idnits 2.17.1
draft-nottingham-site-meta-05.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
** You're using the IETF Trust Provisions' Section 6.b License Notice from
12 Sep 2009 rather than the newer Notice from 28 Dec 2009. (See
https://trustee.ietf.org/license-info/)
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
-- The draft header indicates that this document updates RFC2616, but the
abstract doesn't seem to mention this, which it should.
-- The draft header indicates that this document updates RFC2818, but the
abstract doesn't seem to mention this, which it should.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
(Using the creation date from RFC2616, updated by this document, for
RFC5378 checks: 1997-10-16)
-- The document seems to lack a disclaimer for pre-RFC5378 work, but may
have content which was first submitted before 10 November 2008. If you
have contacted all the original authors and they are all willing to grant
the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
this comment. If not, you may need to add the pre-RFC5378 disclaimer.
(See the Legal Provisions document at
https://trustee.ietf.org/license-info for more information.)
-- The document date (December 30, 2009) is 5231 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
** Obsolete normative reference: RFC 5226 (Obsoleted by RFC 8126)
-- Obsolete informational reference (is this intentional?): RFC 2616
(Obsoleted by RFC 7230, RFC 7231, RFC 7232, RFC 7233, RFC 7234, RFC 7235)
Summary: 2 errors (**), 0 flaws (~~), 1 warning (==), 5 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 Network Working Group M. Nottingham
3 Internet-Draft E. Hammer-Lahav
4 Updates: 2616 2818 December 30, 2009
5 (if approved)
6 Intended status: Standards Track
7 Expires: July 3, 2010
9 Defining Well-Known URIs
10 draft-nottingham-site-meta-05
12 Abstract
14 This memo defines a path prefix for "well-known locations", "/.well-
15 known/" in selected URI schemes.
17 Status of this Memo
19 This Internet-Draft is submitted to IETF in full conformance with the
20 provisions of BCP 78 and BCP 79.
22 Internet-Drafts are working documents of the Internet Engineering
23 Task Force (IETF), its areas, and its working groups. Note that
24 other groups may also distribute working documents as Internet-
25 Drafts.
27 Internet-Drafts are draft documents valid for a maximum of six months
28 and may be updated, replaced, or obsoleted by other documents at any
29 time. It is inappropriate to use Internet-Drafts as reference
30 material or to cite them other than as "work in progress."
32 The list of current Internet-Drafts can be accessed at
33 http://www.ietf.org/ietf/1id-abstracts.txt.
35 The list of Internet-Draft Shadow Directories can be accessed at
36 http://www.ietf.org/shadow.html.
38 This Internet-Draft will expire on July 3, 2010.
40 Copyright Notice
42 Copyright (c) 2009 IETF Trust and the persons identified as the
43 document authors. All rights reserved.
45 This document is subject to BCP 78 and the IETF Trust's Legal
46 Provisions Relating to IETF Documents
47 (http://trustee.ietf.org/license-info) in effect on the date of
48 publication of this document. Please review these documents
49 carefully, as they describe your rights and restrictions with respect
50 to this document. Code Components extracted from this document must
51 include Simplified BSD License text as described in Section 4.e of
52 the Trust Legal Provisions and are provided without warranty as
53 described in the BSD License.
55 Table of Contents
57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
58 1.1. Appropriate Use of Well-Known URIs . . . . . . . . . . . . 3
59 2. Notational Conventions . . . . . . . . . . . . . . . . . . . . 3
60 3. Well-Known URIs . . . . . . . . . . . . . . . . . . . . . . . . 4
61 4. Security Considerations . . . . . . . . . . . . . . . . . . . . 4
62 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5
63 5.1. The Well-Known URI Registry . . . . . . . . . . . . . . . . 5
64 5.1.1. Registration Template . . . . . . . . . . . . . . . . . 5
65 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6
66 6.1. Normative References . . . . . . . . . . . . . . . . . . . 6
67 6.2. Informative References . . . . . . . . . . . . . . . . . . 6
68 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . . 6
69 Appendix B. Frequently Asked Questions . . . . . . . . . . . . . . 7
70 B.1. Aren't well-known locations bad for the Web? . . . . . . . 7
71 B.2. Why /.well-known? . . . . . . . . . . . . . . . . . . . . . 7
72 B.3. What impact does this have on existing mechanisms,
73 such as P3P and robots.txt? . . . . . . . . . . . . . . . . 7
74 B.4. Why aren't per-directory well-known locations defined? . . 7
75 Appendix C. Document History . . . . . . . . . . . . . . . . . . . 7
76 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 8
78 1. Introduction
80 It is increasingly common for Web-based protocols to require the
81 discovery of policy or metadata before making a request. For
82 example, the Robots Exclusion Protocol
83 specifies a way for automated processes to obtain permission to
84 access resources; likewise, the Platform for Privacy Preferences
85 [W3C.REC-P3P-20020416] tells user-agents how to discover privacy
86 policy beforehand.
