IETF Logo Mail Archive

[Uri-review] Re: draft-grimminck-safe-ioc-sharing

"Independent Submissions Editor (Eliot Lear)" <rfc-ise@rfc-editor.org> Mon, 13 April 2026 17:47 UTC

Return-Path: <rfc-ise@rfc-editor.org>
X-Original-To: uri-review@mail2.ietf.org
Delivered-To: uri-review@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id C5E90DB74E7C for <uri-review@mail2.ietf.org>; Mon, 13 Apr 2026 10:47:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1776102436; bh=SxlTyQifsxE9duAGIO4UvdNb+t0leYEW9fgx3ztz/cg=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=kzVD8VMZhaaNqtNIwayBHqG+RKmEMVQztU+XnlNrO+M+m4QhAo8h9Ong9aSdCJY86 1S7emH4ik+kIHtbbzMUABRTfrHfeG4i2/ZDFR/jPTvLiEt0bH53Iq1lNhwmUS0UUkJ bm3U0qcvG25e1q5gKlhbvuzku6FQE1zY857NArdo=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=rfc-editor-org.20251104.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SchCKtYZKago for <uri-review@mail2.ietf.org>; Mon, 13 Apr 2026 10:47:15 -0700 (PDT)
Received: from mail-wm1-x32d.google.com (mail-wm1-x32d.google.com [IPv6:2a00:1450:4864:20::32d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id ACEAEDB74E69 for <uri-review@ietf.org>; Mon, 13 Apr 2026 10:47:15 -0700 (PDT)
Received: by mail-wm1-x32d.google.com with SMTP id 5b1f17b1804b1-488b8bc6bc9so33649945e9.3 for <uri-review@ietf.org>; Mon, 13 Apr 2026 10:47:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rfc-editor-org.20251104.gappssmtp.com; s=20251104; t=1776102429; x=1776707229; darn=ietf.org; h=in-reply-to:from:content-language:references:cc:to:subject :user-agent:mime-version:date:message-id:from:to:cc:subject:date :message-id:reply-to; bh=+B0pf1Hu2D0ZoO+EkwvMniPX/vev+VvbFlx6qzm+s9k=; b=Qg6gFcLLIuL5lD+kME1qwQrxTxD5RB2ZQlqjVr7usIWqWXh0BdhrnmsgwsCUB9/zt4 tTjWDgf/EFh6KcPdqi+2tfTkbdmYO3TzFWfW3y3nXWkSRNepVvwh/KNiDmA3k6Z/Scxb ZF4VWch1glIhIVWvLoOSJQaR5eOc1OEh/XgV2XkQokYqtAXF/tyfOcZo0rOTT3Byf6A7 1IkFmlt//zLuo7SMZNlVFn4jmeEmBQQ5mZV5XIo0DH7UGc3FblSjxZNbrBXHfjkkdaFu fj2RoeUo5kUl7djfdGAdcVmk/Gtpp6r2EM4DJHV9Yx/HfVVXeErwnWdGA7SL/2KLarQz 8w0A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776102429; x=1776707229; h=in-reply-to:from:content-language:references:cc:to:subject :user-agent:mime-version:date:message-id:x-gm-gg:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=+B0pf1Hu2D0ZoO+EkwvMniPX/vev+VvbFlx6qzm+s9k=; b=a/KwecRm5PgzjMAaph0BQnQP9Yib9Pc77pZ2Qhp7BpzuJ7V6nvbUiJDSi60M8qG42a b5yR+Ug0AnKjZax7H6+Kw7SxAK3KcSBv6Bdr05xS0k673wAF1J6kpS8C7NewtN96Twe7 a0WCov6WnDSc8pR5cpUCcjpg3i2mKrw3d2ZNI532gM1Sr7lJAvnOA8QZbxvBWN/mCsMR 5NDyac2JBEwaN9sQAeInk0HMTq8RQBF5zQkxj0X3C3z518RwnD45cqFOhw830XaPYeaW e03GhdGKAow1B+uo69aod/CQ6e6r5LKoxS+pqdEglkB/nXZvdGLYf4unCLtbd3o7WafP ia8g==
X-Forwarded-Encrypted: i=1; AFNElJ8BBhml/5+8qGGNhCPF2DOlzjtVwYTEVVtf28RryTbb4otNCRgwxR2Zxktea0xUvY2AhjlMiKbHXcyh@ietf.org
