IETF Logo Mail Archive

comments on draft-giralt-schac-ns-00

Alfred Hönes <ah@tr-sys.de> Tue, 31 March 2009 22:08 UTC

Return-Path: <A.Hoenes@tr-sys.de>
X-Original-To: urn-nid@core3.amsl.com
Delivered-To: urn-nid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1F79D3A6997 for <urn-nid@core3.amsl.com>; Tue, 31 Mar 2009 15:08:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.938
X-Spam-Level: **
X-Spam-Status: No, score=2.938 tagged_above=-999 required=5 tests=[AWL=-0.613, BAYES_00=-2.599, CHARSET_FARAWAY_HEADER=3.2, HELO_EQ_DE=0.35, MANGLED_LIST=2.3, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZSjKMdbp1yBq for <urn-nid@core3.amsl.com>; Tue, 31 Mar 2009 15:08:39 -0700 (PDT)
Received: from WOTAN.TR-Sys.de (gateway.tr-sys.de [213.178.172.147]) by core3.amsl.com (Postfix) with ESMTP id 2B0CE3A6AC5 for <urn-nid@ietf.org>; Tue, 31 Mar 2009 15:08:37 -0700 (PDT)
Received: from ZEUS.TR-Sys.de by w. with ESMTP ($Revision: 1.37.109.26 $/16.3) id AA101507250; Wed, 1 Apr 2009 00:07:30 +0200
Received: (from ah@localhost) by z.TR-Sys.de (8.9.3 (PHNE_25183)/8.7.3) id AAA21466; Wed, 1 Apr 2009 00:07:28 +0200 (MESZ)
From: Alfred Hönes <ah@tr-sys.de>
Message-Id: <200903312207.AAA21466@TR-Sys.de>
Subject: comments on draft-giralt-schac-ns-00
To: victoriano@uma.es, rodney.mcduff@uq.edu.au
Date: Wed, 01 Apr 2009 00:07:27 +0200
X-Mailer: ELM [$Revision: 1.17.214.3 $]
Mime-Version: 1.0
Content-Type: text/plain; charset="hp-roman8"
Content-Transfer-Encoding: 8bit
Cc: urn-nid@ietf.org
X-BeenThere: urn-nid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: discussion of new namespace identifiers for URNs <urn-nid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/urn-nid>, <mailto:urn-nid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/urn-nid>
List-Post: <mailto:urn-nid@ietf.org>
List-Help: <mailto:urn-nid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/urn-nid>, <mailto:urn-nid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Mar 2009 22:08:41 -0000

Hello,
after studying the Internet-Draft authored by you,
            draft-giralt-schac-ns-00,
I'd like to submit a few comments.

After discussing the more significant issues I found in (A), the
editorials in section (B) below are presented in textual order.

I use change bars ('|' in column 1) and occasionally
up/down pointing marker lines ('^^^'/'vvv') to emphasize
the location of textual issues and/or proposed corrections.


(A)  Major issues

(A.1)  target resources ?

I did not understand from the draft text what kind of resources
shall be assigned 'schac' URNs.  That needs to be much more explicit.
Are that the abstract entities like schemas, object classes,
attributes, or the like,
or instances of persons, organizations, physical entities ?

The applicable security considerations will -- to a large extent --
depend on the kind and (e.g. legal, material) value of the resources.

One particularly critical and ambiguous phrase is
"a common way for expressing personal data" (in Section 1, 1st para)


(A.2)  Section 2, 'Syntactic structure' clause -- ABNF issue

The draft defines the syntax as:

            SCHAC-NSS    =   1*(subStChar) 0*(":" 1*(subStChar))

|           subStChar       =   trans / "%" HEXDIG HEXDIG

            trans                =   ALPHA / DIGIT / other / reserved

            other                =   "(" / ")" / "+" / "," / "-" / "." /
                                         "=" / "@" / ";" / "$" /
                                         "_" / "!" / "*" / "'"

|           reserved           =   "%" / "/" / "?" / "#"

[ BTW: columnar alignment of the rules would enhance the readability! ]

For <subStChar>,  "%" plays the role of a Reserved character used to
introduce the hex encoded 'escape sequences'.
But <trans> allows <reserved>, which in turn admits "%".

Thus way, the syntax is highly ambiguous.

I would reasonably expect the requirement to escape a literal "%"
as "%25", and to not admit "%" in <reserved>.

