IETF Logo Mail Archive

[Uri-review] draft-grimminck-safe-ioc-sharing

"Independent Submissions Editor (Eliot Lear)" <rfc-ise@rfc-editor.org> Fri, 10 April 2026 15:37 UTC

Return-Path: <rfc-ise@rfc-editor.org>
X-Original-To: uri-review@mail2.ietf.org
Delivered-To: uri-review@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 7ED14D994FFC for <uri-review@mail2.ietf.org>; Fri, 10 Apr 2026 08:37:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1775835455; bh=+zBBtcR4zzH5BzyqOGcFv0OuU+yLR/AA45rdi0v1HZY=; h=Date:To:Cc:From:Subject; b=OouhSBIJT2xIgQczeOKl0VDNY2pGDFVLBi/wPB1wOP8UoZFNixi1AuGISFmOpale6 Nou7+rhLP/FFvnlXwb0rL598evVZgjjgyomVWndN1XXeZVY/vT1hCI4BbT75DDygYO FgTF8x5WcuUoxD29M+8UksgA7NndvnrwNw1UF1X0=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=rfc-editor-org.20251104.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qQFLh8zdGqGA for <uri-review@mail2.ietf.org>; Fri, 10 Apr 2026 08:37:34 -0700 (PDT)
Received: from mail-wr1-x42a.google.com (mail-wr1-x42a.google.com [IPv6:2a00:1450:4864:20::42a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id E7169D994DC0 for <uri-review@ietf.org>; Fri, 10 Apr 2026 08:37:20 -0700 (PDT)
Received: by mail-wr1-x42a.google.com with SMTP id ffacd0b85a97d-43cfce3a195so1381116f8f.2 for <uri-review@ietf.org>; Fri, 10 Apr 2026 08:37:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rfc-editor-org.20251104.gappssmtp.com; s=20251104; t=1775835434; x=1776440234; darn=ietf.org; h=subject:from:cc:to:content-language:user-agent:mime-version:date :message-id:from:to:cc:subject:date:message-id:reply-to; bh=BgqmZR0V8AJQy2p+xcfmTofkn0TGOQWMX7CR73Ci8L4=; b=Ao5TICvkIFGUUffbfLPbUtV3KZzbNGT/9Hu6zrkndy86FO5pGOvyuDr/Ccn8oQx4xl gN+mfFcC60/+MrxbfA0q5TrgImw5c/ZtSJFlP/4CGjllI2JwZ45NeWgVxBhb9M9QcIsu +BIoObbyy+Q39HqF0FLUVy5vPX4VGNniUff5tAz9thaDioHClfb01AqpruDgu+skKrb1 Hoe5ChkNnjHnjE/bw9sXx/O3LvyP16YFZjmwW++Vvtovvsw2866X08W8p9x7y9+jOGkM 26AKEgi78HND85pfrRSfb+ebOI6md2vZsFGSqhy22BSnwEY7WW8vgfZYSihdKB2WWmhJ tpEQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775835434; x=1776440234; h=subject:from:cc:to:content-language:user-agent:mime-version:date :message-id:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=BgqmZR0V8AJQy2p+xcfmTofkn0TGOQWMX7CR73Ci8L4=; b=Hze+aJU3IFPx9YYLxerBOTs3tHXgfhpLAXq+djBuLql9UI06J73T5YpDpQ514jaeAR 95t3xnopG/gEyM0/1bxFJZ3oJZ4skTFW0YLMEZAxiB8xpQ60RXzLruOgHwDRBomcMxkn 2VaHgQkHeKgvEmO6IzANKHfi/CImZwBGS+qRfhNqBI9pxjLqtUKBpSwYlodPFYV/8OPi SKDRg5L01nNknT5rhs4oKozIZ7JOplqgR2gSYP5+Hb5D+6fFXG5PEWZ0YBUFDHvRHfiT nna0VmMjxOviZtah6tt82haZR5AwV+tC+a6ktvd24oLmmxdnHbbevGd96FvqBJV88dAN Rrow==
X-Gm-Message-State: AOJu0Yz832awfFCBiwh+43AJlOex2YgFPxCRqOh5LQnzyWbpCP2in0Z1 EEHBiFdeH0JLwVHVD2pjZxNwAVWs65P9aTfNW2n7oYOrVad+3kmGy+fqqksCNgAL41aW2ExBFAj PRzQmPrs=
X-Gm-Gg: AeBDiesvzepDKUIGg4SUCc+ch42HqcIePp08DK7VSlmy6loW5ajBHa8rYquZ5RjjMTG j7k0a03hN60yzkhmCQu040KgV/3d1Jc0m9mKRvieG2T3eF1vnqN2D4za2Fr4a7/C2XGTfS6mFSM 6BtX3eyDNga0TljpCJAA4o7DoZznnwB9obGBDDqu2v28z9yBc+2GIFaPKqgKpCvzy2r+L2JGvkP z761EbZjvgImuTvUdtUGjnjkMIcKlyHJ0RXK0/SsQVomj01Yf9vhKrm2G1y6qhataXGuorepbzI LLnNSIyGwRrr8yu2oz1RZ3S+47WQ2jw4lGxr0wBZujCZazbGpRYInnE8cqMDwdoghqYpu8IyoUS wLX9WUnLwBX/DnmU7BWUM0G9GCJ40T4MmpG9IpBcko+ZGw8aKbln3kyjio7qEqThDs0LW3/2eHi 4SLryR9yKILJQGB3wwgFHOrAiTajF/Cm5a3vWpsjWGmnOHOZlwVbOfenU1Gpow1zga1HFPbqeGz 9tBv/0oMHG3ai8o+qs4giql
