IETF Logo Mail Archive

Re: [Uri-review] Requesting review for 'dvx' provisional registration draft

Ted Hardie <ted.ietf@gmail.com> Mon, 05 July 2021 08:29 UTC

Return-Path: <ted.ietf@gmail.com>
X-Original-To: uri-review@ietfa.amsl.com
Delivered-To: uri-review@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80E473A08B1 for <uri-review@ietfa.amsl.com>; Mon, 5 Jul 2021 01:29:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5WHkGcyU1MFY for <uri-review@ietfa.amsl.com>; Mon, 5 Jul 2021 01:29:37 -0700 (PDT)
Received: from mail-oi1-x229.google.com (mail-oi1-x229.google.com [IPv6:2607:f8b0:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BAD0C3A08AE for <uri-review@ietf.org>; Mon, 5 Jul 2021 01:29:37 -0700 (PDT)
Received: by mail-oi1-x229.google.com with SMTP id b2so19973993oiy.6 for <uri-review@ietf.org>; Mon, 05 Jul 2021 01:29:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5dtCEyFREjVZAuMMyhHYU1813monDSU7DcGrA0XiB4A=; b=h5MXfHploEelbgfzEw9BL9reXO877Y6901mBcBDLT/aDvqbql8ynhzQpbt+8idxv5I xL89KSDWII0tteUtG2t1io6MwDH/vnvPHhcrGX6n3r7d1uR5JS0LMPjaWbOiNodKGCPu t1xJW8HojIY1eRjniAo9hyUIa8dXX8Ic3Vnh+wjRk48O7LAOabFrG7fcJEOvX42AWwor hTN7kfxuXJATlM5kOjPblYee7q7+d+QIjVEERqnUky+CmPj13URdf78S0LngeiYV59Br AiTw16l7xvjNkC0iWwuKvXRQnaXr2wt2gu9UFar3ymPNxnZWnMCh4iAptAhMWodp0gra Sezw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5dtCEyFREjVZAuMMyhHYU1813monDSU7DcGrA0XiB4A=; b=r7/90LbvDBgcqEw/oy57ORqdL8ysBuURvT4TFuyav+KlwtTj7aDTcCkZPNlcxL/dsF EMqPQtYQE/XNVsO5By7QlbPgqeQs0nDilGbO4KhRHM6oXwjOKzkHSagqD1PSVf6Sexj+ GPMqEejy+WFlUpzewcl9/8cxF4l81XGiDdVFdRqLSiABblw5Y0HJSc0UVLeqlXhL49jg LxWAT10gdaIYM2yWt+SXzHWObyA3Fx5QxyXdgpnM3r+TC6BsDl1bYybyg+FLLJSVKUtA IQ1IsLqMQTQ7tOXk1iOfkqUu59eg3xzd4SCPXbuUfeUvxdkLzqJNTXqujNT9qKabqMBi qQxQ==
X-Gm-Message-State: AOAM530BSdxv76R5hSfMnKAhw5UtCCkXtYYHudw/bmmaFab3MVrFe+U5 f7XGZ8KRtkMqPfINISIBXZIHNDaREzH7RJKqZ3jwUUpnCnQ=
X-Google-Smtp-Source: ABdhPJw6YZxNT2GzjadhkdHtSczRxMCpFKCcq/JGBl49f9v2OasRMXiiwuvXsMP31ILqKQoq6lmBWfHxt0QtZXW1wKE=
X-Received: by 2002:a05:6808:9ae:: with SMTP id e14mr9493720oig.74.1625473776006; Mon, 05 Jul 2021 01:29:36 -0700 (PDT)
MIME-Version: 1.0
References: <CAD2stPT7+5s_+7BC8Xrv-phQj40+oOomT3f3bVarX=AuJXGJ8w@mail.gmail.com> <CA+9kkMBv2PP9J=ntZqOOMoxtcQ9afo-RuCvoF+_3-29+N55zwA@mail.gmail.com> <CAD2stPR+0OvBRnO9Ac36hcxYh+fRQbYFWzaq5DSR+xXqKGpMSA@mail.gmail.com> <CA+9kkMArHaE=vtP3TGgMzePtLuRvwoHAVKjL0-qAzkxz5ZQR5g@mail.gmail.com> <CAD2stPSNaeFE4twsFA9-waG55wNz1N4r48uCihJYzRR6U=1m_A@mail.gmail.com>
In-Reply-To: <CAD2stPSNaeFE4twsFA9-waG55wNz1N4r48uCihJYzRR6U=1m_A@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Mon, 05 Jul 2021 09:29:09 +0100
Message-ID: <CA+9kkMB_CKgKfhbkzuy3SE-W8Nmuw1bZtGV_-W4OPh-pqE_U6g@mail.gmail.com>
To: "C. Bastian | ORGAPLAN" <clemens.bastian@orgaplan.org>
Cc: uri-review@ietf.org
Content-Type: multipart/alternative; boundary="00000000000002b99205c65c1b9e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uri-review/wtjPqh_mQSawGtNu1nRFRt3WHtc>
Subject: Re: [Uri-review] Requesting review for 'dvx' provisional registration draft
X-BeenThere: uri-review@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proposed URI Schemes <uri-review.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uri-review>, <mailto:uri-review-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uri-review/>
List-Post: <mailto:uri-review@ietf.org>
List-Help: <mailto:uri-review-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uri-review>, <mailto:uri-review-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Jul 2021 08:29:43 -0000

