Re: [secdir] secdir review of draft-saintandre-urn-example-04
Barry Leiba <barryleiba@computer.org> Sat, 23 March 2013 14:53 UTC
Return-Path: <barryleiba.mailing.lists@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 193D021F8A54; Sat, 23 Mar 2013 07:53:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.478
X-Spam-Level:
X-Spam-Status: No, score=-102.478 tagged_above=-999 required=5 tests=[AWL=0.499, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rlGiO3l7AOQX; Sat, 23 Mar 2013 07:53:12 -0700 (PDT)
Received: from mail-vc0-f182.google.com (mail-vc0-f182.google.com [209.85.220.182]) by ietfa.amsl.com (Postfix) with ESMTP id 6A19221F8A8F; Sat, 23 Mar 2013 07:53:04 -0700 (PDT)
Received: by mail-vc0-f182.google.com with SMTP id ht11so3832683vcb.13 for <multiple recipients>; Sat, 23 Mar 2013 07:53:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=Kc7K49mzYc2jID83RjRNoAPgYNxE3NTBKpWITlkcrkA=; b=E4ygZG6tLH1aQ3ZVX4YzUz5+O0DNm7jJiG6MYJBjLJp+mCGnZxX8YwDpD5qXGg6YjP nLbdPizaCSUpH5W/7eN9MvVe8B4aVaX/hKmQBLH5d3SqDVZuH1LzjyPagIvUvm0ktYAJ tbz63VAk+ADooWLSIDheA/iBM1fGf18tQNyvGRyB8RvuryiDrJJH5Tihns6Jhf8Hwm0d NUUjsUkRn5HxFVRBhIAcajSndIcV04PSFAEUteVCfcQDpjpV3z0kzPqsQFsokPjUklPI AFP4Pyo12yO8hlyTDu2S/dA+Vi32GBkf+z7kKFr9O+COZaDUjkQCoRh/2cjI4Opb7BFn NNrQ==
MIME-Version: 1.0
X-Received: by 10.52.155.5 with SMTP id vs5mr6170857vdb.24.1364050383906; Sat, 23 Mar 2013 07:53:03 -0700 (PDT)
Sender: barryleiba.mailing.lists@gmail.com
Received: by 10.59.3.41 with HTTP; Sat, 23 Mar 2013 07:53:03 -0700 (PDT)
In-Reply-To: <CAFOuuo4aOOne3OppwucKZd8p9PYF8JL=q9-GwrMEZR=dWN_nmw@mail.gmail.com>
References: <CAFOuuo4aOOne3OppwucKZd8p9PYF8JL=q9-GwrMEZR=dWN_nmw@mail.gmail.com>
Date: Sat, 23 Mar 2013 10:53:03 -0400
X-Google-Sender-Auth: UwgJEfH5C4Z5jm6f93bNU9BDYCc
Message-ID: <CAC4RtVB8VQkPQXc6ge3yDhW85B=gqdK4dhXw40HqH_-iLDr0+Q@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Radia Perlman <radiaperlman@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: The IESG <iesg@ietf.org>, draft-saintandre-urn-example@tools.ietf.org, secdir <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-saintandre-urn-example-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Mar 2013 14:53:14 -0000
Hi, Radia, and thanks for the review. On the chance that you really do want some of your questions answered, let me take a stab: > But then I started hearing about URNs and URIs. I pretty much ignored them > because my life seemed to be complete without needing to understand them. > But then since I was assigned this draft to review, I decided to investigate > what URNs and URIs are and how they are different. "URI" is an abstraction. We have here a protocol (or a data format), and in this spot in the protocol we want the client to send the server something. We're going to say that the something is a URI, which is rather like saying that the something is a fruit. Broadly speaking, we've divided URIs into two types: locators and names. A URL (locator) tells you where to find something and/or what to do with it. A URN (name) tells you what something is called. Different sub-abstractions, like "fruit that needs to be peeled" and "fruit that you can eat without peeling". The first part of a URI is called a "scheme" -- it's the part that looks like "http:" or "sip:" or "mailto:" or "urn:". That's what tells you how to interpret this particular URI; it's the concrete instantiation of the abstraction -- the lemon or the apple. When you see a URI with the scheme "http:", you know you're meant to go look at RFC 2616 to see how to process it, and you'll usually end up contacting a server on port 80 and sending it certain stuff, expecting certain stuff in response. When you see "mailto:", you know you'll be using SMTP (RFC 5321). But names are different. URIs with the "urn:" scheme are a type of URN, and they're just meant to name things (but there are other URNs; the "ni:" scheme, defined in http://tools.ietf.org/html/draft-farrell-decade-ni , also defines names, not locators). There are documents that say how to map ISBNs into URNs (RFC 3187), how to map serial numbers into URNs (RFC 3044), and so on. The URN just gives you a name, and it doesn't tell you what to do with the name. But they're still part of the abstract thing called a URI, and they're syntactically valid where URIs are allowed. Of course, specifications can, and often do, limit the types of URIs that are semantically appropriate in any particular spot in any particular protocol or application. A web browser probably knows how to deal with http: and ftp: URIs. Many can deal with mailto: URIs. They're less likely to know what to do with sip: URIs and probably won't do anything at all useful with urn: URIs. But because of the common syntax imposed by the abstraction, the web browsers know how to start parsing the sip: and urn: URIs, and, thus, know when to throw them out as unsupported instantiations. > Then I read yet another incomprehensible RFC, #3986, which has this > sentence: > "Future specifications and related documentation should use the general term > "URI" rather than the more restrictive terms "URL" and "URN" [RFC3305]." So, > why are we, today, in 2013, tweaking URNs if we are supposedly trying to > mercifully put the term "URN" to bed? What the text in 3986 (which needs updating, by the way, an update which is on the radar, if not actually in the works yet) is trying to get across is that in the general case, specifications should refer to the abstraction, the URI. But there certainly are times when, for example, something specifically needs to be a name, a URN... and in those cases it's perfectly sensible to use the term "URN". Today, in 2013, we're still tweaking URNs because we still need resource names (see the aforementioned draft-farrell-decade-ni, for example). > And why is the NSS (Namespace Specific String, which is part of the URN) > ASCII? Given that I'm never planning on using a URN, I don't really care, > but if people wanted these things for whatever reason, mightn't they want to > use International characters? That's an artifact of history, and of the need to maintain compatibility. For better or worse (well, worse, surely) our protocols and the implementations thereof were set up to expect only ASCII character encoding. We can and should move over to UTF-8, and we are working on it, a few protocols at a time. But look at the difficulty the seven-year effort on EAI (email address internationalization) has had, and you can see that it's not as simple as suddenly saying, "OK, we can now send these protocol elements encoded in UTF-8." For URIs, specifically, much of the internationalization can be handled by the encoding mechanisms specified in RFC 3986, and it's working well. The IRI (internationalized resource identifier) work has tried to expand that, but there've been bumps in that road. But the bottom line is that URIs *can* use international characters, by encoding them, and it's the job of the presentation layers to encode the user input and to decode for display. > So my conclusion is that invention of UR* terminology is a low level denial > of service attack on people, but is otherwise harmless. You won't hear much argument about that from me, indeed. Though I'll point out that that describes more of what we do than most of us would like to admit. Barry
- [secdir] secdir review of draft-saintandre-urn-ex… Radia Perlman
- Re: [secdir] secdir review of draft-saintandre-ur… Barry Leiba