Re: [Uri-review] Requesting review for 'dvx' provisional registration draft
Ted Hardie <ted.ietf@gmail.com> Fri, 02 July 2021 09:30 UTC
Return-Path: <ted.ietf@gmail.com>
X-Original-To: uri-review@ietfa.amsl.com
Delivered-To: uri-review@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4EF7D3A1739 for <uri-review@ietfa.amsl.com>; Fri, 2 Jul 2021 02:30:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4dWaUHok9raU for <uri-review@ietfa.amsl.com>; Fri, 2 Jul 2021 02:30:16 -0700 (PDT)
Received: from mail-oi1-x230.google.com (mail-oi1-x230.google.com [IPv6:2607:f8b0:4864:20::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 640E43A1736 for <uri-review@ietf.org>; Fri, 2 Jul 2021 02:30:16 -0700 (PDT)
Received: by mail-oi1-x230.google.com with SMTP id s17so10708290oij.0 for <uri-review@ietf.org>; Fri, 02 Jul 2021 02:30:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=aPtCWncNHQ0ppVP9/iYk/La+85GAB+xcUz6bRaeNnCs=; b=YGNdR7xhQdGvJjrWykqIU1KKM9lXkJZJLF+XCxILhNXI4+C69U68Dizq/NIMg6cVtM uaCn7XjKJh07RxUNj3uCJ0SrTgTR0gjFzwthw/h7+DML04e1goUz/+tiscq7d+tKfSIA VH4cvMZnqQ+a6SpU/i3SeTe1af7HdxuyOLqurv+WZGXDdapRW+2Vk/cYLmN81iIViBmD GcrfYFeQS66Ri0CCDwS/52BFInT7lX0ECSggsPIfpZcuFjHs/nbZEy6Yl/eoF1PnQuIp /wPONr28b9YPieracblANsiNxEiuIFEXbVXBYQ3EzA7//YF2vQZRrNcv0u794bV5wW1/ vlYQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=aPtCWncNHQ0ppVP9/iYk/La+85GAB+xcUz6bRaeNnCs=; b=Jxrjra6AWAcu4D7l68zc+JNdDq+1uIVVTpEfUeN6ZWj1fnV3D6QYGtkES3x9RoeZIs LoEhFIHOae6XJtUB5dQLk8YjDl3XNq2Lirba1XJfRU0nNjpXEZgQX81LnZ7/1XKyn04X SeMnBLF9yNscFXLVY1NpSJe0nx6vIGwrj8nV/OfnO5/IQPgZO++Pzp6IFglRf7Hr9FiH W03VZ9DazEjFazaaL5h5P8WohYUeRXoY8OuqqZfIKCA5JrsrAAIhjGbaHC727O/Lwysw jUeVgdoQkZ/tOJ/We8PDmTzwZgA36iRRIGYBrB89oBKlMIcnwpSTSbPhg6vN3RZE5l7G fWkA==
X-Gm-Message-State: AOAM532DEAsg2UFoq6Z2sMJ5Rj/XNoHvaQKNYL3c1H5UKT/xRiQHm7L0 wox2VgeXI4oMhaGAUuCdVKstxVb3QjQR4BVpaGUoNvTtXX8=
X-Google-Smtp-Source: ABdhPJw6/pCY5lSkw4K7xW+emnW/xiMMtY2xxAi9hL1385Ye4y0SRExzuK9/rqm6k2rwQieVg+km09MoZ9Vzbw1Vi1E=
X-Received: by 2002:a05:6808:9ae:: with SMTP id e14mr11312490oig.74.1625218215095; Fri, 02 Jul 2021 02:30:15 -0700 (PDT)
MIME-Version: 1.0
References: <CAD2stPT7+5s_+7BC8Xrv-phQj40+oOomT3f3bVarX=AuJXGJ8w@mail.gmail.com> <CA+9kkMBv2PP9J=ntZqOOMoxtcQ9afo-RuCvoF+_3-29+N55zwA@mail.gmail.com> <CAD2stPR+0OvBRnO9Ac36hcxYh+fRQbYFWzaq5DSR+xXqKGpMSA@mail.gmail.com>
In-Reply-To: <CAD2stPR+0OvBRnO9Ac36hcxYh+fRQbYFWzaq5DSR+xXqKGpMSA@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Fri, 02 Jul 2021 10:29:49 +0100
Message-ID: <CA+9kkMArHaE=vtP3TGgMzePtLuRvwoHAVKjL0-qAzkxz5ZQR5g@mail.gmail.com>
To: "C. Bastian | ORGAPLAN" <clemens.bastian@orgaplan.org>
Cc: uri-review@ietf.org
Content-Type: multipart/alternative; boundary="00000000000064b24e05c6209aa5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uri-review/q1jA-2QjL3PwjsubK4hugc0-xM8>
Subject: Re: [Uri-review] Requesting review for 'dvx' provisional registration draft
X-BeenThere: uri-review@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proposed URI Schemes <uri-review.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uri-review>, <mailto:uri-review-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uri-review/>
List-Post: <mailto:uri-review@ietf.org>
List-Help: <mailto:uri-review-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uri-review>, <mailto:uri-review-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Jul 2021 09:30:22 -0000
Hi Bastian,
Thanks for your message. I've read the updated document, and I have a few
comments, but I believe I understand more fully your intent than with the
initial version. Thanks for the update.