Hi Clemens,

Thanks for this. There are some minor editorial issues that I'll send you
off-list, but I think this is probably far enough along to submit for
provisional.

regards,

Ted

On Fri, Jul 2, 2021 at 5:54 PM C. Bastian | ORGAPLAN <
clemens.bastian@orgaplan.org> wrote:

> Hello Ted,
>
> thanks again. Your thoughts are very appreciated and helpful.
> Here's our third version of the draft:
>
> Regarding the obligations for "key=value" pairs your idea helped us to
> shrink our specification and make more use of existing documentation.
> It now says:
>     * value MUST consist of unreserved and pct-encoded characters
> defined in RFC3986 (see the RFC3986 Appendix A. for the collected
> ABNF)
>     * The unreserved characters MAY be pct-encoded, but SHOULD NOT be
> encoded
>     * The reserved characters MUST be encoded using pct-encoding
>     * value MAY be empty, but it's not recommended
>
> And the updated security considerations:
>     A full security analysis and considerations are not yet available
> since the application which this scheme is part of is still under
> development. At the current state the scheme inherits the general
> security considerations of RFC 3986 Section 7.. We highly recommend:
>     Sensitive data SHOULD NOT be used in key=value pairs in forms
> accessible to observers
>     Implementations of this scheme SHOULD NOT trust a dvx-URI from an
> untrusted source
>     Security considerations will be updated as soon as the threat
> model becomes clearer.
>
> Published as the versions before at
> https://api.orgaplan.org/articles/uri-dvx-scheme-specification.html
>
> Looking forward on your feedback, Clemens
>
> Mit freundlichen Gruessen | Best regards
>
>
> Clemens Bastian | Technical Development & Integrations
>
> ORGAPLAN business solutions GmbH
>
>
> clemens.bastian@orgaplan.org
> T (Global) +49 | 511 | 999 71 0 73
>
>
> Office UK: HG4 Ripon (Harrogate, Northern Yorkshire)
>
> Office DE: 30926 Seelze / Velber (Hannover)
>
> Office DE: 06618 Naumburg (Saale)
>
>
> Firmensitz (nur: Verwaltung)
>
> bisher: Hanomaghof 2 | 30449 Hannover
>
> seit 15. Juni 2021: Gustav-Bratke-Str. 71 | DE - 30629 Hannover
>
> www.orgaplan.org
>
>
> ORGAPLAN business solutions entwickelt funktionsstarke Software für
> die kaufmännische und betriebliche Organisation und Information.
>
>
>
> Seit über 30 Jahren vertrauen namhafte Unternehmen im technischen
> Großhandel, der Fertigungs- und Lebensmittelindustrie sowie dem
> Sondermaschinenbau unseren Softwarelösungen.
>
>
>
>
> Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss...
>
>
>
> Am Fr., 2. Juli 2021 um 11:30 Uhr schrieb Ted Hardie <ted.ietf@gmail.com>:
> >
> > Hi Bastian,
> >
> > Thanks for your message.  I've read the updated document, and I have a
> few comments, but I believe I understand more fully your intent than with
> the initial version.  Thanks for the update.
> >
> > In the text on data within values, you say:
> >
> > The characters allowed in a value are either reserved or unreserved (or
> a percent character as part of a percent-encoding, see RFC3986 "Uniform
> Resource Identifier (URI): Generic Syntax" Section 2.1). Reserved
> characters are those characters that sometimes have special meaning, while
> unreserved characters have no such meaning. Using percent-encoding,
> characters which otherwise would not be allowed are represented using
> allowed characters
> >
> > If I understand you correctly, your intent could also be expressed by
> saying that "value" permits the unreserved and pct-encoded  productions
> from RFC 3986 (see the Appendix for the collected ABNF).  If you also
> wanted to permit the sub-delims, ":" , and "@", you could simply reuse the
> pchar production, which seems fairly close to your intent.  Since those are
> part of the base spec, either approach would be well understood by
> implementers.
> >