88 While there are several ways to access per-resource metadata (e.g.,
89 HTTP headers, WebDAV's PROPFIND [RFC4918]), the perceived overhead
90 (either in terms of client-perceived latency, and/or deployment
91 difficulties) associated with them often precludes their use in these
92 scenarios.
94 When this happens, it is common to designate a "well-known location"
95 for such metadata, so that it can be easily located. However, this
96 approach has the drawback of risking collisions, both with other such
97 designated "well-known locations" and with pre-existing resources.
99 To address this, this memo defines a path prefix in HTTP(S) URIs for
100 these "well-known locations", "/.well-known/". Future specifications
101 that need to define a resource for such site-wide metadata can
102 register their use to avoid collisions and minimise impingement upon
103 sites' URI space.
105 1.1. Appropriate Use of Well-Known URIs
107 There are a number of possible ways that applications could use Well-
108 known URIs. However, in keeping with the Architecture of the World-
109 Wide Web [W3C.REC-webarch-20041215], well-known URIs are not intended
110 for general information retrieval, or establishment of large URI
111 name-spaces on the Web. Rather, they are designed to facilitate
112 discovery of information on a site when it isn't practical to use
113 other mechanisms; for example, when discovering policy that needs to
114 be evaluated before a resource is accessed, or when using multiple
115 round-trips is judged detrimental to performance.
117 As such, the well-known URI space was created with the expectation
118 that it will be used to make site-wide policy information and other
119 metadata available directly (if sufficiently concise), or provide
120 references to other URIs that provide such metadata.
122 2. Notational Conventions
124 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
125 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
126 document are to be interpreted as described in RFC 2119 [RFC2119].
128 3. Well-Known URIs
130 A well-known URI is a URI [RFC3986] whose path component begins with
131 the characters "/.well-known/", and whose scheme is "HTTP", "HTTPS",
132 or another scheme which has explicitly been specified to use well-
133 known URIs.
135 Applications that wish to mint new well-known URIs MUST register
136 them, following the procedures in Section 5.1.
138 For example, if an application registers the name 'example', the
139 corresponding well-known URI on 'http://www.example.com/' would be
140 'http://www.example.com/.well-known/example'.
142 Registered names MUST conform to the segment-nz production in
143 [RFC3986].
145 Note that this specification defines neither how to determine the
146 authority to use for a particular context, nor the scope of the
147 metadata discovered by dereferencing the well-known URI; both should
148 be defined by the application itself.
150 Typically, a registration will reference a specification that defines
151 the format and associated media type to be obtained by dereferencing
152 the well-known URI.
154 It MAY also contain additional information, such as the syntax of
155 additional path components, query strings and/or fragment identifiers
156 to be appended to the well-known URI, or protocol-specific details
157 (e.g., HTTP [RFC2616] method handling).
159 Note that this specification also does not define a format or media-
160 type for the resource located at "/.well-known/" and clients should
161 not expect a resource to exist at that location.
163 4. Security Considerations
165 This memo does not specify the scope of applicability of metadata or
166 policy obtained from a well-known URI, and does not specify how to
167 discover a well-known URI for a particular application. Individual
168 applications using this mechanism must define both aspects.
170 Applications minting new well-known URIs, as well as administrators
171 deploying them, will need to consider several security-related
172 issues, including (but not limited to) exposure of sensitive data,
173 denial of service attacks (in addition to normal load issues), server
174 and client authentication, vulnerability to DNS rebinding attacks,
175 and attacks where limited access to a server grants the ability to
176 affect how well-known URIs are served.