In the text on data within values, you say:
The characters allowed in a value are either reserved or unreserved (or a
percent character as part of a percent-encoding, see RFC3986 "Uniform
Resource Identifier (URI): Generic Syntax" Section 2.1
<https://datatracker.ietf.org/doc/html/rfc3986#section-2.1>). Reserved
characters are those characters that sometimes have special meaning, while
unreserved characters have no such meaning. Using percent-encoding,
characters which otherwise would not be allowed are represented using
allowed characters
If I understand you correctly, your intent could also be expressed by
saying that "value" permits the unreserved and pct-encoded productions
from RFC 3986 (see the Appendix for the collected ABNF). If you also
wanted to permit the sub-delims, ":" , and "@", you could simply reuse the
pchar production, which seems fairly close to your intent. Since those are
part of the base spec, either approach would be well understood by
implementers.
On the question of security considerations, BCP35 requires either a
security consideration section or a statement of why one cannot be made
available:
The scheme definition SHOULD include clear security considerations
(Section 3.7
<https://www.rfc-editor.org/rfc/rfc7595.html#section-3.7>) or explain
why a full security analysis is not
available (e.g., in a third-party scheme registration).
I'd suggest updating the template to note that the system of which this is
a part is a work in progress and that a full security consideration is thus
not yet available, but that the scheme inherits the general security
considerations of RFC 3986 and that sensitive data SHOULD NOT be used in
key value pairs in forms accessible to observers. That would seem to cover
the threats you're already aware of, and you can update the security
considerations as the threat model becomes clearer.
best regards,
Ted Hardie
On Thu, Jul 1, 2021 at 5:44 PM C. Bastian | ORGAPLAN <
clemens.bastian@orgaplan.org> wrote:
> Hello Ted,
>
> first of all: Let me thank you for the precious feedback and all the
> effort going through my draft.
>
> You're absolutely right in terms of the extensible <command> section.
> To be honest, and as the title indicates, this is a draft and changes
> can still be made. The scheme design is WiP and your feedback is
> appreciated. Now there are some more obligations and recommendations
> regarding the <command>:
> * MUST start with a letter (a-z)
> * MUST end with a letter (a-z) or a number (0-9)
> * MUST have a minimum length of 3 characters and a maximum length
> of 200 characters
> * SHOULD HAVE at least 3 alphanumeric characters between two
> special characters (`.`,`+`,`-`)
>
>
> The section about encoding of the key=value pairs has been updated as
> well to make it clearer (hopefully):
> All `key=value` pairs MUST use the UTF-8
> ([RFC3629](https://datatracker.ietf.org/doc/html/rfc3629)) character
> set. `key` and `value` MUST be separated by an equal sign (`=`).
>
> Naming of `key` has following obligations:
> * MUST start with a letter (a-z)
> * MUST have a minimum length of 1 character and a maximum length
> of 200 characters
> * MUST consist of alphanumeric characters (a-zA-Z0-9) (lowercase
> alphabet a-z, uppercase alphabet A-Z, numbers 0-9)
> * SHOULD be written in _camelCase_ annotation
>
> Data within `value` has following obligations:
> The characters allowed in a `value` are either reserved or
> unreserved (or a percent character as part of a percent-encoding
> [RFC3986 "Uniform Resource Identifier (URI): Generic Syntax"
> Section 2.1](https://datatracker.ietf.org/doc/html/rfc3986#section-2.1)).
> Reserved characters are those characters that sometimes have
> special meaning, while unreserved characters have no such meaning.
> Using percent-encoding, characters which otherwise would not be
> allowed are represented using allowed characters.
>
> The unreserved characters can be encoded, but SHOULD NOT be
> encoded. The reserved characters MUST be encoded using
> percent-encoding.
> List of reserved characters: `!*'();:@&=+$,/?%#[] ` (last
> character is a whitespace).
