IETF Logo Mail Archive

[urn] Re: Registration for `c2pa` URN

worley@ariadne.com Thu, 01 August 2024 18:23 UTC

Return-Path: <worley@alum.mit.edu>
X-Original-To: urn@ietfa.amsl.com
Delivered-To: urn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F913C14F6AB for <urn@ietfa.amsl.com>; Thu, 1 Aug 2024 11:23:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.989
X-Spam-Level:
X-Spam-Status: No, score=-0.989 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.665, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=comcastmailservice.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dJDv0DkX3HPJ for <urn@ietfa.amsl.com>; Thu, 1 Aug 2024 11:22:57 -0700 (PDT)
Received: from resqmta-a2p-640029.sys.comcast.net (resqmta-a2p-640029.sys.comcast.net [96.103.146.59]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0EBFDC14F6B7 for <urn@ietf.org>; Thu, 1 Aug 2024 11:22:56 -0700 (PDT)
Received: from resomta-a2p-646770.sys.comcast.net ([96.103.145.230]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 256/256 bits) (Client did not present a certificate) by resqmta-a2p-640029.sys.comcast.net with ESMTPS id ZVbWsGdB7ovMQZaQ3siSfm; Thu, 01 Aug 2024 18:20:55 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcastmailservice.net; s=20211018a; t=1722536455; bh=DfimcydGBFylUwjWcdKZ0k4TLb57K0qG47yn4hVoBC4=; h=Received:Received:Received:Received:From:To:Subject:Date: Message-ID:Xfinity-Spam-Result; b=Ma30Juga9zf/mdb4ACiriIjuY58X1vjrkHuJy8eQtOS61wf9ZK++UZi5sEWRSuf4M qyBp3mW17Etjkc5qhHG0ctTBlY5wfkfa75mAvisxSSgkbZJmf9DGw9MkZhfepC64ft I1K59hVVQCuMndR1NA7JN8AVLvoGWFUkcim7TnAXHBCZcfiEQI1d7I5RFT31mlCnOA 2ugGLJTw0WngwDf6L2xRu/Zg4RQeNu60mlD+kvb/h8/kkujHucLhtTrFg/gdt3wVdJ Vd+exK94HGZShKsgQSHQdvEz48ByiVBfUnpjeQC7xGFxMLJtf8Z90BYKHg65wKxIV4 3nwMQE/7YnnJQ==
Received: from hobgoblin.ariadne.com ([IPv6:2601:192:4a00:430::9a8a]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 256/256 bits) (Client did not present a certificate) by resomta-a2p-646770.sys.comcast.net with ESMTPSA id ZaPhs3fVmvtH6ZaPiskX4t; Thu, 01 Aug 2024 18:20:34 +0000
Received: from hobgoblin.ariadne.com (localhost [127.0.0.1]) by hobgoblin.ariadne.com (8.16.1/8.16.1) with ESMTPS id 471IKXG3826780 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT); Thu, 1 Aug 2024 14:20:33 -0400
Received: (from worley@localhost) by hobgoblin.ariadne.com (8.16.1/8.16.1/Submit) id 471IKXvW826777; Thu, 1 Aug 2024 14:20:33 -0400
X-Authentication-Warning: hobgoblin.ariadne.com: worley set sender to worley@alum.mit.edu using -f
From: worley@ariadne.com
To: Leonard Rosenthol <lrosenth=40adobe.com@dmarc.ietf.org>
In-Reply-To: <DM8PR02MB8181343606D747A3E984B8DECDB02@DM8PR02MB8181.namprd02.prod.outlook.com> (lrosenth=40adobe.com@dmarc.ietf.org)
Sender: worley@ariadne.com
Date: Thu, 01 Aug 2024 14:20:33 -0400
Message-ID: <87ttg4ayvi.fsf@hobgoblin.ariadne.com>
X-CMAE-Envelope: MS4xfFLZHPBFKnuOj/ayof5llslH7yiRDEIgdjfFnW4BZAtq7Xote6LMPRDiW7dpOcWNy6ZwMzmoidx7I9JGsW43pC0fyuscpoFjhQnXYRrWAXZ4qeY+F/Z4 88A3LfcGFF31LpxhKhX2xkXc/9SgMGVzAjyrkuPOgBcUgsMtpc5j0co3RClpNC9MBmwcZDleuDWRugIJo98XzY+aip9WqMKnkeAbWxFEMMFDrGmt1AyllwIv +QlESEQ9ft9wrRS2FCIL8fh0/PdwG5wMQkNvWOkKDBI=
Message-ID-Hash: AKLUI723OFZAKOXVWMFDAQTPTDM2LOZ2
X-Message-ID-Hash: AKLUI723OFZAKOXVWMFDAQTPTDM2LOZ2
X-MailFrom: worley@alum.mit.edu
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-urn.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: urn@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [urn] Re: Registration for `c2pa` URN
List-Id: Revisions to URN RFCs <urn.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/urn/Oz3eXQEIltmwnWu3WkrhBPTzSpQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/urn>
List-Help: <mailto:urn-request@ietf.org?subject=help>
List-Owner: <mailto:urn-owner@ietf.org>
List-Post: <mailto:urn@ietf.org>
List-Subscribe: <mailto:urn-join@ietf.org>
List-Unsubscribe: <mailto:urn-leave@ietf.org>

The overall concept looks fine.  I have the following comments.