X-Gm-Message-State: AOJu0YwyZsqbf+D4zlys6wJt8cEqezu2H6YnzsZlQHoHxiDfLNJPRVi+ H9NA10/gWi0RbKy/TDwgG12aouJiiLCcIQEBmpeUXYkFmJty4snWX0fLT0RCpOsccmQDtQ==
X-Gm-Gg: AeBDievR4uWPaw8dJML6wb6A5l666fA/QDEL2vp2JQ5TSUhzwwEeqHHKS4nzSdCj52M kgzgI5j58jGQXLzlLjQS+IE3Fi8FoG9/kpHyYM4MEbRMzkUpJ2vvf+Dy/vvOqbjEhHkX0LSO22c M9NWAt+SSwc3mN0OJxZY+fkK4n2uEYCBUmAVi4PzDDhB7DG1xsgTCKMXuKWB4/X+oJEAxkFe+rA 3jQf8tB3yVrx7o3Z9eAAqeWjl9w29dj94lt5nrJPVU52GYcdgTivl8i+LBjCpeCcYJB+J48kBk9 0+Vc8Yul8H5YpiHSiE8I06kp5toYz6Er6fSCZL1W7U38G1IV88szRgTOro8N5lOxDp3TQq7WJ6T hSPQ/uuF53xkNeDn22mrp+3YkgdWuoWEZ74IkCH90e87KNj/oraIT1QjPgX7oe66Yt62yzp7EC+ heXJd5wofGTFxjn1ubBF5Re6K2GKSeyiBVdttPDUoOD5ZJzvh/dEG9Gk7Q8CN6xsD1ZhMUjaC78 22mGaKvYZrtpLb3E8zY8WoMaqY=
X-Received: by 2002:a05:600c:4e4d:b0:485:3193:6ddb with SMTP id 5b1f17b1804b1-488d6808507mr199643725e9.3.1776102428908; Mon, 13 Apr 2026 10:47:08 -0700 (PDT)
Received: from ?IPV6:2a0d:3344:6c0c:4c10:f438:fe6a:480c:2c27? ([2a0d:3344:6c0c:4c10:f438:fe6a:480c:2c27]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-488d531f1f9sm373267665e9.1.2026.04.13.10.47.07 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 13 Apr 2026 10:47:08 -0700 (PDT)
Content-Type: multipart/alternative; boundary="------------lmKJ9pBc0RJPj2llvCUprW7B"
Message-ID: <ac2eb38c-6785-4e09-9373-58b50cbcbcd6@rfc-editor.org>
Date: Mon, 13 Apr 2026 20:47:06 +0300
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Graham Klyne <gk@ninebynine.org>, Stefan Grimminck <contact=40stefangrimminck.nl@dmarc.ietf.org>
References: <2Eq32vEqs9jQZEbb2Tup4mZm6PgHH2Xd9TB9jKh6JI9APoO8o2-Q5_jfumCa2F1lMVv5eFfVSVzYbZT2y4u4ejXdttFa9btZBfG2UopeCwI=@stefangrimminck.nl> <8DBA0E76-EC9B-44F8-BF9B-0EF8E94BE17A@ninebynine.org>
Content-Language: en-US
From: "Independent Submissions Editor (Eliot Lear)" <rfc-ise@rfc-editor.org>
In-Reply-To: <8DBA0E76-EC9B-44F8-BF9B-0EF8E94BE17A@ninebynine.org>
Message-ID-Hash: 5FQZB2OXNJS7CC7BXENVUHFVVB62GOBB
X-Message-ID-Hash: 5FQZB2OXNJS7CC7BXENVUHFVVB62GOBB
X-MailFrom: rfc-ise@rfc-editor.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-uri-review.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Ted Hardie <ted.ietf@gmail.com>, uri-review@ietf.org, draft-grimminck-safe-ioc-sharing@ietf.org, Mark Baker <mark@coactus.com>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Uri-review] Re: draft-grimminck-safe-ioc-sharing
List-Id: Proposed URI Schemes <uri-review.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uri-review/1TvAwrwEE6WVb3HOv-ft4h4ZanM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uri-review>
List-Help: <mailto:uri-review-request@ietf.org?subject=help>
List-Owner: <mailto:uri-review-owner@ietf.org>
List-Post: <mailto:uri-review@ietf.org>
List-Subscribe: <mailto:uri-review-join@ietf.org>
List-Unsubscribe: <mailto:uri-review-leave@ietf.org>

