[Uri-review] Re: draft-grimminck-safe-ioc-sharing
"Independent Submissions Editor (Eliot Lear)" <rfc-ise@rfc-editor.org> Tue, 28 April 2026 11:29 UTC
Return-Path: <rfc-ise@rfc-editor.org>
X-Original-To: uri-review@mail2.ietf.org
Delivered-To: uri-review@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 40EC3E4AAE32 for <uri-review@mail2.ietf.org>; Tue, 28 Apr 2026 04:29:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1777375770; bh=VZUWoSRLG/BirgG0n1nZOXk4Ah4b7si9q2i4kqTQ0Cg=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=Sk8Dr3ORXOxwdUAAbJgmsqUzpMS0Hl1df3ipi1lNChDw3yv4KcjIHIFi+19oGrj08 cCOKz7bFP4TSYMw1fYPnRL/d2RDpplvgGxcghBkz2QD5SR5/8lwuvbUjgqq4rnHnCr zS5H3jPWpHg5ZCKCCfLh8bCNRpdUwI4w02ne2dr4=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=rfc-editor-org.20251104.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S70vEEJiiaSj for <uri-review@mail2.ietf.org>; Tue, 28 Apr 2026 04:29:29 -0700 (PDT)
Received: from mail-lj1-x22f.google.com (mail-lj1-x22f.google.com [IPv6:2a00:1450:4864:20::22f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 63AB9E4AAE22 for <uri-review@ietf.org>; Tue, 28 Apr 2026 04:29:29 -0700 (PDT)
Received: by mail-lj1-x22f.google.com with SMTP id 38308e7fff4ca-38e7d983f79so86482281fa.0 for <uri-review@ietf.org>; Tue, 28 Apr 2026 04:29:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rfc-editor-org.20251104.gappssmtp.com; s=20251104; t=1777375762; x=1777980562; darn=ietf.org; h=in-reply-to:from:content-language:references:cc:to:subject :user-agent:mime-version:date:message-id:from:to:cc:subject:date :message-id:reply-to; bh=aSI3o1T3Iw2nsvab4/OXOlOq/RB5yZcBKzpxFJGrZe4=; b=Q1MrUHvEASXcSXVLRUBZMrx0D/Pm0hGkAk5w9S6YHoZQqLzwgSad4/1JIFd2pUo3Xq 1U2x4/q+121zrX1hz5LfJRj385A97XEB9OuAAkpNgrjYRtAN/R1I60HdD2u8D6UndvNx dVbMdCYvlgGzQZ0hijr3HqUd6DOG5d+a6/CidvfDp8BwxTi27RZhzOusBO4VaKavl+iQ SRuM8on7UX8cdg0t7BbVW+cp0rt1+K9iDWtcdjBEEDLGyRdnVswYmfB/RSh+7EKtla+v O0S0mO8TGW6Nekm6LNrVFvkeOu0AIcCjgCdAd1OADEuXvTLwejHT2YFy15XAIo1bTlHI bXeA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777375762; x=1777980562; h=in-reply-to:from:content-language:references:cc:to:subject :user-agent:mime-version:date:message-id:x-gm-gg:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=aSI3o1T3Iw2nsvab4/OXOlOq/RB5yZcBKzpxFJGrZe4=; b=qambh2ixAyBP/xEylGtePtRvFGKU59zpSnfZ8doEC4aRkGcvslK+FLp/FSxfsWR43v IXn/mhk//fCSWmTqCBJfL7ERY2/VP7HV28uC0HzSeGIlZi859pwD7Hz/KAoVxTduiOJK kfCL2Vpvvcmne+LT+avVeIzAdqC5Q26fPsWEzAtsY6JJ+2kgzptSPRyBAjo8op9uYcQk Mx5CCFKYLOpbIOB8Tndly7KpbmGMVVN/OsvaLtG/+CMBFBUEqZH+EgGsHU21W7N6P9II m3Jtmue71YAKZenrx3APxTfCkTFrDcQr0a4/i78SCrLoxVG4TQjH13OMTlk8NZTsQX4P Pt/g==
X-Forwarded-Encrypted: i=1; AFNElJ8UAMdZuB09+SJFLbPws7Ls4olkVHXAvm/KoKcKhjSUDbs0n0qgBVFnTKS9JCWu4kkjA1lIdwOlgYWm@ietf.org
X-Gm-Message-State: AOJu0YyamisQqYm8G1HqR8NSzQoV5gESl2V88bNK0rdJGhkgXmrYTpB0 jKhH0D/gnJNnfAd1LcvQHkWva9+W6gaOK+niEJAfkqshKGV6vXG3mwac7pNQUfEkSnq3bw==
X-Gm-Gg: AeBDievRR4/2yxCaH4IaVcpg3y+wR2/RT7WyXvFaTnhevUIbtYUQBAHpkj39s3X4PP2 2Y8pK/OUIf7sKUJpLqU+oFQOJoi0AzzK7kdXhrGszN4R+YYj8QAWF+VsqOvL2VYA+SOjdCRzKSY 0bXcQq+Tn8Dg/AfXfrM66FAKKG4oF2vey2RCGFaQbQ2z5M69ljeygjKSKG4sDeadSUq+aQgJKFC lUumE8aRY4mETewD9YFFRmeevF5LLCuNTxa3cH+6pC06HOop56R/vl+I1hcrS9dAtC35HvFRxnK TOimRxKm6FzZ7l4R+jbi+jHv1KYs6Sp4VfR8USqvLoyHO4wKxwye+z2dVvDhoNo2EnS6b4YKI96 16QVXuIccbKBwoim9dfB2wKlA1ZIzN7RPIOQ2WoenkjO4uGss47UUja8u071xFJ2p98lZ5B2EJ6 FrqRnCaFhf9Y7EnkSjSayTLL4xNdeHC3s7y/9soUtOzjTphIc9pK217dnu5JkDCmLIWswEQ0w86 giLq3DgmoDqthDn/N1IlTq0MHdt/Cwpl3ExLg==