>
>
> We also updated the interoperability considerations as follows (thanks
> for the hint):
> Currently the only one known context of use is within the software
> application stack and it's ecosystem provided by ORGAPLAN business
> solutions. Uses outside of context should be handled with care.
>
> Last but not least we updated the security considerations. Since this
> is a provisional registration and the uri is still WiP we do not have
> a well qualified security consideration yet. Is this required for a
> provisional registration?
>
> Thanks again for your time Ted, the updated specification is available
> at https://api.orgaplan.org/articles/uri-dvx-scheme-specification.html
>
> Looking forward hearing your thoughts and possible improvements!
>
>
>
> Am Do., 1. Juli 2021 um 14:24 Uhr schrieb Ted Hardie <ted.ietf@gmail.com>:
> >
> > Hi Clemens,
> >
> > Thanks for your note. There appears to be no collision with an existing
> registered scheme, so that's good news. In going through the syntax, I did
> have some questions, if you don't mind.
> >
> > My reading is that there are two current commands, open and close, but
> that you intend for the syntax to be extensible. The permitted characters
> for new commands are a-z0-9.+-, and there is no restriction on their
> ordering. That would mean 99open, +-7a, even + as a bare operator would be
> valid; is that your intent, or did you also want to have minimum lengths
> and require certain patterns?
> >
> > For "the interoperability considerations", you might simply mention that
> there is currently only one known context of use (the ORGAPLAN context,
> listed below), and that uses of this outside that context may or may not
> conform.
> >
> > For security considerations, I could not quite parse what you meant:
> >
> > For security reasons it's prohibited to include sensitive or private
> information in the uri. This applies in particular to the key=value pairs.
> The restrictions on a requested resource or command need to be checked by
> the application which evaluates the uri
> >
> > For example, are you indicating that the URI might be carried in a plain
> text protocol, and thus be observable to an attacker with access to the
> path? If that's the threat model, it would appear the application that
> evaluates the URI (on receipt), might be acting too late to prevent
> observation. In general you might want to reference rFC 3552 for text on
> how security considerations text is constructed.
> >
> > Thanks again for sending this note,
> >
> > regards,
> >
> > Ted Hardie
> >
> >
> > Your document says "The encoding of the key=value pairs follow the rules
> defined in RFC3986 "Uniform Resource Identifier (URI): Generic Syntax"
> Section 2" . It's not entirely clear to me which part of that section you
> wish to draw the reader's attention to. Is it possible you meant section
> 3.4, which describes path elements and mentions key value pairs?
> >
> >
> >
> >
> > On Thu, Jul 1, 2021 at 5:54 AM C. Bastian | ORGAPLAN <
> clemens.bastian@orgaplan.org> wrote:
> >>
> >> Hello! I hope you can provide me some feedback on this draft for a
> >> provisional registration of the scheme 'dvx'.
> >> Here's my current draft, any feedback and hints are appreciated. Best
> >> greetings Clemens
> >>
> >> Scheme name:
> >> dvx
> >>
> >> Status:
> >> Provisional
> >>
> >> Applications/protocols that use this scheme name:
> >> The ERP software solution named "DVX" by ORGAPLAN business
> >> solutions (www.orgaplan.org)
> >>
> >> Contact:
> >> Registration applicant: Clemens Bastian <
> clemens.bastian@orgaplan.org>
> >> Scheme creator: ORGAPLAN business solutions GmbH <
> info@orgaplan.org>
> >>
> >> Change controller:
> >> Someone who is verified to represent ORGAPLAN business solutions
> >> GmbH (see 'Contact')
> >>
> >> References:
> >> Specification:
> >> https://api.orgaplan.org/articles/uri-dvx-scheme-specification.html
> >>
> >> _______________________________________________
> >> Uri-review mailing list
> >> Uri-review@ietf.org
> >> https://www.ietf.org/mailman/listinfo/uri-review
>
- [Uri-review] Requesting review for 'dvx' provisio… C. Bastian | ORGAPLAN
- Re: [Uri-review] Requesting review for 'dvx' prov… Ted Hardie
- Re: [Uri-review] Requesting review for 'dvx' prov… C. Bastian | ORGAPLAN
- Re: [Uri-review] Requesting review for 'dvx' prov… Ted Hardie
- Re: [Uri-review] Requesting review for 'dvx' prov… C. Bastian | ORGAPLAN
- Re: [Uri-review] Requesting review for 'dvx' prov… Tim Bray
- Re: [Uri-review] Requesting review for 'dvx' prov… Ted Hardie
- Re: [Uri-review] Requesting review for 'dvx' prov… Ted Hardie
- Re: [Uri-review] Requesting review for 'dvx' prov… C. Bastian | ORGAPLAN