Re: [media-types] Thoughts on suffixes, single and multiple

Mark Nottingham <mnot@mnot.net> Thu, 04 April 2024 04:26 UTC

From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <SJ0PR02MB7439D38C184EB61C74A7417EB73C2@SJ0PR02MB7439.namprd02.prod.outlook.com>
Date: Thu, 04 Apr 2024 15:26:27 +1100
Cc: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, "media-types@ietf.org" <media-types@ietf.org>, Orie Steele <orie@transmute.industries>, Kristina Yasuda <yasudakristina@gmail.com>, Daniel Fett <fett@danielfett.de>, Oliver Terbu <oliver.terbu@mattr.global>
Content-Transfer-Encoding: quoted-printable
Message-Id: <9F82BFF1-28BF-4336-93DD-D4015CD9E487@mnot.net>
References: <2E20FEDE-C766-43EE-A6E2-1FB63E79CF0B@mnot.net> <CAN8C-_KzQOPhv3Tep8gsnLqDxO7EnAo0qUkVUg1E6COttBTrfA@mail.gmail.com> <CA+k3eCSAh1Mbx8S1-Vnn2oGZT8ik1R5JOi-=Oc4Z5OaJyG=Rsg@mail.gmail.com> <SJ0PR02MB743954437952C86757B73BC7B73D2@SJ0PR02MB7439.namprd02.prod.outlook.com> <90C11F85-3A89-461F-B974-392E1D01A420@mnot.net> <SJ0PR02MB7439D38C184EB61C74A7417EB73C2@SJ0PR02MB7439.namprd02.prod.outlook.com>
To: Michael Jones <michael_b_jones@hotmail.com>
X-Mailer: Apple Mail (2.3774.500.171.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/media-types/xEaF5CigNTWirfPr4eMQQt2PsPI>
Subject: Re: [media-types] Thoughts on suffixes, single and multiple

Is there a reasonable use case for knowing the syntax without knowing the specific semantics or processing model? E.g., an editors' highlighting mode (keeping in mind that we're not seeing great deployment for that in eg browsers for even +xml or +json)?


> On 4 Apr 2024, at 13:22, Michael Jones <michael_b_jones@hotmail.com> wrote:
> 
> In general, you'll need to know what kind of JWT or SD-JWT the object is to process it.  For instance, you won't necessarily know where to get the keys and you won't know which claims are required and optional, and importantly, you won't know the processing rules for those claims - for instance, what can you do (and what are you REQUIRED to do) with the "iss" (issuer) claim value.
> 
> But yes, you will know the syntax from the structured suffix.
> 
>                                -- Mike
> 
> -----Original Message-----
> From: Mark Nottingham <mnot@mnot.net>
> Sent: Wednesday, April 3, 2024 5:19 PM
> To: Michael Jones <michael_b_jones@hotmail.com>
> Cc: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>; media-types@ietf.org; Orie Steele <orie@transmute.industries>; Kristina Yasuda <yasudakristina@gmail.com>; Daniel Fett <fett@danielfett.de>; Oliver Terbu <oliver.terbu@mattr.global>
> Subject: Re: [media-types] Thoughts on suffixes, single and multiple
> 
> So that focuses nicely on the relevant question -- is +sd-jwt (and by extension, +jwt) really just flagging syntax, or is implying that the format can be processed in a certain way?
> 
> 
>> On 4 Apr 2024, at 03:54, Michael Jones <michael_b_jones@hotmail.com> wrote:
>> 
>> Not only is +sd-jwt planning to be registered, it’s used by a W3C specification for securing Verifiable Credentials.
>> I understand pushback on multiple suffixes, but using a single suffix to indicate syntax is useful, and common existing practice.
>>                                -- Mike
>> From: media-types <media-types-bounces@ietf.org> On Behalf Of Brian
>> Campbell
>> Sent: Wednesday, April 3, 2024 9:07 AM
>> To: media-types@ietf.org; Orie Steele <orie@transmute.industries>;
>> Kristina Yasuda <yasudakristina@gmail.com>; Daniel Fett
>> <fett@danielfett.de>; Oliver Terbu <oliver.terbu@mattr.global>
>> Subject: [media-types] Fwd: Thoughts on suffixes, single and multiple
>> Indeed there is work in progress that plans on requesting registration of "+sd-jwt" https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt#name-structured-syntax-suffix-re based partly on anticipated/suggested usage https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt#name-explicit-typing similar to "+jwt" that Mike mentioned here https://mailarchive.ietf.org/arch/msg/media-types/WgnX1lyhUMR2M82HRlsegEGg8j0/. And other work in progress that plans on requesting registration of "vc+sd-jwt" https://datatracker.ietf.org/doc/html/draft-ietf-oauth-sd-jwt-vc#name-media-types-registry.  I suppose "+jwt" and the nascent "+sd-jwt" fall into the "seldom used" category mentioned by Mark (and those he's suspicious of) but they are used in practice and expected to be used going forward so deprecating them or the use of suffixes in media types would have ramifications with respect to that.
>>    ---------- Forwarded message ---------
>> From: Orie Steele <orie@transmute.industries>
>> Date: Wed, Apr 3, 2024 at 7:43 AM
>> Subject: Fwd: [media-types] Thoughts on suffixes, single and multiple
>> To: Kristina Yasuda <Kristina.Yasuda@microsoft.com>, Daniel Fett <fett@danielfett.de>, bcampbell <bcampbell@pingidentity.com>
>>
>> Please remind this group that you are about to register +sd-jwt, and give any comments that might support arriving at some kind of consensus here.
>> 
>> OS
>> ---------- Forwarded message ---------
>> From: Mark Nottingham <mnot=40mnot.net@dmarc.ietf.org>
>> Date: Wed, Apr 3, 2024 at 1:30 AM
>> Subject: [media-types] Thoughts on suffixes, single and multiple
>> To: IETF Media Types <media-types@ietf.org>
>> 
>> 
>> After the meeting in Brisbane, some of us went aside to continue the multiple suffixes discussion. There, we quickly came to the conclusion that we should deprecate the concept of suffixes in media subtypes -- i.e., they would still be syntactically allowed, but would have no meaning or registry. Martin Thomson and I took an action to write something down about this.
>> 
>> Once I was home, I started to think more carefully about this and do research. One thing that I haven't yet seen is a summary of how suffixes are currently used (apologies if I missed someone else's effort there). These are the counts for each suffix in the registry that I came up with about a week ago:
>> 
>> +xml = 439
>> +json = 145
>> +ber = 0
>> +cbor = 16
>> +der = 1
>> +fastinfoset = 1
>> +wbxml = 7
>> +zip = 24
>> +tlv = 1
>> +json-seq = 2
>> +sqlite = 1
>> +jwt = 6
>> +gzip = 2
>> +cbor-seq = 4
>> +zstd = 0
>> +yaml = 2
>> +cose = 0
>> 
>> As you can see, we have a few very widely used suffixes (in a registry of 1,588 entries as of that survey), and many very seldom used ones - with a few not used at all.
>> 
>> The widespread use of +xml and +json in particular made me more cautious about deprecating suffixes altogether -- especially since we still sort-of believe that they are indeed used by (or at least potentially useful to) things like editors to hint syntactic conventions.
>> 
>> So, that leaves a few different options, considering the constraints we have:
>> 
>> 1) Disallow more than one "+" sign in media subtypes, as floated at the meeting. This would put a fair amount of pressure on the registry's ability to reflect reality, depending on how widely deployed some things get (although we could grandfather some types in to ease the pressure here).
>> 
>> 2) Syntactically allow suffixes before the last one, but not assign them any meaning or register them; e.g., application/foo+bar+xml would be an XML format, but who knows what bar is; effectively, it's just part of "foo+bar". This would allow people to define suffix-like things, but wouldn't give them any recognition or coordination -- potentially leading to the need to formalise things more down the road, just as we did in the first round of suffixes.
>> 
>> 3) Consider multiple suffixes, when they occur, to be unrelated hints as to the syntax of the format -- i.e., there is no processing model, there is no ordering (although a registrant would have to choose an order; registrations with different orderings should be refused). Effectively, suffixes would just be a 'bag of hints' about the format being used.
>> 
>> I'd be interested in hearing people's reactions to these.
>> 
>> Separately, I think we need to settle a few other matters to make progress:
>> 
>> 
>> ### Defining What Suffixes Are For (no matter how many there are)
>> 
>> After the discussion in Brisbane, I strongly believe that suffixes should ONLY be for hinting about the syntax or format convention in use, as an aid eg to editors, syntax highlighters, etc. This is the proven use case for media type suffixes. Suffixes should not be used to hint semantics; only syntax. We should have strong language about the dangers of using suffixes to hint particular kinds of processing; cf the previous discussion on the 'polyglot problem' and the potential security issues around performing processing based upon suffixes.
>> 
>> The suffix registration process should be designed to assure that only such suffixes are registered.
>> 
>> Note that in this view, "+ld" is very likely unregistrable.
>> 
>> 
>> ### Cleaning Up Existing Suffixes
>> 
>> +gzip and +zstd are problematic; the former should be disallowed for new registrations, and the latter should be removed or obsoleted in the registry. Likewise, I am highly suspicious of +jwt and +cose. +zip _is_ a format convention, so I suppose it's OK?
>> 
>> 
>> Cheers,
>> 
>> --
>> Mark Nottingham   https://www.mnot.net/
>> 
>> _______________________________________________
>> media-types mailing list
>> media-types@ietf.org
>> https://www.ietf.org/mailman/listinfo/media-types
> 
> 
> --
> Mark Nottingham   https://www.mnot.net/
> 

--
Mark Nottingham   https://www.mnot.net/
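
The three suffix-handling options from the thread, and the syntax-versus-processing distinction it turns on, as an added Python example (not part of the original message or of any IETF specification). The `HANDLERS` allow-list, its handler name and all function names are hypothetical; the suffix set is copied from the survey quoted above.

```python
import re

# Suffixes listed in the registry survey quoted in the thread.
SURVEYED = {"xml", "json", "ber", "cbor", "der", "fastinfoset", "wbxml", "zip", "tlv",
            "json-seq", "sqlite", "jwt", "gzip", "cbor-seq", "zstd", "yaml", "cose"}
# RFC 6838 restricted-name grammar for the type and the subtype (lower-cased input).
NAME = r"[a-z0-9][a-z0-9!#$&^_.+-]{0,126}"
MEDIA_TYPE = re.compile(rf"({NAME})/({NAME})")
# Hypothetical allow-list: processing is chosen by the exact type, never by suffix.
HANDLERS = {"application/vc+sd-jwt": "sd_jwt_vc_verifier"}

def split_media_type(value):
    """Return (type, base subtype, [suffixes]); parameters are dropped."""
    essence = value.split(";", 1)[0].strip().lower()
    m = MEDIA_TYPE.fullmatch(essence)
    if not m:
        raise ValueError(f"not a media type: {value!r}")
    base, *suffixes = m.group(2).split("+")
    if "" in suffixes:
        raise ValueError(f"empty suffix in {value!r}")
    return m.group(1), base, suffixes

def option1_single(value):
    """Option 1: more than one '+' is rejected; returns the suffix or None."""
    suffixes = split_media_type(value)[2]
    if len(suffixes) > 1:
        raise ValueError(f"multiple suffixes: {value!r}")
    return suffixes[0] if suffixes else None

def option2_last(value):
    """Option 2: only the last suffix means anything; the rest is subtype name."""
    top, base, suffixes = split_media_type(value)
    name = "+".join([base, *suffixes[:-1]])
    return f"{top}/{name}", (suffixes[-1] if suffixes else None)

def option3_bag(value):
    """Option 3: suffixes are an unordered bag of syntax hints."""
    return frozenset(split_media_type(value)[2])

def syntax_hint(value):
    """Editor-style hint: the last suffix, only if it is a surveyed one."""
    suffix = option2_last(value)[1]
    return suffix if suffix in SURVEYED else None

def select_handler(value):
    """Exact-match dispatch; an unknown type gets no handler, whatever its suffix."""
    top, base, suffixes = split_media_type(value)
    return HANDLERS.get(f"{top}/{'+'.join([base, *suffixes])}")
```

A type such as `application/example+sd-jwt` parses cleanly and yields a suffix, but `select_handler` returns `None` for it: the suffix tells a tool how the bytes are laid out, not which keys or claim rules apply.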