X-Received: by 2002:a05:6512:1282:b0:5a4:50:ac71 with SMTP id 2adb3069b0e04-5a746415f40mr1134690e87.13.1777375761786; Tue, 28 Apr 2026 04:29:21 -0700 (PDT)
Received: from ?IPV6:2a02:1210:2c9b:e200:259e:118d:d6cf:af65? ([2a02:1210:2c9b:e200:259e:118d:d6cf:af65]) by smtp.gmail.com with ESMTPSA id 2adb3069b0e04-5a7462ca631sm559684e87.9.2026.04.28.04.29.18 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 28 Apr 2026 04:29:20 -0700 (PDT)
Content-Type: multipart/alternative; boundary="------------L0ZtKSvOpL3nwooVmgYWyyyB"
Message-ID: <85ec7098-3ffb-4173-ba04-bcea9e7edac1@rfc-editor.org>
Date: Tue, 28 Apr 2026 13:29:17 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Stefan Grimminck <contact@stefangrimminck.nl>
References: <e100c374-1323-4e10-942e-7c956b46f9e3@rfc-editor.org> <CA+9kkMCs_eWXGcS5uScro7bRoFX=7AJq1o76W-8bCXp-K9-Hsw@mail.gmail.com> <070fe9bb-2c33-4c41-a1d6-06f7efa15491@it.aoyama.ac.jp> <ce84a0a1-f56a-479c-9052-328b9a4a4332@rfc-editor.org> <2Eq32vEqs9jQZEbb2Tup4mZm6PgHH2Xd9TB9jKh6JI9APoO8o2-Q5_jfumCa2F1lMVv5eFfVSVzYbZT2y4u4ejXdttFa9btZBfG2UopeCwI=@stefangrimminck.nl> <98bcc796-83b1-43cb-a654-ac75cf8d1a4c@it.aoyama.ac.jp> <DD6OFtYhxxdD33WnL1wWU5xfuQlJRq0CHuYopGRJjYQH35FzcC5Asnh1Gt6zCq5fod1pXl4bssbjeFTcmdLEJZONuHBb2CNPNWHOxcsUiCM=@stefangrimminck.nl> <prpBDWv9p7Cn_xwgagjm8vtIQtRWmJkyLoSHOoU2i-ejdU66R7YcmRt3FImTE9VE4NqIKN5eyBUoNjkV7hXDdm3FIR3HzINaG2KDoCwaeJw=@stefangrimminck.nl>
Content-Language: en-US
From: "Independent Submissions Editor (Eliot Lear)" <rfc-ise@rfc-editor.org>
In-Reply-To: <prpBDWv9p7Cn_xwgagjm8vtIQtRWmJkyLoSHOoU2i-ejdU66R7YcmRt3FImTE9VE4NqIKN5eyBUoNjkV7hXDdm3FIR3HzINaG2KDoCwaeJw=@stefangrimminck.nl>
Message-ID-Hash: O6TUFST2QIXA3RARN2J5L5MXAP4OM4GA
X-Message-ID-Hash: O6TUFST2QIXA3RARN2J5L5MXAP4OM4GA
X-MailFrom: rfc-ise@rfc-editor.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-uri-review.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Ted Hardie <ted.ietf@gmail.com>, uri-review@ietf.org, draft-grimminck-safe-ioc-sharing@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Uri-review] Re: draft-grimminck-safe-ioc-sharing
List-Id: Proposed URI Schemes <uri-review.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uri-review/fOTlt_qEfHkqsoPsCnAvobWZCxU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uri-review>
List-Help: <mailto:uri-review-request@ietf.org?subject=help>
List-Owner: <mailto:uri-review-owner@ietf.org>
List-Post: <mailto:uri-review@ietf.org>
List-Subscribe: <mailto:uri-review-join@ietf.org>
List-Unsubscribe: <mailto:uri-review-leave@ietf.org>
Stefan,
I'm pretty happy with what I'm seeing. A few remaining nits:
* The IANA considerations isn't still quite nailed down, and this has
to be finished before going to the IESG for review. There are two
choices:
o Do not ask for re-assignment of hxxp or hxxps, in which case you
should empty IANA considerations and replace it with ["RFC
Editor to remove this section"] and "No IANA actions are required".
