IETF Logo Mail Archive

Re: [urn] corporate URN namespaces

John C Klensin <john-ietf@jck.com> Sat, 03 February 2024 01:15 UTC

Return-Path: <john-ietf@jck.com>
X-Original-To: urn@ietfa.amsl.com
Delivered-To: urn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D00CFC14F697 for <urn@ietfa.amsl.com>; Fri, 2 Feb 2024 17:15:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.909
X-Spam-Level:
X-Spam-Status: No, score=-6.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hjr1EYSmxHOv for <urn@ietfa.amsl.com>; Fri, 2 Feb 2024 17:15:40 -0800 (PST)
Received: from bsa2.jck.com (ns.jck.com [70.88.254.51]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1E32C14F68C for <urn@ietf.org>; Fri, 2 Feb 2024 17:15:40 -0800 (PST)
Received: from [198.252.137.10] (helo=PSB) by bsa2.jck.com with esmtp (Exim 4.82 (FreeBSD)) (envelope-from <john-ietf@jck.com>) id 1rW4d8-000J4d-Pe; Fri, 02 Feb 2024 20:15:38 -0500
Date: Fri, 02 Feb 2024 20:15:31 -0500
From: John C Klensin <john-ietf@jck.com>
To: Peter Saint-Andre <stpeter@stpeter.im>, urn@ietf.org
Message-ID: <DE626E0D07A85AA8759E4B05@PSB>
In-Reply-To: <71308ab2-e1fd-4f39-80f1-d8dbb248260e@stpeter.im>
References: <6c0de4ca-dbc0-401d-b1df-34147ec9829b@stpeter.im> <0C274E40D3F576FC46A1D705@PSB> <7e4bec70-deb1-45e6-b432-c45ad365cdbb@stpeter.im> <9E698B7ECB692C39EE9ED28A@PSB> <71308ab2-e1fd-4f39-80f1-d8dbb248260e@stpeter.im>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-SA-Exim-Connect-IP: 198.252.137.10
X-SA-Exim-Mail-From: john-ietf@jck.com
X-SA-Exim-Scanned: No (on bsa2.jck.com); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/urn/QKUa2l1dVzglE90bds49VLRunDM>
Subject: Re: [urn] corporate URN namespaces
X-BeenThere: urn@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Revisions to URN RFCs <urn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/urn>, <mailto:urn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/urn/>
List-Post: <mailto:urn@ietf.org>
List-Help: <mailto:urn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/urn>, <mailto:urn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Feb 2024 01:15:41 -0000

(Barry, see inline)

--On Friday, February 2, 2024 16:49 -0700 Peter Saint-Andre
<stpeter@stpeter.im> wrote:

> I agree with 90% of your 10%. The remaining 1% inline.
> 
> On 2/1/24 6:22 AM, John C Klensin wrote:
>> Peter,
>> 
>> I agree with 90% of what you say.  Other 10% inline below.
>> 
>> --On Wednesday, January 31, 2024 11:53 -0700 Peter Saint-Andre
>> <stpeter@stpeter.im> wrote:
>> 
>>> Hi John, thanks for sharing your perspective. Comments
>>> inline.
>>> 
>>> On 1/30/24 8:32 AM, John C Klensin wrote:
>>> 
>>>> I wonder whether we could borrow a note from some very early
>>>> IANA registration policies and allow third-party
>>>> registrations, e.g., allow you or someone else who notices
>>>> one of these things to record the usage in the database as a
>>>> third-party registration.  If one of our primary goals for
>>>> having the registry is to avoid inadvertent name conflicts,
>>>> then knowing that (using your examples) LinkedIn is using
>>>> "li" for a namespace and Amazon is using "rtn", and both are
>>>> using them on the public Internet (embedded or not), there
>>>> would seem to be a public interest in having those names
>>>> registered.
>>> 
>>> RFC 8141 states:
>>> 
>>>      This document rests on two key assumptions:
>>> 
>>>      1.  Assignment of a URN is a managed process.
>>> 
>>>      2.  The space of URN namespaces is itself managed.
>>> 
>>> One thing I'm uncomfortable with here - not with your
>>> proposal but with the underlying situation - is the fact
>>> that if at some level we accept unregistered URN namespaces,
>>> then we're not living up to assumption #2.
>> 
>> Yes.
>> 
>>> Overall I'd say we have done a decent job of managing the
>>> space of URN namespaces: the vast majority of SDOs and other
>>> projects we've engaged with have worked in good faith to
>>> define their usage of URNs, and for the most part this
>>> discussion list has led to improved transparency regarding
>>> URN usage on the Internet. (To be clear, we've had a few
>>> failures along the way, e.g. namespaces we didn't get
>>> registered because the registrants ran out of energy or
>>> patience with the review team.)
>>> 
>>> It seems less than ideal to allow third-party registrations
>>> that are mere placeholders so that we can avoid conflicts.
>>> Indeed, those don't feel like *registrations* at all, in the
>>> sense of fulfilling our responsibility to manage the space of
>>> URN namespaces. (Furthermore, it feels disrespectful toward
>>> everyone who has properly registered their namespaces.)
>>> 
>>> I'm not completely opposed to what you suggest, but I'm not
>>> completely happy with it, either.
>> 
>> I agree and share your unhappiness.  I was just trying to
>> reflect what seems to be a general IETF trend that I would
>> describe as "forget all that other stuff and the reasons for
>> it, just get it registered to prevent conflicts".  That has
>> resulted in updates to several protocol specs moving, e.g.,
>> from "RFC or IESG-approved Experimental" to "Specification
>> Required" or lower.  That does not make me happy either, but
>> I recognize the reasoning and the trend.
>> 
>> Given that, and given that allowing third-party registrations
>> would presumably require an update to RFC 8141 anyway, let me
>> suggest a different alternative.   I haven't quite figured out
>> how this would be defined, much less what we would tell IANA
>> about naming (because any list they keep is called a registry)
>> but what would happen if created a separate list, not for
>> registration of a URN namespace but of names that had been
>> seen in the wild and, in violation of the clear intent of
>> 8141, had not gone through that process?
> 
> It might not surprise you that I had a similar thought.
> ("Great minds think alike" or "fools never differ"?)
> 
>> Such a listing would clearly require some minimal protection
>> against DoS attacks, but so would a third-party registration.
>> Submission of copies of web pages or messages would be a
>> start.
>> 
>> I think I'd rather see it as an IANA collection because
>> presence in that hall of shame might motivate some companies
>> to actually register but, if if that would be problematic, I
>> could see a wiki or github listing somewhere and a sentence
>> in the header of the IANA URN namespace registry that said
>> something like "an informal list of known names in use in
>> violation of the specs may be consulted to avoid
>> unintentional naming conflicts if one is considering a new
>> namespace and name".
> 
> To some extent, I think it depends on what we're trying to
> accomplish with this list. I see two main purposes:
> 
> 1. Encouraging organizations to register their namespaces
> 
> 2. Avoiding namespace conflicts
> 
> It's not clear to me that purpose #1 will be met more
> effectively with a public list than with reaching out to
> people we know at the offending organizations, but just
> possibly it might help. Do we know if this method has been
> successful with other registries?

No idea.  It might be reasonable to reach out to Barry Leiba
(don't remember whether he is on this list or not) because my
impression is that he has been one of the sensible people
pushing most strongly for "just get it registered somehow".  If
there have been successes, he would be likely to know.   But I
don't know that it is particularly useful knowledge because ...

If we disagree, it might be closer to 5% or 1% than 10%.  What I
was thinking, although I was no coherent enough to write down,
was that we should encourage third parties who notice such
things to reach out to "people they know" if they know anyone
and provide some mechanism for them to post a message to see if
anyone else can do some gentle arm-twisting otherwise (posting
to this list or even ietf@ietf.org might be reasonable).  Only
if those entreaties failed to produce a registration by the
organization involved, would the name be added to what I think
of as a "this name is in use by the the organization involves is
too anti-social, arrogant, or opposed to a URN system that works
well" list.  Of course, we wouldn't say that unless we could
figure out how to be really polite about it.

That sort of approach would constitute doing our best at the
"encouraging" part, providing some (at least minimal) pressure
on those who were not easily encouraged and, either way, address
purpose #2.

> Purpose #2 is more limited but potentially useful (and as you
> say could be met with a simple web page at a wiki or GitHub).

best,
   john

v2.30.2 | Report a Bug | By Email | System Status