Re: [urn] I-D Action: draft-saintandre-urn-example-00

Keith Moore <moore@network-heretics.com> Wed, 09 January 2013 04:28 UTC

Return-Path: <moore@network-heretics.com>
X-Original-To: urn@ietfa.amsl.com
Delivered-To: urn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D7EE1F0CF8 for <urn@ietfa.amsl.com>; Tue, 8 Jan 2013 20:28:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.524
X-Spam-Level:
X-Spam-Status: No, score=-3.524 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LCDqj9NlOz9h for <urn@ietfa.amsl.com>; Tue, 8 Jan 2013 20:27:59 -0800 (PST)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) by ietfa.amsl.com (Postfix) with ESMTP id 92E791F0CB3 for <urn@ietf.org>; Tue, 8 Jan 2013 20:27:59 -0800 (PST)
Received: from compute1.internal (compute1.nyi.mail.srv.osa [10.202.2.41]) by gateway1.nyi.mail.srv.osa (Postfix) with ESMTP id E4FEE20A47; Tue, 8 Jan 2013 23:27:58 -0500 (EST)
Received: from frontend2.nyi.mail.srv.osa ([10.202.2.161]) by compute1.internal (MEProxy); Tue, 08 Jan 2013 23:27:58 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=message-id:date:from:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; s=smtpout; bh=E5e1CMT8hctSJxUAA/dbWJ yfu4M=; b=rbfTAxfZxHvyZFCjFthQTXKOHdJSKBA3C5Go5B6Bx0dre/CiAin0Nw wtCLcMlb1QTf3mKM/QFULQFErjGtCzKohF84GX5L2cSF1ddN7XU17a1yFqAkBc6U HxL0XeR1wwijcJxSTnu1YpyC92uQKw1KSV8cLoFuFBL9rJJ8DYm6I=
X-Sasl-enc: PXPtXTO7ceKvess68OpRmbFO/VsyiKb6j87x1j4Zk761 1357705678
Received: from [192.168.1.20] (unknown [65.16.145.177]) by mail.messagingengine.com (Postfix) with ESMTPA id 099A44827A2; Tue, 8 Jan 2013 23:27:57 -0500 (EST)
Message-ID: <50ECF1CC.6030208@network-heretics.com>
Date: Tue, 08 Jan 2013 23:27:56 -0500
From: Keith Moore <moore@network-heretics.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: Peter Saint-Andre <stpeter@stpeter.im>
References: <201208162101.XAA08756@TR-Sys.de> <502DF26E.3050406@gmx.de> <50EB1560.3060602@stpeter.im>
In-Reply-To: <50EB1560.3060602@stpeter.im>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Cc: urn@ietf.org
Subject: Re: [urn] I-D Action: draft-saintandre-urn-example-00
X-BeenThere: urn@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Revisions to URN RFCs <urn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/urn>, <mailto:urn-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/urn>
List-Post: <mailto:urn@ietf.org>
List-Help: <mailto:urn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/urn>, <mailto:urn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jan 2013 04:28:00 -0000

On 01/07/2013 01:35 PM, Peter Saint-Andre wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Old thread alert!
>
> On 8/17/12 1:27 AM, Julian Reschke wrote:
>> On 2012-08-16 23:01, Alfred � wrote:
>>> (no hat)
>>>
>>> On 08/16/2012, Keith Moore wrote:
>>>> On 08/14/2012 09:59 AM, Andy Newton wrote:
>>>>> Given that URNs are suppose to have permanence or persistence
>>>>> or whatever we are calling it today and a resolution
>>>>> mechanism, this desire to shoehorn identifiers that need to
>>>>> qualify as a URI into the URN system might be wrong. An
>>>>> identifier that must be a URI does not necessarily need or
>>>>> have all the properties to be a URN. Just an observation.
>>>> +1
>>>>
>>>> URNs were intended to be _resource names_, i.e. names of
>>>> resources rather than merely unique identifiers.  The
>>>> expectation was that such resources would generally be at least
>>>> potentially accessible over the network, and that it would be
>>>> possible to resolve such names to resource locations.
>>>> Everyone agreed that it should be possible to assign URNs to
>>>> resources that were not resolvable, or at least not resolvable
>>>> for the time being.  But the idea that URNs are appropriate for
>>>> use whenever someone needed a unique non-resolvable identifier
>>>> that qualifies as a URI, always has struck me as bizarre and
>>>> contrary to the intended purpose of URNs.
>>>>
>>>> Keith
>>> +1 (for both statements)
>> For the record: -1-
>>
>> urn:uuid: is used a lot in practice, and I simply don't see a
>> practical problem with it.
Whether something works well in practice, and whether something conforms 
to the intent of a standard, are of course two separate questions.

Again, URNs were designed to identify resources.   If people use them 
for other things, that's not a problem so long as such use doesn't 
degrade the intended utility of URNs.   It's not like the protocol 
police are going to chase down the users of UUID URNs and put them in 
jail if those UUIDs weren't chosen to refer to resources.  And of course 
you can't tell by looking what is named by a URN  - and that is a 
feature, not a bug.

But just because people find uses for URNs that weren't intended, 
doesn't mean that the URN standard should be changed to encompass those 
uses.  This _would_ degrade the utility of URNs.

To be clear, there's nothing in principle wrong with a UUID URN. What's 
wrong is using a UUID URN just because what you need is a unique 
identifier that doesn't refer to a resource, and you want that unique ID 
to be some sort of URI.   Yes, it probably does little harm most of the 
time, but it's still not a good idea to promote the practice.

> Are you saying these shouldn't be URIs in the first place, or that
> a separate URI scheme would have been ok (in which case those would
> be URNs as well, just not using the "URN" URI scheme, no?).
I'm saying that whoever insisted that it was a good idea to use URIs of 
any kind as unique identifiers, just because they happened to contain 
DNS names (which we already knew were not unique over time), was adding 
needless complexity to the network in exchange for marginal, probably 
negative, utility.  UUIDs by themselves would have worked just fine.[*] 
   Misuse of URNs in this way is just a small part of the resulting 
collateral damage.

[*]  Well, almost just fine.  I've seen security holes in web services 
that relied on UUID URNs as transaction IDs and were vulnerable to 
trivial UUID guessing attacks.   But the general problem is with adding 
more layers which aren't well understood. People who don't understand 
security protocols shouldn't be picking what to use as nonces, people 
who don't understand URNs shouldn't be designing protocols around 
them.   etc.

Keith