IETF Logo Mail Archive

Re: [Uri-review] Requesting review for 'dvx' provisional registration draft

"C. Bastian | ORGAPLAN" <clemens.bastian@orgaplan.org> Fri, 02 July 2021 16:54 UTC

Return-Path: <clemens.bastian@elementsystems.de>
X-Original-To: uri-review@ietfa.amsl.com
Delivered-To: uri-review@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96BC53A24C0 for <uri-review@ietfa.amsl.com>; Fri, 2 Jul 2021 09:54:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.751
X-Spam-Level:
X-Spam-Status: No, score=-1.751 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.248, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=orgaplan.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eTRe3xdX2R9V for <uri-review@ietfa.amsl.com>; Fri, 2 Jul 2021 09:54:48 -0700 (PDT)
Received: from mail-ej1-x62d.google.com (mail-ej1-x62d.google.com [IPv6:2a00:1450:4864:20::62d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B84C03A24BF for <uri-review@ietf.org>; Fri, 2 Jul 2021 09:54:47 -0700 (PDT)
Received: by mail-ej1-x62d.google.com with SMTP id nd37so17149229ejc.3 for <uri-review@ietf.org>; Fri, 02 Jul 2021 09:54:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orgaplan.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=3qwthjr95DuuKRu8/HNKyhR7wLtJdTd/cgMmobCq8kU=; b=HOcrt4PJQEQxIri0Jx+nnwJCAcQP3KZCm5ZV2P15mIk6/OMSXCNJVQS7CZgKQl21jn yvRLdCWCoo6+pvihixv+0S90JI4xcKkjddzjmzq8BNNsGqN0zpheOcxADA6pSqHMMK1m JzASI/CxK97L36MrMd906EvBxhccTJjXL86tA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=3qwthjr95DuuKRu8/HNKyhR7wLtJdTd/cgMmobCq8kU=; b=B1ePJj2PfRiq1E7wqHCvzXAP6xrBrrbSyhnGcAOpXO16gYobbCsBR/NeHfe/5S9J3W Rm7OBx/K79A38rfwW6iCeqTfWLe36z9MBzBvUo8y453SgA1uy2cg+z0Z8u5kHTmBF47N gfHzqVt4hfagxpvAN9geJc6p/3M/Hix6FT/vrxpbgG+j2UBL9jn9tQlLdOOGCcMVb9sO SN+NiP0vEc4+v78odxJa8aP2s51odLoU6cZ5oxxFGvQNDPZb4qnSbPV/LvhTefXXA06N 3RvSq9t6TbBwWoH62+HEsf3ZsXVAaBEspaQYOHE0V72Cb2ioilDUNdHXcb+iNnIK4qxv JpBA==
X-Gm-Message-State: AOAM532aczly1Yhx+YUN1pXjsXOeurxkhobFCvX5tRwlBKt9Il00gYNk ZJG2lSSOnxzuUlcCEbXtMu17zKA5Nwt8NqFBXvAKbA==
X-Google-Smtp-Source: ABdhPJyEdvwdiL65yZ4N7xuyDqAdIreAaRACEFNUTKm52WMvj1ZNO/R9LTaOJ0dJ26uXqIhFq3nJ1FVbzBdA1vyL9z0=
X-Received: by 2002:a17:906:c106:: with SMTP id do6mr710979ejc.116.1625244884421; Fri, 02 Jul 2021 09:54:44 -0700 (PDT)
MIME-Version: 1.0
References: <CAD2stPT7+5s_+7BC8Xrv-phQj40+oOomT3f3bVarX=AuJXGJ8w@mail.gmail.com> <CA+9kkMBv2PP9J=ntZqOOMoxtcQ9afo-RuCvoF+_3-29+N55zwA@mail.gmail.com> <CAD2stPR+0OvBRnO9Ac36hcxYh+fRQbYFWzaq5DSR+xXqKGpMSA@mail.gmail.com> <CA+9kkMArHaE=vtP3TGgMzePtLuRvwoHAVKjL0-qAzkxz5ZQR5g@mail.gmail.com>
In-Reply-To: <CA+9kkMArHaE=vtP3TGgMzePtLuRvwoHAVKjL0-qAzkxz5ZQR5g@mail.gmail.com>
From: "C. Bastian | ORGAPLAN" <clemens.bastian@orgaplan.org>
Date: Fri, 02 Jul 2021 18:54:09 +0200
Message-ID: <CAD2stPSNaeFE4twsFA9-waG55wNz1N4r48uCihJYzRR6U=1m_A@mail.gmail.com>
To: Ted Hardie <ted.ietf@gmail.com>
Cc: uri-review@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/uri-review/2KgYz6NGoWhvB-7NmZW7Y9Dwz38>
Subject: Re: [Uri-review] Requesting review for 'dvx' provisional registration draft
X-BeenThere: uri-review@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proposed URI Schemes <uri-review.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uri-review>, <mailto:uri-review-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uri-review/>
List-Post: <mailto:uri-review@ietf.org>
List-Help: <mailto:uri-review-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uri-review>, <mailto:uri-review-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Jul 2021 16:54:53 -0000