Greetings Graham,

It's early days and we're just seeking for direction at this point.

Thanks,

Eliot


On 13.04.2026 12:49, Graham Klyne wrote:
> A small point:  rather  than simply asking IANA to reserve the legacy 
> hxxp(s), it might be easier (for them) to include actual registration 
> templates, complete with rationale.  For example, along the lines of 
> https://www.iana.org/assignments/uri-schemes/historic/drop (with a 
> different description).
>
> #g
>
> (Added Mark Baker cc as current IANA reviewer)
>
> Sent from my iPhone
>
>> On 13 Apr 2026, at 10:33, Stefan Grimminck 
>> <contact=40stefangrimminck.nl@dmarc.ietf.org> wrote:
>>
>> 
>>
>> Hi Eliot, and URI Review team,
>>
>> Thank you for the technical feedback and for the acknowledgement of 
>> the utility in formalizing these operational conventions.
>>
>> I want to clear up what might be a misunderstanding first. The 
>> "illegal characters in the scheme" framing may have given the 
>> impression that the draft proposes something like h**p (asterisk 
>> substitution). The actual canonical form in the current draft is 
>> [scheme] bracketing:
>>
>> http://example.com/path <http://example.com/path> -> 
>>  [http]://example[.]com/path
>> mailto:user@example.com <mailto:user@example.com> -> 
>>  [mailto]:user[@]example[.]com
>>
>> Hopefully, your e-mail clients demonstrate this as well by not 
>> linkifying them :)
>>
>> The opening "[" is not permitted in a URI scheme name per RFC 3986 
>> Section 3.1, so the result cannot be confused with a valid URI or 
>> collide with any IANA registration. It scales to any scheme ([https], 
>> [ftp], [smb], [sftp]) without needing a per-scheme mapping table, and 
>> it is consistent with how the draft already handles dots and at-signs.
>>
>> The legacy tokens hxxp and hxxps are documented as fielded but NOT 
>> RECOMMENDED for new output. The reason they are not recommended is 
>> that character substitution does not scale. Each scheme needs its own 
>> mapping and there is no predictable rule (sftp could become sfxp, 
>> sxtp or sxxp). Legacy substitution prevents deterministic 
>> de-obfuscation because distinct protocols like SMTP and SFTP could 
>> collapse into identical tokens, whereas bracketing ensures a unique, 
>> reversible mapping. Furthermore, a substituted string like hxxp still 
>> looks like a syntactically valid scheme name, meaning future protocol 
>> obfuscations could collide with existing registrations.
>>
>> Bracket wrapping avoids these problems while standardizing how 
>> indicators are shared in a scalable way. Implementations are expected 
>> to recognize hxxp and hxxps during de-obfuscation for backward 
>> compatibility. Practitioners who already rely on hxxp can keep doing 
>> so, and tooling will handle both forms if the implementer chooses to.
>>
>> Based on the review feedback, I'm planning the following changes for -09:
>>
>>   * Adding RFC 5891 (IDNA 2008) as a reference for the
>>     Internationalized Domain Names edge case. Appreciate the pointer,
>>     and correction that RFC 3490 is obsoleted by RFC 5891.
>>
>>   * Reframing the IPv6 rationale in Step 3. The text currently states
>>     that IPv6 "does not trigger auto-linking in typical software,"
>>     which I agree should not be presented as a permanent
>>     justification. I plan to replace this with a technical rationale.
>>
>> Regarding the DISPATCH question: I presented a previous version of 
>> this draft to SECDISPATCH last April and received supportive feedback 
>> from Eric Rescorla, Rich Salz, and Andrew S2.
>>
>> Thanks again for your time and expertise.
>>
>>
>> Best regards,
>>
>> Stefan Grimminck
>>
>>
>> On Sunday, April 12th, 2026 at 11:42, Independent Submissions Editor 
>> (Eliot Lear) <rfc-ise@rfc-editor.org> wrote:
>>>
>>> Hi URI Review team,
>>>
>>> Thanks very much for your comments. Ted, in answer to your question, 
>>> I am not aware that this work has been presented to the IETF. Stefan 
>>> may do so if he wishes, and I would assist him if he wishes to see 
>>> the work DISPATCHed. Stefan, please take note that at least one 
>>> reviewer here prefers the way you originally approached the work, 
>>> and revise as you see fit. Also, please take note of Martin's 
>>> concerns below.
>>>
>>> Eliot
>>>
>>> ps: I will be unavailabe for the next two weeks. Expect responses 
>>> after that point.
>>>
>>> On 11.04.2026 04:09, Martin J. Dürst wrote:
>>>> Hello Eliot, others,
>>>>
>>>> One detail that caught my eye is in 
