[urn] Re: Registration for `c2pa` URN

Peter Saint-Andre <stpeter@stpeter.im> Thu, 01 August 2024 19:19 UTC

To: Leonard Rosenthol <lrosenth=40adobe.com@dmarc.ietf.org>, "Dale R. Worley" <worley@ariadne.com>
CC: "urn@ietf.org" <urn@ietf.org>
List-Id: Revisions to URN RFCs <urn.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/urn/FwVwrKHkKFfvnRsJm_dSLyPZQbo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/urn>

Hi Leonard, thanks for the quick turnaround.

To simplify the ABNF, you could re-use some of the rules from RFC 3986 
or RFC 5234 rather than (apparently) redefining them here.

Other than that, it looks good to me.

Peter

On 8/1/24 12:58 PM, Leonard Rosenthol wrote:
> Here is the revised registration proposal.   The links to 2.1 will be 
> live tomorrow (2-Aug-2024).
> 
> Leonard
> 
> Namespace Identifier:  c2pa
> 
> Version:  1
> 
> Date:  2024-07-30
> 
> Registrant:
> 
> Leonard Rosenthol, on behalf of C2PA (Coalition for Content Provenance 
> and Authenticity)
> 
> info@c2pa.org, 1-215-808-4978
> 
> Purpose:
> 
> Each C2PA Manifest (aka Content Credential) created to incorporate 
> provenance information about a given asset is given a unique identifier 
> which has historically been an incorrectly formatted UUID URN.  This 
> proposal, in conjunction with an updated specification, will define a 
> new `c2pa` URN namespace for this purpose.
> 
> The `c2pa` URN will consist of a UUID URN (as per RFC 9562), with the 
> namespace changed to 'c2pa' and additional information that is specific 
> to C2PA added.  These URNs are non-resolvable, serving as unique 
> identifiers. In this way, the ability to unambiguously compare them is 
> of significant importance.
> 
> Syntax:
> 
> A `c2pa` URN shall consist of two mandatory and two optional components, 
> in the following order, with `:`'s between each section.
> 
>     - URN identifier (`urn:c2pa`): REQUIRED
>     - UUID v4, in string representation (as per RFC 9562, section 4): REQUIRED
>     - Claim Generator identifier string : OPTIONAL
>     - Version and Reason string : OPTIONAL
> 
> When present, the "Claim Generator identifier" string shall consist of 
> no more than 32 characters from the ASCII range (as per RFC 20), but 
> which are not Control Characters (RFC 20, 5.2), Graphic Characters (RFC 
> 20, 5.3), the `:` or the `_`.
> 
> When present, the "Version and Reason" string shall consist of a `v` 
> followed by a monotonically increasing integer, starting with 1, 
> followed by an underscore (`_`) and then an integer representing the 
> reason for the re-labeling.
> 
> An ABNF for a `c2pa` URN looks like:
> 
>     c2pa_urn = c2pa-namespace UUID [":" claim-generator] [":" version-reason]
>
>     c2pa-namespace = "urn:c2pa:"
>
>     ; this definition is taken from RFC 9562
>     UUID     = 4hexOctet "-"
>                2hexOctet "-"
>                2hexOctet "-"
>                2hexOctet "-"
>                6hexOctet
>     hexOctet = HEXDIG HEXDIG
>     DIGIT    = %x30-39
>     HEXDIG   = DIGIT / "A" / "B" / "C" / "D" / "E" / "F"
>
>     ; ASCII, but not Control Characters, Graphic Characters, `:` or `_`
>     visible-char-except-space-colon-underscore = %x21-2B / %x2D-3A / %x3C-7E / %x80-FF
>
>     ; claim-generator-identifier is a string of
>     ;               1 to 32 visible-char-except-space-colon-underscore
>     claim-generator = ":" claim-generator-identifier
>     claim-generator-identifier = 1*32visible-char-except-space-colon-underscore
>
>     ; version-reason is a string consisting of a "v" followed by
>     ;               a positive integer, an underscore and a second positive integer
>     version-reason = ":v" version "_" reason
>     version = 1*DIGIT
>     reason = 1*DIGIT
> 
> EXAMPLES:
> 
>     - `urn:c2pa:F9168C5E-CEB2-4FAA-B6BF-329BF39FA1E4`
>     - `urn:c2pa:F9168C5E-CEB2-4FAA-B6BF-329BF39FA1E4:acme`
>     - `urn:c2pa:F9168C5E-CEB2-4FAA-B6BF-329BF39FA1E4:acme:v2_1`
>     - `urn:c2pa:F9168C5E-CEB2-4FAA-B6BF-329BF39FA1E4:v2_1`
> 
> Assignment:
> 
> URNs conforming to this scheme are self-assigned, based on the creation 
> of the UUID (as per RFC 9562) and the optional inclusion of the Claim 
> Generator identifier string and Version and Reason. This process is 
> described at 
> https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#_unique_identifiers
> 
> Security and Privacy:
> 
> No known security or privacy issues exist for this specific URN, 
> however, the C2PA specification maintains a "Information Security" 
> section 
> (https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#_information_security)
> which documents any known threats and harms related to the core C2PA specification.
> 
> Interoperability:
> 
> A standard UUID URN can be "losslessly upgraded" to a `c2pa` UUID, if 
> there were to exist a workflow that required doing so.  Beyond that, no 
> known concerns or requirements around interoperability exist.
> 
> Resolution:
> 
> As mentioned earlier in this document, these URNs are non-resolvable, 
> serving as unique identifiers. In this way, the ability to unambiguously 
> compare them is of significant importance.
> 
> Documentation:
> 
> https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html
> 
> Additional Information:  NONE
> 
> Revision Information:  N/A
> 
> *From: *Dale R. Worley <worley@ariadne.com>
> *Date: *Thursday, August 1, 2024 at 2:23 PM
> *To: *Leonard Rosenthol <lrosenth@adobe.com>
> *Cc: *urn@ietf.org <urn@ietf.org>
> *Subject: *Re: [urn] Registration for `c2pa` URN
> 
> 
> The overall concept looks fine.  I have the following comments.
> 
>> Namespace Identifier:  c2pa
>>
>> Version:  1
>>
>> Date:  2024-07-30
>>
>> Registrant:
>> Leonard Rosenthol, on behalf of C2PA (Coalition for Content Provenance
>> and Authenticity)
>> lrosenth@adobe.com, 1-215-808-4978
> 
> As Peter says, the contact identification should be chosen to be stable
> as long as possible.
> 
>> Purpose:
>>
>> Each C2PA Manifest (aka Content Credential) created to incorporate
>> provenance information about a given asset is given a unique
>> identifier which has historically been an incorrectly formatted UUID
>> URN.  This proposal, in conjunction with an updated specification,
>> will define a new `c2pa` URN syntax for this purpose.
> 
> Change "URN syntax" to "URN namespace".
> 
>> The `c2pa` URN will consist of a UUID URN (as per RFC 9562) with
> 
> You probably want to add "the namespace changed to 'c2pa', with" here.
> 
>> additional information, specific to C2PA added.  These URNs are
>> non-resolvable, simply serving as unique identifiers. In this way, the
>> ability to unambiguously compare them is of significant importance.
> 
> Though it seems from the 3rd and 4th fields, the URNs aren't *just*
> unique identifiers, the identifier is tagged with some semantic
> information.  So you might want to expand on that here.
> 
>> Syntax:
>>
>> A `c2pa` URN shall consist of two mandatory and two optional
>> components, in the following order, with `:`'s between each section.
>>
>>                 - URN identifier (`urn:c2pa`): REQUIRED
>>                 - UUID v4, in string representation (as per RFC 9562, section 4): REQUIRED
>>                 - Claim Generator identifier string : OPTIONAL
>>                 - Version and Reason string (as described below) : OPTIONAL
> 
> You really ought to provide ABNF here.  E.g., this text says that the
> 3rd and 4th parts are both optional, but it's not clear, if only one of
> them is present in a URN, which one is present.  It appears from the
> examples that if the 4th part is present, then the 3rd (or at least the
> colon that starts it) must be.  What you're looking for is something
> like:
> 
> c2pa_urn = "urn:c2pa:"
>             UUID         ; from RFC 4122
>             [ ":" [ claim_generator ]
>               [ ":" version_reason ] ]
> 
> Of course, we need some idea what the syntax of "claim_generator" is.
> At least it must not contain a colon!
> 
>> When present, the "Version and Reason" string shall consist of a `v`
>> followed by a monotonically increasing integer, starting with 1,
>> followed by an underscore (`_`) and then an integer representing the
>> reason for the re-labeling.
> 
> version_reason = version "_" reason
> version        = "v" %31-39 *%30-39    ; "v" and a positive decimal integer (see RFC 2234)
> 
> But it's not clear what the syntax or semantics of "reason" is.
> 
>> EXAMPLES:
>>
>>                 - `urn:c2pa:F9168C5E-CEB2-4FAA-B6BF-329BF39FA1E4`
>>                 - `urn:c2pa:F9168C5E-CEB2-4FAA-B6BF-329BF39FA1E4:acme`
>>                 - `urn:c2pa:F9168C5E-CEB2-4FAA-B6BF-329BF39FA1E4:acme:v2_1`
> 
> It's always good to have examples!
> 
>> Assignment:
>>
>> URNs conforming to this scheme are self-assigned, based on the
>> creation of the UUID (as per RFC 9562) and the optional inclusion of
>> the Claim Generator identifier string and Version and Reason.
> 
> It would be helpful to have some description of the syntax and semantics
> of the claim_generator and reason fields.  If the C2PA web specification
> has a concise description, a link to that would be sufficient.
> 
>> Security and Privacy:
>>
>> No known security or privacy issues exist.
> 
> As Peter says, not only does
> https://c2pa.org/specifications/specifications/2.0/specs/C2PA_Specification.html#_information_security
> give extensive security discussion (which might just be pointed to here)
> but its existence shows that there *are* known security issues,
> contradicting this text.
> 
>> Interoperability:
>>
>> A standard UUID URN can be "losslessly upgraded" to a `c2pa` UUID, if
>> there were to exist a workflow that required doing so.  Beyond that,
>> no known concerns or requirements around interoperability exist.
>>
>> Resolution:  N/A
> 
> You might want to move the sentences "These URNs are non-resolvable ..."
> to this section.
> 
>> Documentation:  https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html
>>
>> NOTE: Version 2.1 is not yet published but will contain this documentation when published
> 
> How shall we handle this?  It's not proper to register a URN namespace
> if its references do not exist.  Is there an earlier version of the
> specification which is "good enough" to link to as documentation?
> 
> Of course, when new version(s) of the C2PA spec are published, it's easy
> enough to register a new version of the URN to update the documentation
> pointer.
> 
>> Additional Information:  NONE
>>
>> Revision Information:  N/A
> 
> Dale
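
A validator for the syntax in the quoted registration, added here as an example and not code from the thread or from C2PA. It follows the rule names and prose (generator: 1 to 32 visible ASCII characters other than `:` and `_`) rather than the hex ranges as written, which admit `:` (%x3A) and `_` (%x5F) and leave out `,` and `;`; `parse_c2pa_urn`, `C2paUrn` and `admitted_by_written_ranges` are hypothetical names. Assumptions: non-ASCII is rejected, the UUID is lower-cased for comparison, and a version below 1 is rejected.

```python
import re
from typing import NamedTuple, Optional

# UUID v4 string form (RFC 9562): version nibble 4, variant bits 10xx.
UUID_V4 = (r"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}"
           r"-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}")
# Assumption: visible ASCII 0x21-0x7E minus ':' (0x3A) and '_' (0x5F), 1 to 32 chars.
GENERATOR = r"[\x21-\x39\x3B-\x5E\x60-\x7E]{1,32}"
VERSION_REASON = r"v([0-9]+)_([0-9]+)"

# "urn" and the namespace identifier compare case-insensitively (RFC 8141).
URN_RE = re.compile(
    rf"(?i:urn:c2pa):({UUID_V4})(?::({GENERATOR}))?(?::{VERSION_REASON})?"
)

# Ranges exactly as written in the proposal's generator character rule.
WRITTEN_RANGES = [(0x21, 0x2B), (0x2D, 0x3A), (0x3C, 0x7E), (0x80, 0xFF)]


class C2paUrn(NamedTuple):
    uuid: str                  # lower-cased so equal UUIDs compare equal (assumption)
    generator: Optional[str]
    version: Optional[int]
    reason: Optional[int]


def parse_c2pa_urn(text: str) -> Optional[C2paUrn]:
    """Return the parsed components, or None if the string is not a valid c2pa URN."""
    m = URN_RE.fullmatch(text)
    if m is None:
        return None
    uuid, generator, version, reason = m.groups()
    # The prose says the version integer starts at 1.
    if version is not None and int(version) < 1:
        return None
    return C2paUrn(
        uuid.lower(),
        generator,
        int(version) if version is not None else None,
        int(reason) if reason is not None else None,
    )


def admitted_by_written_ranges(ch: str) -> bool:
    """True if the hex ranges as written in the ABNF accept this character."""
    return any(lo <= ord(ch) <= hi for lo, hi in WRITTEN_RANGES)
```

Because `_` is excluded from the generator, `urn:c2pa:<uuid>:v2_1` can only parse as a version-and-reason field; under the ranges as written the same string would also be a valid generator, so two implementations could split the identifier differently.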