> Namespace Identifier:  c2pa
> 
> Version:  1
> 
> Date:  2024-07-30
> 
> Registrant:
> Leonard Rosenthol, on behalf of C2PA (Coalition for Content Provenance
> and Authenticity)
> lrosenth@adobe.com<mailto:lrosenth@adobe.com>, 1-215-808-4978

As Peter says, the contact identification should be chosen to be stable
as long as possible.

> Purpose:
> 
> Each C2PA Manifest (aka Content Credential) created to incorporate
> provenance information about a given asset is given a unique
> identifier which has historically been an incorrectly formatted UUID
> URN.  This proposal, in conjunction with an updated specification,
> will define a new `c2pa` URN syntax for this purpose.

Change "URN syntax" to "URN namespace".

> The `c2pa` URN will consist of a UUID URN (as per RFC 9562) with

You probably want to add "the namespace changed to 'c2pa', with" here.

> additional information, specific to C2PA added.  These URNs are
> non-resolvable, simply serving as unique identifiers. In this way, the
> ability to unambiguously compare them is of significant importance.

Though it seems from the 3rd and 4th fields, the URNs aren't *just*
unique identifiers, the identifier is tagged with some semantic
information.  So you might want to expand on that here.

> Syntax:
> 
> A `c2pa` URN shall consist of two mandatory and two optional
> components, in the following order, with `:`'s between each section.
> 
>                 - URN identifier (`urn:c2pa`): REQUIRED
>                 - UUID v4, in string representation (as per RFC 9562, section 4): REQUIRED
>                 - Claim Generator identifier string : OPTIONAL
>                 - Version and Reason string (as described below) : OPTIONAL

You really ought to provide ABNF here.  E.g., this text says that the
3rd and 4th parts are both optional, but it's not clear, if only one of
them is present in a URN, which one is present.  It appears from the
examples that if the 4th part is present, then the 3rd (or at least the
colon that starts it) must be.  What you're looking for is something
like:

c2pa_urn = "urn:c2pa:"
           UUID         ; from RFC 4122
           [ ":" [ claim_generator ]
             [ ":" version_reason ] ]

Of course, we need some idea what the syntax of "claim_generator" is.
At least it must not contain a colon!

> When present, the "Version and Reason" string shall consist of a `v`
> followed by a monotonically increasing integer, starting with 1,
> followed by an underscore (`_`) and then an integer representing the
> reason for the re-labeling.

version_reason = version "_" reason
version        = "v" %31-39 *%30-39    ; "v" and a positive decimal integer (see RFC 2234)

But it's not clear what the syntax or semantics of "reason" is.

> EXAMPLES:
> 
>                 - `urn:c2pa:F9168C5E-CEB2-4FAA-B6BF-329BF39FA1E4`
>                 - `urn:c2pa:F9168C5E-CEB2-4FAA-B6BF-329BF39FA1E4:acme`
>                 - `urn:c2pa:F9168C5E-CEB2-4FAA-B6BF-329BF39FA1E4:acme:v2_1`

It's always good to have examples!

> Assignment:
> 
> URNs conforming to this scheme are self-assigned, based on the
> creation of the UUID (as per RFC 9562) and the optional inclusion of
> the Claim Generator identifier string and Version and Reason.

It would be helpful to have some description of the syntax and semantics
of the claim_generator and reason fields.  If the C2PA web specification
has a concise description, a link to that would be sufficient.

> Security and Privacy:
> 
> No known security or privacy issues exist.

As Peter says, not only does
https://c2pa.org/specifications/specifications/2.0/specs/C2PA_Specification.html#_information_security
give extensive security discussion (which might just be pointed to here)
but its existence shows that there *are* known security issues,
contradicting this text.

> Interoperability:
> 
> A standard UUID URN can be "losslessly upgraded" to a `c2pa` UUID, if
> there were to exist a workflow that required doing so.  Beyond that,
> no known concerns or requirements around interoperability exist.
> 
> Resolution:  N/A

You might want to move the sentences "These URNs are non-resolvable ..."
to this section.

> Documentation:  https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html
> 
> NOTE: Version 2.1 is not yet published but will contain this documentation when published

How shall we handle this?  It's not proper to register a URN namespace
if its references do not exist.  Is there an earlier version of the
specification which is "good enough" to link to as documentation?

Of course, when new version(s) of the C2PA spec are published, it's easy
enough to register a new version of the URN to update the documentation
pointer.

> Additional Information:  NONE
> 
> Revision Information:  N/A

Dale

v2.31.3 | Report a Bug | By Email | System Status