Re: [Uri-review] URI Scheme "ves:"

Jim Zubov <ietf-list@commercebyte.com> Mon, 20 December 2021 17:20 UTC

Date: Mon, 20 Dec 2021 12:20:27 -0500
From: Jim Zubov <ietf-list@commercebyte.com>
To: uri-review@ietf.org, Michael Wojcik <Michael.Wojcik@microfocus.com>, "uri-review@ietf.org" <uri-review@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uri-review/oQ81PyLXSbZdn2TpkEH4nzO9_2g>

Julian & Michael -
I must agree. It will be cleaner to keep the scheme specifications strictly compliant, while individual libraries and clients may allow some leeway that's not documented in the scheme, covered by their own security assessment.
I revised the specs pdf (same link as before) to reflect this.

On December 20, 2021 9:24:24 AM EST, Michael Wojcik <Michael.Wojcik@microfocus.com> wrote:
>> From: Uri-review <uri-review-bounces@ietf.org> On Behalf Of Julian Reschke
>> Sent: Monday, 20 December, 2021 05:26
>> 
>> On 18.12.2021 at 22:10, Jim Zubov wrote:
>> > ...
>> >
>> > I specified the violations, specifically stripped url encoding, that the
>> > software SHOULD understand, and libVES in fact DOES understand. The uri
>> > parts are still recommended to be properly url encoded to comply with the
>> > standards.
>> > ...
>> 
>> I believe this is an incredibly bad decision, because it means that
>> consumers of the URIs can't simply use conforming URI parsers.
>
>Historically, this sort of thing has also led to security vulnerabilities, due to mismatches in the tolerances of filters and end servers. Non-canonical UTF-8 sequences are one example.
>
>The Postel Interoperability Principle was useful in the early days of internets (and then of *the* Internet) to get things off the ground. These days it's a liability. Be strict in what you accept.
>
>-- 
>Michael Wojcik
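
An added example, not from this thread and not libVES code: Python showing the tolerance mismatch between a filter and a consumer that the quoted reply describes, for both a stripped escape and a non-canonical UTF-8 sequence. `filter_allows` and `lenient_decode` are hypothetical stand-ins for an upstream filter and a tolerant consumer, and the sample strings are constructed.

```python
import re

_ESCAPE = re.compile(rb"%([0-9A-Fa-f]{2})")
# Characters RFC 3986 permits in a URI, plus well-formed percent escapes.
_URI = re.compile(r"(?:[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=]|%[0-9A-Fa-f]{2})*")
# Two-byte overlong UTF-8: lead byte C0/C1 encodes a code point below 0x80.
_OVERLONG2 = re.compile(rb"([\xC0\xC1])([\x80-\xBF])")


def _unescape(data: bytes) -> bytes:
    """Replace each well-formed %XX escape with the byte it denotes."""
    return _ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def strict_decode(component: str) -> str:
    """Conforming view: RFC 3986 characters only, escapes must be canonical UTF-8."""
    if not _URI.fullmatch(component):
        raise ValueError("raw character or malformed escape")
    # bytes.decode rejects overlong forms; UnicodeDecodeError is a ValueError.
    return _unescape(component.encode("ascii")).decode("utf-8")


def lenient_decode(component: str) -> str:
    """Hypothetical tolerant consumer: raw characters pass, overlong forms fold."""
    raw = _unescape(component.encode("utf-8"))
    raw = _OVERLONG2.sub(
        lambda m: bytes([((m.group(1)[0] & 0x1F) << 6) | (m.group(2)[0] & 0x3F)]), raw)
    return raw.decode("utf-8", errors="replace")


def filter_allows(component: str) -> bool:
    """Hypothetical upstream filter: rejects a component containing a '/' byte."""
    return b"/" not in _unescape(component.encode("utf-8"))


def compare(component: str):
    """Return (filter verdict, tolerant consumer's view, strict view or None)."""
    try:
        strict = strict_decode(component)
    except ValueError:
        strict = None
    return filter_allows(component), lenient_decode(component), strict


# Constructed inputs: a compliant escape, a stripped escape, an overlong '/'.
SAMPLES = ["my%20file", "my file", "docs%C0%AFsecret"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), compare(s))
```

In the third sample the filter and the tolerant consumer disagree about whether the component contains a `/`, while the strict decoder rejects the input outright, so a filter and a consumer that both use it cannot diverge.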