Hello Ted,

thanks again. Your thoughts are very appreciated and helpful.
Here's our third version of the draft:

Regarding the obligations for "key=value" pairs your idea helped us to
shrink our specification and make more use of existing documentation.
It now says:
    * value MUST consist of unreserved and pct-encoded characters
defined in RFC3986 (see the RFC3986 Appendix A. for the collected
ABNF)
    * The unreserved characters MAY be pct-encoded, but SHOULD NOT be encoded
    * The reserved characters MUST be encoded using pct-encoding
    * value MAY be empty, but it's not recommended

And the updated security considerations:
    A full security analysis and considerations are not yet available
since the application which this scheme is part of is still under
development. At the current state the scheme inherits the general
security considerations of RFC 3986 Section 7.. We highly recommend:
    Sensitive data SHOULD NOT be used in key=value pairs in forms
accessible to observers
    Implementations of this scheme SHOULD NOT trust a dvx-URI from an
untrusted source
    Security considerations will be updated as soon as the threat
model becomes clearer.

Published as the versions before at
https://api.orgaplan.org/articles/uri-dvx-scheme-specification.html

Looking forward on your feedback, Clemens

Mit freundlichen Gruessen | Best regards


Clemens Bastian | Technical Development & Integrations

ORGAPLAN business solutions GmbH


clemens.bastian@orgaplan.org
T (Global) +49 | 511 | 999 71 0 73


Office UK: HG4 Ripon (Harrogate, Northern Yorkshire)

Office DE: 30926 Seelze / Velber (Hannover)

Office DE: 06618 Naumburg (Saale)


Firmensitz (nur: Verwaltung)

bisher: Hanomaghof 2 | 30449 Hannover

seit 15. Juni 2021: Gustav-Bratke-Str. 71 | DE - 30629 Hannover

www.orgaplan.org


ORGAPLAN business solutions entwickelt funktionsstarke Software für
die kaufmännische und betriebliche Organisation und Information.



Seit über 30 Jahren vertrauen namhafte Unternehmen im technischen
Großhandel, der Fertigungs- und Lebensmittelindustrie sowie dem
Sondermaschinenbau unseren Softwarelösungen.




Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss...