> > On the question of security considerations, BCP35 requires either a
> security consideration section or a statement of why one cannot be made
> available:
> >
> >       The scheme definition SHOULD include clear security considerations
> >       (Section 3.7) or explain why a full security analysis is not
> >       available (e.g., in a third-party scheme registration).
> >
> > I'd suggest updating the template to note that the system of which this
> is a part is a work in progress and that a full security consideration is
> thus not yet available, but that the scheme inherits the general security
> considerations of RFC 3986 and that sensitive data SHOULD NOT be used in
> key value pairs in forms accessible to observers.  That would seem to cover
> the threats you're already aware of, and you can update the security
> considerations as the threat model becomes clearer.
> >
> > best regards,
> >
> > Ted Hardie
> >
> > On Thu, Jul 1, 2021 at 5:44 PM C. Bastian | ORGAPLAN <
> clemens.bastian@orgaplan.org> wrote:
> >>
> >> Hello Ted,
> >>
> >> first of all: Let me thank you for the precious feedback and all the
> >> effort going through my draft.
> >>
> >> You're absolutely right in terms of the extensible <command> section.
> >> To be honest, and as the title indicates, this is a draft and changes
> >> can still be made. The scheme design is WiP and your feedback is
> >> appreciated. Now there are some more obligations and recommendations
> >> regarding the <command>:
> >>     * MUST start with a letter (a-z)
> >>     * MUST end with a letter (a-z) or a number (0-9)
> >>     * MUST have a minimum length of 3 characters and a maximum length
> >> of 200 characters
> >>     * SHOULD HAVE at least 3 alphanumeric characters between two
> >> special characters (`.`,`+`,`-`)
> >>
> >>
> >> The section about encoding of the key=value pairs has been updated as
> >> well to make it clearer (hopefully):
> >>     All `key=value` pairs MUST use the UTF-8
> >> ([RFC3629](https://datatracker.ietf.org/doc/html/rfc3629)) character
> >> set. `key` and `value` MUST be separated by an equal sign (`=`).
> >>
> >>     Naming of `key` has following obligations:
> >>     * MUST start with a letter (a-z)
> >>     * MUST have a minimum length of 1 character and a maximum length
> >> of 200 characters
> >>     * MUST consist of alphanumeric characters (a-zA-Z0-9) (lowercase
> >> alphabet a-z, uppercase alphabet A-Z, numbers 0-9)
> >>     * SHOULD be written in _camelCase_ annotation
> >>
> >>     Data within `value` has following obligations:
> >>     The characters allowed in a `value` are either reserved or
> >> unreserved (or a percent character as part of a percent-encoding
> >>     [RFC3986 "Uniform Resource Identifier (URI): Generic Syntax"
> >> Section 2.1](https://datatracker.ietf.org/doc/html/rfc3986#section-2.1)
> ).
> >>     Reserved characters are those characters that sometimes have
> >> special meaning, while unreserved characters have no such meaning.
> >>     Using percent-encoding, characters which otherwise would not be
> >> allowed are represented using allowed characters.
> >>
> >>     The unreserved characters can be encoded, but SHOULD NOT be
> >> encoded. The reserved characters MUST be encoded using
> >> percent-encoding.
> >>     List of reserved characters: `!*'();:@&=+$,/?%#[] ` (last
> >> character is a whitespace).
> >>
> >>
> >> We also updated the interoperability considerations as follows (thanks
> >> for the hint):
> >>     Currently the only one known context of use is within the software
> >> application stack and it's ecosystem provided by ORGAPLAN business
> >> solutions. Uses outside of context should be handled with care.
> >>
> >> Last but not least we updated the security considerations. Since this
> >> is a provisional registration and the uri is still WiP we do not have
> >> a well qualified security consideration yet. Is this required for a