OR
o You may ask the IANA to reassign those two schemes to this
draft. At the least you should contact the original assignee.
If there is agreement, this should be a pretty easy thing. You
may also ask for a permanent allocation, but the process will
get dragged out.
* Please could you add a statement in your introduction that this
informational specification is not a Internet standard, nor does it
have community consensus? If you want this to be a standard, and
Ted suggested that might be a good route, we could see about that
with the IETF.
* Please consider adding acknowledgments for those who provided feedback.
I've asked for one additional commissioned review, but if that doesn't
happen, we'll move one.
Eliot
On 28.04.2026 10:31, Stefan Grimminck wrote:
> Hi Eliot, Martin, and URI-review team,
>
> Thank you again to everyone for the review of -08. I have published -09 incorporating the feedback from this thread:
> https://datatracker.ietf.org/doc/draft-grimminck-safe-ioc-sharing/09/
>
> The main changes:
>
> 1. IPv6 literals are now obfuscated (Step 3). Colons inside an IPv6 literal become "[:]", and any embedded IPv4 dots become "[.]". The outer brackets of an IP-literal are preserved because removing them would break RFC 3986 authority syntax.
> Examples:"http://[2001:db8::1]:8080" becomes "[http]://[2001[:]db8[:][:]1]:8080"; bare "2001:db8::1" becomes "2001[:]db8[:][:]1".
> 2. The IDNA edge-case text in Section 9 now cites RFC 5890 explicitly.
> 3. The "does not trigger auto-linking" justification for leaving IPv6 untouched has been removed.
>
> To validate the spec against real-world URL shapes, I built a Go reference implementation and ran it against the Web Platform Tests URL corpus (879 inputs):
> https://github.com/StefanGrimminck/safeioc
>
> CI run (per-item audit trail, see TEST section):
> https://github.com/StefanGrimminck/safeioc/actions/runs/24891319062/job/72884133848
>
> Thanks again, and looking forward to next steps.
>
> Best regards,
>
> Stefan Grimminck
>
>
>
> On Saturday, April 18th, 2026 at 13:25, Stefan Grimminck<contact@stefangrimminck.nl> wrote:
>
>> Hi Martin,
>>
>> Thank you for the TR58 reference. Initially, I set out to codify existing behaviors, but it became clear that a lot of legacy mechanisms do not scale (e.g., character substitution). This led to documenting a path forward with the scheme bracketing seen in the current text.
>>
>> I agree that this should include IPv6 to ensure consistency. It was initially omitted due to the currently low frequency of IPv6 occurrences and the existing use of brackets within IPv6 syntax. I am creating a test setup to validate a solution for IPv6 and will share results.
>>
>> Best regards,
>>
>> Stefan Grimminck
>>
>>
>> On Tuesday, April 14th, 2026 at 11:00, Martin J. Dürst<duerst@it.aoyama.ac.jp> wrote:
>>
>>> Hello Stefan,
>>>
>>> First, please also have a look athttps://www.unicode.org/reports/tr58/,
>>> which may be relevant for your work.
>>>
>>> On 2026-04-13 18:33, Stefan Grimminck wrote:
>>>
>>>> Based on the review feedback, I'm planning the following changes for -09:
>>>> - Reframing the IPv6 rationale in Step 3. The text currently states that IPv6 "does not trigger auto-linking in typical software," which I agree should not be presented as a permanent justification. I plan to replace this with a technical rationale.
>>> Sorry to disagree, but this is NOT about justification. Why do you
>>> obfuscase domain names and IPv4 literals, but not IPv6 literals? If
>>> attacks with the former are possible, I'm sure attacks with the later
>>> also should be possible, and obfuscation has to address this.
>>>
>>> Regards, Martin.
>>>
>>>
>>>
- [Uri-review] draft-grimminck-safe-ioc-sharing Independent Submissions Editor (Eliot Lear)
- [Uri-review] Re: draft-grimminck-safe-ioc-sharing Frank Denis
- [Uri-review] Re: draft-grimminck-safe-ioc-sharing Ted Hardie
- [Uri-review] Re: draft-grimminck-safe-ioc-sharing Martin J. Dürst
- [Uri-review] Re: draft-grimminck-safe-ioc-sharing Independent Submissions Editor (Eliot Lear)
- [Uri-review] Re: draft-grimminck-safe-ioc-sharing Stefan Grimminck
- [Uri-review] Re: draft-grimminck-safe-ioc-sharing Graham Klyne
- [Uri-review] Re: draft-grimminck-safe-ioc-sharing Independent Submissions Editor (Eliot Lear)
- [Uri-review] Re: draft-grimminck-safe-ioc-sharing Martin J. Dürst
- [Uri-review] Re: draft-grimminck-safe-ioc-sharing Stefan Grimminck
- [Uri-review] Re: draft-grimminck-safe-ioc-sharing Stefan Grimminck
- [Uri-review] Re: draft-grimminck-safe-ioc-sharing Independent Submissions Editor (Eliot Lear)
- [Uri-review] Re: draft-grimminck-safe-ioc-sharing Graham Klyne
- [Uri-review] Re: draft-grimminck-safe-ioc-sharing Eric Burger