Am Fr., 2. Juli 2021 um 11:30 Uhr schrieb Ted Hardie <ted.ietf@gmail.com>:
>
> Hi Bastian,
>
> Thanks for your message.  I've read the updated document, and I have a few comments, but I believe I understand more fully your intent than with the initial version.  Thanks for the update.
>
> In the text on data within values, you say:
>
> The characters allowed in a value are either reserved or unreserved (or a percent character as part of a percent-encoding, see RFC3986 "Uniform Resource Identifier (URI): Generic Syntax" Section 2.1). Reserved characters are those characters that sometimes have special meaning, while unreserved characters have no such meaning. Using percent-encoding, characters which otherwise would not be allowed are represented using allowed characters
>
> If I understand you correctly, your intent could also be expressed by saying that "value" permits the unreserved and pct-encoded  productions from RFC 3986 (see the Appendix for the collected ABNF).  If you also wanted to permit the sub-delims, ":" , and "@", you could simply reuse the pchar production, which seems fairly close to your intent.  Since those are part of the base spec, either approach would be well understood by implementers.
>
> On the question of security considerations, BCP35 requires either a security consideration section or a statement of why one cannot be made available:
>
>       The scheme definition SHOULD include clear security considerations
>       (Section 3.7) or explain why a full security analysis is not
>       available (e.g., in a third-party scheme registration).
>
> I'd suggest updating the template to note that the system of which this is a part is a work in progress and that a full security consideration is thus not yet available, but that the scheme inherits the general security considerations of RFC 3986 and that sensitive data SHOULD NOT be used in key value pairs in forms accessible to observers.  That would seem to cover the threats you're already aware of, and you can update the security considerations as the threat model becomes clearer.
>
> best regards,
>
> Ted Hardie
>
> On Thu, Jul 1, 2021 at 5:44 PM C. Bastian | ORGAPLAN <clemens.bastian@orgaplan.org> wrote:
>>
>> Hello Ted,
>>
>> first of all: Let me thank you for the precious feedback and all the
>> effort going through my draft.
>>
>> You're absolutely right in terms of the extensible <command> section.
>> To be honest, and as the title indicates, this is a draft and changes
>> can still be made. The scheme design is WiP and your feedback is
>> appreciated. Now there are some more obligations and recommendations
>> regarding the <command>:
>>     * MUST start with a letter (a-z)
>>     * MUST end with a letter (a-z) or a number (0-9)
>>     * MUST have a minimum length of 3 characters and a maximum length
>> of 200 characters
>>     * SHOULD HAVE at least 3 alphanumeric characters between two
>> special characters (`.`,`+`,`-`)
>>
>>
>> The section about encoding of the key=value pairs has been updated as
>> well to make it clearer (hopefully):
>>     All `key=value` pairs MUST use the UTF-8
>> ([RFC3629](https://datatracker.ietf.org/doc/html/rfc3629)) character
>> set. `key` and `value` MUST be separated by an equal sign (`=`).
>>
>>     Naming of `key` has following obligations:
>>     * MUST start with a letter (a-z)
>>     * MUST have a minimum length of 1 character and a maximum length
>> of 200 characters
>>     * MUST consist of alphanumeric characters (a-zA-Z0-9) (lowercase
>> alphabet a-z, uppercase alphabet A-Z, numbers 0-9)
>>     * SHOULD be written in _camelCase_ annotation
>>
>>     Data within `value` has following obligations:
>>     The characters allowed in a `value` are either reserved or
>> unreserved (or a percent character as part of a percent-encoding
>>     [RFC3986 "Uniform Resource Identifier (URI): Generic Syntax"
>> Section 2.1](https://datatracker.ietf.org/doc/html/rfc3986#section-2.1)).
>>     Reserved characters are those characters that sometimes have
>> special meaning, while unreserved characters have no such meaning.
>>     Using percent-encoding, characters which otherwise would not be
>> allowed are represented using allowed characters.
>>
>>     The unreserved characters can be encoded, but SHOULD NOT be
>> encoded. The reserved characters MUST be encoded using