>>>> https://www.ietf.org/archive/id/draft-grimminck-safe-ioc-sharing-08.html#name-step-3-host:
>>>>
>>>> >>>>
>>>> IPv6 addresses use colon-hexadecimal notation inside square 
>>>> brackets (e.g., "[2001:db8::1]"), which does not trigger 
>>>> auto-linking in typical software; the entire bracket-enclosed 
>>>> literal, including any dots within it (e.g., the dots in 
>>>> "::ffff:192.0.2.1"), MUST be left unchanged.
>>>> >>>>
>>>>
>>>> The part up to the semicolon is most probably true, but leaving 
>>>> this unchanged would make it more difficult to fix that. We 
>>>> shouldn't put additional blocks in front of IPv6 deployment and 
>>>> usage, even if they are small.
>>>>
>>>> An additional comment below.
>>>>
>>>> On 2026-04-11 01:09, Ted Hardie wrote:
>>>>> Hi Eliot,
>>>>>
>>>>> As a meta-question was this draft brought to the IETF before going 
>>>>> to the
>>>>> ISE? I don't see any record of it in places I would expect (DISPATCH,
>>>>> SAAG), but my records may be incomplete.
>>>>>
>>>>> After a quick read, this actually seems like something that the 
>>>>> IETF should
>>>>> consider, as there are some aspects of it that probably need wider 
>>>>> review.
>>>>> An example here is Section 9, which references how to handle IDNs. It
>>>>> describes punycode, but the overall IDNA standard should be 
>>>>> referenced,
>>>>> probably especially RFC 3490, Section 3.1.
>>>>
>>>> Which is obsoleted by RFC 5890.
>>>>
>>>> Regards, Martin.
>>>>
>>>>> On the question related to the existing registration, RFC 7595 says:
>>>>>
>>>>> There must not already be an entry with the same scheme name. In
>>>>> the unfortunate case that there are multiple, different uses of
>>>>> the same scheme name, the Designated Expert can approve a request
>>>>> to modify an existing entry to note the separate use.
>>>>>
>>>>> I would first contact Hugo Salgado, the original registrant, to 
>>>>> see if he
>>>>> would be willing to work with this author on the draft and to 
>>>>> transfer the
>>>>> registration. Since the use is functionally the same (though the
>>>>> surrounding advice is different), I don't see a particular need to 
>>>>> shift
>>>>> the registration, but if this is desired and the original 
>>>>> registrant is
>>>>> unavailable, I believe the designated expert could invoke the 
>>>>> clause above
>>>>> and add the new document.
>>>>>
>>>>> regards,
>>>>>
>>>>> Ted Hardie
>>>>>
>>>>> On Fri, Apr 10, 2026 at 4:38 PM Independent Submissions Editor 
>>>>> (Eliot Lear)
>>>>> <rfc-ise@rfc-editor.org> wrote:
>>>>>
>>>>>> Dear URI reviewers,
>>>>>>
>>>>>> The Independent Submissions Editor has received a publication 
>>>>>> request for
>>>>>> draft-grimminck-safe-ioc-sharing. This draft intentionally makes 
>>>>>> certain
>>>>>> URIs unresolvable during transport. I am contacting you because 
>>>>>> there are
>>>>>> several legacy use cases, two in particular: http-> hxxp and 
>>>>>> https ->
>>>>>> hxxps. I have no doubt, but that these indicators of compromise 
>>>>>> (IOC)
>>>>>> transformations are widely accepted as a convention. I note that 
>>>>>> an old
>>>>>> draft, draft-salgado-hxxp-01 has provisionally registered these 
>>>>>> schemes.
>>>>>> This is sufficient to limit damage with those particular schemes. 
>>>>>> There
>>>>>> can be other schemes that may be used to reference compromised 
>>>>>> content.
>>>>>>
>>>>>> I have several questions for this group:
>>>>>>
>>>>>> - Stefan is considering a more generic approach that uses illegal
>>>>>> characters in the scheme (*) for other schemes. Do you agree that is
>>>>>> appropriate?
>>>>>> - Would you like the registration for hxxp and hxxps to move to this
>>>>>> work, should it progress?
>>>>>> - Would you like to mark the registrations as permanent as part of
>>>>>> that process?
>>>>>> - Would you like to perform a review of the draft? Reviewer guidance
>>>>>> can be found at 
>>>>>> https://www.rfc-editor.org/materials/reviewer.guide.txt
>>>>>> .
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Eliot
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Uri-review mailing list -- uri-review@ietf.org
>>>>>> To unsubscribe send an email to uri-review-leave@ietf.org
>>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Uri-review mailing list -- uri-review@ietf.org
>>>>> To unsubscribe send an email to uri-review-leave@ietf.org
>>>>
>>
>> _______________________________________________
>> Uri-review mailing list -- uri-review@ietf.org
>> To unsubscribe send an email to uri-review-leave@ietf.org

v2.46.0 | Report a Bug | By Email | System Status