idnits 2.17.00 (12 Aug 2021) /tmp/idnits41100/draft-ietf-appsawg-uri-get-off-my-lawn-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document updates RFC3986, but the abstract doesn't seem to directly say this. It does mention RFC3986 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC3986, updated by this document, for RFC5378 checks: 2002-11-01) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (April 23, 2014) is 2949 days in the past. Is this intentional? Checking references for intended status: Best Current Practice ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Obsolete informational reference (is this intentional?): RFC 4395 (Obsoleted by RFC 7595) -- Obsolete informational reference (is this intentional?): RFC 5785 (Obsoleted by RFC 8615) -- Obsolete informational reference (is this intentional?): RFC 5988 (Obsoleted by RFC 8288) Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 6 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 appsawg M. Nottingham 3 Internet-Draft 4 Updates: 3986 (if approved) April 23, 2014 5 Intended status: Best Current Practice 6 Expires: October 25, 2014 8 URI Design and Ownership 9 draft-ietf-appsawg-uri-get-off-my-lawn-04 11 Abstract 13 RFC3986 Section 1.1.1 defines URI syntax as "a federated and 14 extensible naming system wherein each scheme's specification may 15 further restrict the syntax and semantics of identifiers using that 16 scheme." In other words, the structure of a URI is defined by its 17 scheme. While it is common for schemes to further delegate their 18 substructure to the URI's owner, publishing independent standards 19 that mandate particular forms of URI substructure is inappropriate, 20 because that essentially usurps ownership. This document further 21 describes this problematic practice and provides some acceptable 22 alternatives for use in standards. 24 Status of This Memo 26 This Internet-Draft is submitted in full conformance with the 27 provisions of BCP 78 and BCP 79. 29 Internet-Drafts are working documents of the Internet Engineering 30 Task Force (IETF). Note that other groups may also distribute 31 working documents as Internet-Drafts. The list of current Internet- 32 Drafts is at http://datatracker.ietf.org/drafts/current/. 34 Internet-Drafts are draft documents valid for a maximum of six months 35 and may be updated, replaced, or obsoleted by other documents at any 36 time. It is inappropriate to use Internet-Drafts as reference 37 material or to cite them other than as "work in progress." 39 This Internet-Draft will expire on October 25, 2014. 41 Copyright Notice 43 Copyright (c) 2014 IETF Trust and the persons identified as the 44 document authors. All rights reserved. 46 This document is subject to BCP 78 and the IETF Trust's Legal 47 Provisions Relating to IETF Documents 48 (http://trustee.ietf.org/license-info) in effect on the date of 49 publication of this document. Please review these documents 50 carefully, as they describe your rights and restrictions with respect 51 to this document. Code Components extracted from this document must 52 include Simplified BSD License text as described in Section 4.e of 53 the Trust Legal Provisions and are provided without warranty as 54 described in the Simplified BSD License. 56 Table of Contents 58 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 59 1.1. Who This Document Is For . . . . . . . . . . . . . . . . 3 60 1.2. Notational Conventions . . . . . . . . . . . . . . . . . 4 61 2. Best Current Practices for Standardizing Structured URIs . . 4 62 2.1. URI Schemes . . . . . . . . . . . . . . . . . . . . . . . 4 63 2.2. URI Authorities . . . . . . . . . . . . . . . . . . . . . 4 64 2.3. URI Paths . . . . . . . . . . . . . . . . . . . . . . . . 5 65 2.4. URI Queries . . . . . . . . . . . . . . . . . . . . . . . 5 66 2.5. URI Fragment Identifiers . . . . . . . . . . . . . . . . 5 67 3. Alternatives to Specifying Structure in URIs . . . . . . . . 6 68 4. Security Considerations . . . . . . . . . . . . . . . . . . . 6 69 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 70 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 71 6.1. Normative References . . . . . . . . . . . . . . . . . . 7 72 6.2. Informative References . . . . . . . . . . . . . . . . . 7 73 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 7 74 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8 76 1. Introduction 78 URIs [RFC3986] very often include structured application data. This 79 might include artifacts from filesystems (often occurring in the path 80 component), and user information (often in the query component). In 81 some cases, there can even be application-specific data in the 82 authority component (e.g., some applications are spread across 83 several hostnames to enable a form of partitioning or dispatch). 85 Furthermore, constraints upon the structure of URIs can be imposed by 86 an implementation; for example, many Web servers use the filename 87 extension of the last path segment to determine the media type of the 88 response. Likewise, pre-packaged applications often have highly 89 structured URIs that can only be changed in limited ways (often, just 90 the hostname and port they are deployed upon). 