Thus, I suggest to use the following revised ABNF:

            SCHAC-NSS    =   1*(subStChar) 0*(":" 1*(subStChar))

|           subStChar    =   trans / "%" HEXDIG HEXDIG

|           trans        =   ALPHA / DIGIT / other / reserved

|           other        =   "(" / ")" / "+" / "," / "-" / "." / "="
|                          / "@" / ";" / "$" / "_" / "!" / "*" / "'"

|           reserved     =   "/" / "?" / "#"




(A.3)  Section 2, 'Identifier resolution' clause, last para

The draft says:

      All registries MUST publish their URNs over an HTTPS link that
|     presents a server certificate by a recognized CA, that does not
|     produce an alert in the user's browser.

What is a "recognized CA" ?   Don't touch a hornets nest!

The requirement in the last phrase is in direct conflict to freedom
in site/system local security policy.  This registration cannot
enforce *any* CA certificate to be installed as 'silent' trust
anchors, or some EE certificates to be accepted, by *all* browsers
without user intervention; e.g. the secutity aware user might
want to personally inspect all certificates.

A reasonable requirement I could envision instead would be for
TERENA to publish a list of qualified CA's and deemed as 'recognized'
for the purpose of 'schac' URN resolution and the "security grade"
required for the web server EE certificates, or for TERENA to maintain
a public trust anchor repository that guarantee these properties.


(A.4)  Section 6 -- IANA Considerations

The draft says:

|  This document makes no request of IANA.
|
|  Note to RFC Editor: this section may be removed on publication as an
|  RFC.

Ooops!
Isn't the main purpose of the draft to register an URN NID ??

For simplicity, please think of IANA as a clerical robot reading the
instructions in the IANA Considerations section and performing the
tasks described there during the RFC publication process.
The purpose of this section is to give IANA a starting point for
operating on a draft, whithout having to read the whoel document
(cf. RFC 5226).

Please replace the above nonsensical text by a concise clause,
for instance:

|  In accordance wuth BCP 66 [11], IANA is asked to register the Formal
|  URN Namespace 'schac' in the Registry of URN Namespaces, using the
|  registration template presented in Section 2 of this document.



(B)  editorial linear walk-through

(B.1)  Section 1.1, 1st para

In the last line, please correct:

|  input from all participants national person schemas.[3]
---                           v                        v   v
|  input from all participants' national person schemas [3].


(B.2)  Section 2, 'Identifier assignment' clause, 1st para

The text talks about "entities of global international or
European interest" and "multi-country organizations".

What is an "organizational Internet DNS name" for these (last line) ??

  -  any domain name immediately below .INT , or
  -  any domain name subordinated to   .INT , or
  -  any domain name immediately below .EU , or
  -  any domain name subordinated to   .EU , or
  -  any domain name immediately below .ASIA , or
  -  any domain name subordinated to   .ASIA , or
  -  any domain name immediately below .ORG , or
  -  any domain name subordinated to   .ORG , or
  -  some selection, or
  -  any of the above, or
  -  ??

Note: 9 lines down, "terena.org" appears in an example.

Please be much more precise.

BTW: With regard to the expansion of "DNS": Domain Name System,
     please avoid the troublesome self-replicating term "DNS name"
     in favor of "Domain Name" or more precisely:
     "FQDN" (Fully Qualified Domain Name).

(B.3)  Section 2, 'Identifier assignment' clause, 2nd para

s/such as any string can convey/such that any string can convey/   ?
       ^^                            ^^^^


(B.4)  Section 2, 'Identifier assignment' clause, 4th para

o    s/this namespaces/these namespaces/
         ^^              ^^^

o    s/the requestors [...] domain/the requestor's [...] domain/


(B.5)  Section 2, 'Validation mechanism' clause

Please insert the missing trailing full-stop (period) at the end
of the first sentence, in front of "Presence".


(B.6)  Section 4, last para

s/This values/These values/
    ^^          ^^^

(B.7)  Section 7

The updated IANA Considerations -- see (A.4) above -- make normative
use of RFC 3406.  Therefore, ref. entry [11] in Section 7.2 needs
to be promoted to Normative and hence moved into Section 7.1.


Best regards,
  Alfred Hönes.

-- 

+------------------------+--------------------------------------------+
| TR-Sys Alfred Hoenes   |  Alfred Hoenes   Dipl.-Math., Dipl.-Phys.  |
| Gerlinger Strasse 12   |  Phone: (+49)7156/9635-0, Fax: -18         |
| D-71254  Ditzingen     |  E-Mail:  ah@TR-Sys.de                     |
+------------------------+--------------------------------------------+

v2.23.0 | Report a Bug | By Email