> >> provisional registration?
> >>
> >> Thanks again for your time Ted, the updated specification is available
> >> at https://api.orgaplan.org/articles/uri-dvx-scheme-specification.html
> >>
> >> Looking forward hearing your thoughts and possible improvements!
> >>
> >>
> >>
> >> Am Do., 1. Juli 2021 um 14:24 Uhr schrieb Ted Hardie <
> ted.ietf@gmail.com>:
> >> >
> >> > Hi Clemens,
> >> >
> >> > Thanks for your note.  There appears to be no collision with an
> existing registered scheme, so that's good news.  In going through the
> syntax, I did have some questions, if you don't mind.
> >> >
> >> > My reading is that there are two current commands, open and close,
> but that you intend for the syntax to be extensible.  The permitted
> characters for new commands are a-z0-9.+-, and there is no restriction on
> their ordering.  That would mean 99open, +-7a, even + as a bare operator
> would be valid; is that your intent, or did you also want to have minimum
> lengths and require certain patterns?
> >> >
> >> > For "the interoperability considerations", you might simply mention
> that there is currently only one known context of use (the ORGAPLAN
> context, listed below), and that uses of this outside that context may or
> may not conform.
> >> >
> >> > For security considerations, I could not quite parse what you meant:
> >> >
> >> > For security reasons it's prohibited to include sensitive or private
> information in the uri. This applies in particular to the key=value pairs.
> The restrictions on a requested resource or command need to be checked by
> the application which evaluates the uri
> >> >
> >> > For example, are you indicating that the URI might be carried in a
> plain text protocol, and thus be observable to an attacker with access to
> the path?  If that's the threat model, it would appear  the application
> that evaluates the URI (on receipt), might be acting too late to prevent
> observation.   In general you might want to reference rFC 3552 for text on
> how security considerations text is constructed.
> >> >
> >> > Thanks again for sending this note,
> >> >
> >> > regards,
> >> >
> >> > Ted Hardie
> >> >
> >> >
> >> > Your document says "The encoding of the key=value pairs follow the
> rules defined in RFC3986 "Uniform Resource Identifier (URI): Generic
> Syntax" Section 2" .  It's not entirely clear to me which part of that
> section you wish to draw the reader's attention to.  Is it possible you
> meant section 3.4, which describes path elements and mentions key value
> pairs?
> >> >
> >> >
> >> >
> >> >
> >> > On Thu, Jul 1, 2021 at 5:54 AM C. Bastian | ORGAPLAN <
> clemens.bastian@orgaplan.org> wrote:
> >> >>
> >> >> Hello! I hope you can provide me some feedback on this draft for a
> >> >> provisional registration of the scheme 'dvx'.
> >> >> Here's my current draft, any feedback and hints are appreciated. Best
> >> >> greetings Clemens
> >> >>
> >> >> Scheme name:
> >> >>       dvx
> >> >>
> >> >> Status:
> >> >>      Provisional
> >> >>
> >> >> Applications/protocols that use this scheme name:
> >> >>      The ERP software solution named "DVX" by ORGAPLAN business
> >> >> solutions (www.orgaplan.org)
> >> >>
> >> >> Contact:
> >> >>      Registration applicant: Clemens Bastian <
> clemens.bastian@orgaplan.org>
> >> >>      Scheme creator: ORGAPLAN business solutions GmbH <
> info@orgaplan.org>
> >> >>
> >> >> Change controller:
> >> >>      Someone who is verified to represent ORGAPLAN business solutions
> >> >> GmbH (see 'Contact')
> >> >>
> >> >> References:
> >> >>      Specification:
> >> >> https://api.orgaplan.org/articles/uri-dvx-scheme-specification.html
> >> >>
> >> >> _______________________________________________
> >> >> Uri-review mailing list
> >> >> Uri-review@ietf.org
> >> >> https://www.ietf.org/mailman/listinfo/uri-review
>

v2.23.0 | Report a Bug | By Email