92 Because the owner of the URI (as defined in [webarch] 93 Section 2.2.2.1) is choosing to use the server or the software, this 94 can be seen as reasonable delegation of authority. When such 95 conventions are mandated by a party other than the owner, however, it 96 can have several potentially detrimental effects: 98 o Collisions - As more ad hoc conventions for URI structure become 99 standardized, it becomes more likely that there will be collisions 100 between them (especially considering that servers, applications 101 and individual deployments will have their own conventions). 103 o Dilution - When the information added to a URI is ephemeral, this 104 dilutes its utility by reducing its stability (see [webarch] 105 Section 3.5.1), and can cause several alternate forms of the URI 106 to exist (see [webarch] Section 2.3.1). 108 o Rigidity - Fixed URI syntax often interferes with desired 109 deployment patterns. For example, if an authority wishes to offer 110 several applications on a single hostname, it becomes difficult to 111 impossible to do if their URIs do not allow the required 112 flexibility. 114 o Operational Difficulty - Supporting some URI conventions can be 115 difficult in some implementations. For example, specifying that a 116 particular query parameter be used precludes the use of Web 117 servers that serve the response from a filesystem. Likewise, an 118 application that fixes a base path for its operation (e.g., "/v1") 119 makes it impossible to deploy other applications with the same 120 prefix on the same host. 122 o Client Assumptions - When conventions are standardized, some 123 clients will inevitably assume that the standards are in use when 124 those conventions are seen. This can lead to interoperability 125 problems; for example, if a specification documents that the "sig" 126 URI query parameter indicates that its payload is a cryptographic 127 signature for the URI, it can lead to undesirable behavior. 129 Publishing an independent standard that constrains an existing URI 130 structure in ways which aren't explicitly allowed by [RFC3986] (e.g., 131 by defining it in the URI scheme) is usually inappropriate, because 132 the structure of a URI needs to be firmly under the control of its 133 owner, and the IETF (as well as other organizations) should not usurp 134 it. 136 This document explains best current practices for establishing URI 137 structures, conventions and formats in standards. It also offers 138 strategies for specifications to avoid violating these guidelines in 139 Section 3. 141 1.1. Who This Document Is For 143 This document's requirements primarily target a few different types 144 of specifications: 146 o Protocol Extensions ("extensions") - specifications that offer new 147 capabilities to potentially any identifier, or a large subset; 148 e.g., a new signature mechanism for 'http' URIs, or metadata for 149 any URI. 151 o Applications Using URIs ("applications") - specifications that use 152 URIs to meet specific needs; e.g., a HTTP interface to particular 153 information on a host. 155 Requirements that target the generic class "Specifications" apply to 156 all specifications, including both those enumerated above and others. 158 Note that this specification ought not be interpreted as preventing 159 the allocation of control of URIs by parties that legitimately own 160 them, or have delegated that ownership; for example, a specification 161 might legitimately define the semantics of a URI on the IANA.ORG Web 162 site as part of the establishment of a registry. 164 1.2. Notational Conventions 166 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 167 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 168 document are to be interpreted as described in [RFC2119]. 170 2. Best Current Practices for Standardizing Structured URIs 172 This section updates [RFC3986] by setting limitations on how other 173 specifications may define structure and semantics within URIs. Best 174 practices differ depending on the URI component, as described below. 176 2.1. URI Schemes 178 Applications and extensions MAY require use of specific URI 179 scheme(s); for example, it is perfectly acceptable to require that an 180 application support 'http' and 'https' URIs. However, applications 181 SHOULD NOT preclude the use of other URI schemes in the future, 182 unless they are clearly specific to the nominated schemes. 184 A specification that defines substructure within a URI scheme MUST do 185 so in the defining document for that URI scheme, or by modifying 186 [RFC4395]. 188 2.2. URI Authorities 190 Scheme definitions define the presence, format and semantics of an 191 authority component in URIs; all other specifications MUST NOT 192 constrain, or define the structure or the semantics for URI 193 authorities, unless they update the scheme registration itself. 195 For example, an extension or application cannot say that the "foo" 196 prefix in "foo_app.example.com" is meaningful or triggers special 197 handling in URIs. 199 2.3. URI Paths 201 Scheme definitions define the presence, format, and semantics of a 202 path component in URIs; all other specifications MUST NOT constrain, 203 or define the structure or the semantics for any path component. 205 The only exception to this requirement is registered "well-known" 206 URIs, as specified by [RFC5785]. See that document for a description 207 of the applicability of that mechanism. 