X-Received: by 2002:a05:6000:18a9:b0:43d:4de9:50b with SMTP id ffacd0b85a97d-43d642bde29mr5095093f8f.50.1775835433493; Fri, 10 Apr 2026 08:37:13 -0700 (PDT)
Received: from ?IPV6:2a02:1210:2c9b:e200:c02:55d4:8367:1889? ([2a02:1210:2c9b:e200:c02:55d4:8367:1889]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-43d63e5c98fsm8965688f8f.35.2026.04.10.08.37.12 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 10 Apr 2026 08:37:12 -0700 (PDT)
Content-Type: multipart/alternative; boundary="------------k0czKqsxJWBTEpl3KY5LAIsq"
Message-ID: <e100c374-1323-4e10-942e-7c956b46f9e3@rfc-editor.org>
Date: Fri, 10 Apr 2026 17:37:12 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: uri-review@ietf.org
From: "Independent Submissions Editor (Eliot Lear)" <rfc-ise@rfc-editor.org>
Message-ID-Hash: LSLBNYK2CKJNFVW6CJN4JCFLAMNIEMSF
X-Message-ID-Hash: LSLBNYK2CKJNFVW6CJN4JCFLAMNIEMSF
X-MailFrom: rfc-ise@rfc-editor.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-uri-review.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: draft-grimminck-safe-ioc-sharing@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Uri-review] draft-grimminck-safe-ioc-sharing
List-Id: Proposed URI Schemes <uri-review.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uri-review/WPgkTMqi9PAtTeHAnjkIo7GZ32Q>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uri-review>
List-Help: <mailto:uri-review-request@ietf.org?subject=help>
List-Owner: <mailto:uri-review-owner@ietf.org>
List-Post: <mailto:uri-review@ietf.org>
List-Subscribe: <mailto:uri-review-join@ietf.org>
List-Unsubscribe: <mailto:uri-review-leave@ietf.org>

Dear URI reviewers,

The Independent Submissions Editor has received a publication request 
for draft-grimminck-safe-ioc-sharing.  This draft intentionally makes 
certain URIs unresolvable during transport.  I am contacting you because 
there are several legacy use cases, two in particular: http-> hxxp and 
https -> hxxps.  I have no doubt, but that these indicators of 
compromise (IOC) transformations are widely accepted as a convention.  I 
note that an old draft, draft-salgado-hxxp-01 has provisionally 
registered these schemes.  This is sufficient to limit damage with those 
particular schemes.  There can be other schemes that may be used to 
reference compromised content.

I have several questions for this group:

  * Stefan is considering a more generic approach that uses illegal
    characters in the scheme (*) for other schemes.  Do you agree that
    is appropriate?
  * Would you like the registration for hxxp and hxxps to move to this
    work, should it progress?
  * Would you like to mark the registrations as permanent as part of
    that process?
  * Would you like to perform a review of the draft?  Reviewer guidance
    can be found at https://www.rfc-editor.org/materials/reviewer.guide.txt.

Regards,

Eliot

v2.46.0 | Report a Bug | By Email | System Status