>> percent-encoding.
>>     List of reserved characters: `!*'();:@&=+$,/?%#[] ` (last
>> character is a whitespace).
>>
>>
>> We also updated the interoperability considerations as follows (thanks
>> for the hint):
>>     Currently the only one known context of use is within the software
>> application stack and it's ecosystem provided by ORGAPLAN business
>> solutions. Uses outside of context should be handled with care.
>>
>> Last but not least we updated the security considerations. Since this
>> is a provisional registration and the uri is still WiP we do not have
>> a well qualified security consideration yet. Is this required for a
>> provisional registration?
>>
>> Thanks again for your time Ted, the updated specification is available
>> at https://api.orgaplan.org/articles/uri-dvx-scheme-specification.html
>>
>> Looking forward hearing your thoughts and possible improvements!
>>
>>
>>
>> Am Do., 1. Juli 2021 um 14:24 Uhr schrieb Ted Hardie <ted.ietf@gmail.com>:
>> >
>> > Hi Clemens,
>> >
>> > Thanks for your note.  There appears to be no collision with an existing registered scheme, so that's good news.  In going through the syntax, I did have some questions, if you don't mind.
>> >
>> > My reading is that there are two current commands, open and close, but that you intend for the syntax to be extensible.  The permitted characters for new commands are a-z0-9.+-, and there is no restriction on their ordering.  That would mean 99open, +-7a, even + as a bare operator would be valid; is that your intent, or did you also want to have minimum lengths and require certain patterns?
>> >
>> > For "the interoperability considerations", you might simply mention that there is currently only one known context of use (the ORGAPLAN context, listed below), and that uses of this outside that context may or may not conform.
>> >
>> > For security considerations, I could not quite parse what you meant:
>> >
>> > For security reasons it's prohibited to include sensitive or private information in the uri. This applies in particular to the key=value pairs. The restrictions on a requested resource or command need to be checked by the application which evaluates the uri
>> >
>> > For example, are you indicating that the URI might be carried in a plain text protocol, and thus be observable to an attacker with access to the path?  If that's the threat model, it would appear  the application that evaluates the URI (on receipt), might be acting too late to prevent observation.   In general you might want to reference rFC 3552 for text on how security considerations text is constructed.
>> >
>> > Thanks again for sending this note,
>> >
>> > regards,
>> >
>> > Ted Hardie
>> >
>> >
>> > Your document says "The encoding of the key=value pairs follow the rules defined in RFC3986 "Uniform Resource Identifier (URI): Generic Syntax" Section 2" .  It's not entirely clear to me which part of that section you wish to draw the reader's attention to.  Is it possible you meant section 3.4, which describes path elements and mentions key value pairs?
>> >
>> >
>> >
>> >
>> > On Thu, Jul 1, 2021 at 5:54 AM C. Bastian | ORGAPLAN <clemens.bastian@orgaplan.org> wrote:
>> >>
>> >> Hello! I hope you can provide me some feedback on this draft for a
>> >> provisional registration of the scheme 'dvx'.
>> >> Here's my current draft, any feedback and hints are appreciated. Best
>> >> greetings Clemens
>> >>
>> >> Scheme name:
>> >>       dvx
>> >>
>> >> Status:
>> >>      Provisional
>> >>
>> >> Applications/protocols that use this scheme name:
>> >>      The ERP software solution named "DVX" by ORGAPLAN business
>> >> solutions (www.orgaplan.org)
>> >>
>> >> Contact:
>> >>      Registration applicant: Clemens Bastian <clemens.bastian@orgaplan.org>
>> >>      Scheme creator: ORGAPLAN business solutions GmbH <info@orgaplan.org>
>> >>
>> >> Change controller:
>> >>      Someone who is verified to represent ORGAPLAN business solutions
>> >> GmbH (see 'Contact')
>> >>
>> >> References:
>> >>      Specification:
>> >> https://api.orgaplan.org/articles/uri-dvx-scheme-specification.html
>> >>
>> >> _______________________________________________
>> >> Uri-review mailing list
>> >> Uri-review@ietf.org
>> >> https://www.ietf.org/mailman/listinfo/uri-review

v2.23.0 | Report a Bug | By Email