209 For example, an application cannot specify a fixed URI path "/myapp", 210 since this usurps the host's control of that space. Specifying a 211 fixed path relative to another (e.g., {whatever}/myapp) is also bad 212 practice (even if "whatever" is discovered as suggested in 213 Section 3); while doing so might prevent collisions, it does not 214 avoid the potential for operational difficulties discussed in 215 Section 1. 217 2.4. URI Queries 219 The presence, format and semantics of the query component of URIs is 220 dependent upon many factors, and MAY be constrained by a scheme 221 definition. Often, they are determined by the implementation of a 222 resource itself. 224 Applications SHOULD NOT directly specify the syntax of queries, as 225 this can cause operational difficulties for deployments that do not 226 support a particular form of a query. 228 Extensions MUST NOT specify the format or semantics of queries. 230 For example, an extension that indicates that all query parameters 231 with the name "sig" indicate a cryptographic signature is not 232 conforming; doing so would collide with potentially pre-existing 233 query parameters on sites, and lead clients to assume that any 234 matching query parameter is a signature. 236 2.5. URI Fragment Identifiers 238 Media type definitions (as per [RFC6838]) SHOULD specify the fragment 239 identifier syntax(es) to be used with them; other specifications MUST 240 NOT define structure within the fragment identifier, unless they are 241 explicitly defining one for reuse by media type definitions. 243 For example, an application that defines common fragment identifiers 244 across media types not controlled by it is not conforming, and would 245 engender interoperability problems with handlers for those media 246 types (because the new, non-standard syntax is not expected). 248 3. Alternatives to Specifying Structure in URIs 250 Given the issues described in Section 1, the most successful strategy 251 for applications and extensions that wish to use URIs is to use them 252 in the fashion they were designed: as links that are exchanged as 253 part of the protocol, rather than statically specified syntax. 254 Several existing specifications can aid in this. 256 [RFC5988] specifies relation types for Web links. By providing a 257 framework for linking on the Web, where every link has a relation 258 type, context and target, it allows applications to define a link's 259 semantics and connectivity. 261 [RFC6570] provides a standard syntax for URI Templates that can be 262 used to dynamically insert application-specific variables into a URI 263 to enable such applications while avoiding impinging upon URI owners' 264 control of them. 266 [RFC5785] allows specific paths to be 'reserved' for standard use on 267 URI schemes that opt into that mechanism ('http' and 'https' by 268 default). Note, however, that this is not a general "escape valve" 269 for applications that need structured URIs; see that specification 270 for more information. 272 Specifying more elaborate structures in an attempt to avoid 273 collisions is not an acceptable solution, and does not address the 274 issues in Section 1. For example, prefixing query parameters with 275 "myapp_" does not help, because the prefix itself is subject to the 276 risk of collision (since it is not "reserved"). 278 4. Security Considerations 280 This document does not introduce new protocol artifacts with security 281 considerations. It prohibits some practices that might lead to 282 vulnerabilities; for example, if a security-sensitive mechanism is 283 introduced by assuming that a URI path component or query string has 284 a particular meaning, false positives might be encountered (due to 285 sites that already use the chosen string). See also [RFC6943]. 287 5. IANA Considerations 289 There are no direct IANA actions specified in this document. 291 6. References 293 6.1. Normative References 295 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 296 Requirement Levels", BCP 14, RFC 2119, March 1997. 298 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 299 Resource Identifier (URI): Generic Syntax", STD 66, RFC 300 3986, January 2005. 302 [RFC6838] Freed, N., Klensin, J., and T. Hansen, "Media Type 303 Specifications and Registration Procedures", BCP 13, RFC 304 6838, January 2013. 306 [webarch] Jacobs, I. and N. Walsh, "Architecture of the World Wide 307 Web, Volume One", December 2004, 308 . 310 6.2. Informative References 312 [RFC4395] Hansen, T., Hardie, T., and L. Masinter, "Guidelines and 313 Registration Procedures for New URI Schemes", BCP 35, RFC 314 4395, February 2006. 316 [RFC5785] Nottingham, M. and E. Hammer-Lahav, "Defining Well-Known 317 Uniform Resource Identifiers (URIs)", RFC 5785, April 318 2010. 320 [RFC5988] Nottingham, M., "Web Linking", RFC 5988, October 2010. 322 [RFC6570] Gregorio, J., Fielding, R., Hadley, M., Nottingham, M., 323 and D. Orchard, "URI Template", RFC 6570, March 2012. 325 [RFC6943] Thaler, D., "Issues in Identifier Comparison for Security 326 Purposes", RFC 6943, May 2013. 328 Appendix A. Acknowledgments 330 Thanks to David Booth, Dave Crocker, Tim Bray, Anne van Kesteren, 331 Martin Thomson, Erik Wilde, Dave Thaler and Barry Leiba for their 332 suggestions and feedback. 334 Author's Address 336 Mark Nottingham 338 Email: mnot@mnot.net 339 URI: http://www.mnot.net/