178 5. IANA Considerations
180 5.1. The Well-Known URI Registry
182 This document establishes the well-known URI registry.
184 Well-known URIs are registered on the advice of one or more
185 Designated Experts (appointed by the IESG or their delegate), with a
186 Specification Required (using terminology from [RFC5226]). However,
187 to allow for the allocation of values prior to publication, the
188 Designated Expert(s) may approve registration once they are satisfied
189 that such a specification will be published.
191 Registration requests should be sent to the [TBD]@ietf.org mailing
192 list for review and comment, with an appropriate subject (e.g.,
193 "Request for well-known URI: example").
195 [[NOTE TO RFC-EDITOR: The name of the mailing list should be
196 determined in consultation with the IESG and IANA. Suggested name:
197 wellknown-uri-review. ]]
199 Before a period of 14 days has passed, the Designated Expert(s) will
200 either approve or deny the registration request, communicating this
201 decision both to the review list and to IANA. Denials should include
202 an explanation and, if applicable, suggestions as to how to make the
203 request successful. Registration requests that are undetermined for
204 a period longer than 21 days can be brought to the IESG's attention
205 (using the iesg@iesg.org mailing list) for resolution.
207 5.1.1. Registration Template
209 URI suffix: The name requested for the well-known URI, relative to
210 "/.well-known/"; e.g., "example".
211 Change controller: For standards-track RFCs, state "IETF". For
212 others, give the name of the responsible party. Other details
213 (e.g., postal address, e-mail address, home page URI) may also be
214 included.
216 Specification document(s): Reference to document that specifies the
217 field, preferably including a URI that can be used to retrieve a
218 copy of the document. An indication of the relevant sections may
219 also be included, but is not required.
220 Related information: Optionally, citations to additional documents
221 containing further relevant information.
223 6. References
225 6.1. Normative References
227 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
228 Requirement Levels", BCP 14, RFC 2119, March 1997.
230 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
231 Resource Identifier (URI): Generic Syntax", STD 66,
232 RFC 3986, January 2005.
234 [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
235 IANA Considerations Section in RFCs", BCP 26, RFC 5226,
236 May 2008.
238 6.2. Informative References
240 [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
241 Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
242 Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
244 [RFC4918] Dusseault, L., "HTTP Extensions for Web Distributed
245 Authoring and Versioning (WebDAV)", RFC 4918, June 2007.
247 [W3C.REC-P3P-20020416]
248 Marchiori, M., "The Platform for Privacy Preferences 1.0
249 (P3P1.0) Specification", W3C REC REC-P3P-20020416,
250 April 2002.
252 [W3C.REC-webarch-20041215]
253 Jacobs, I. and N. Walsh, "Architecture of the World Wide
254 Web, Volume One", World Wide Web Consortium
255 Recommendation REC-webarch-20041215, December 2004,
256 .
258 Appendix A. Acknowledgements
260 We would like to acknowledge the contributions of everyone who
261 provided feedback and use cases for this draft; in particular, Phil
262 Archer, Dirk Balfanz, Adam Barth, Tim Bray, Brian Eaton, Brad
263 Fitzpatrick, Joe Gregorio, Paul Hoffman, Barry Leiba, Ashok Malhotra,
264 Breno de Medeiros, John Panzer, and Drummond Reed. However, they are
265 not responsible for errors and omissions.
267 Appendix B. Frequently Asked Questions
269 B.1. Aren't well-known locations bad for the Web?
271 They are, but for various reasons -- both technical and social --
272 they are commonly used, and their use is increasing. This memo
273 defines a "sandbox" for them, to reduce the risks of collision and to
274 minimise the impact upon pre-existing URIs on sites.
276 B.2. Why /.well-known?
278 It's short, descriptive and according to search indices, not widely
279 used.
281 B.3. What impact does this have on existing mechanisms, such as P3P and
282 robots.txt?
284 None, until they choose to use this mechanism.
286 B.4. Why aren't per-directory well-known locations defined?
288 Allowing every URI path segment to have a well-known location (e.g.,
289 "/images/.well-known/") would increase the risks of colliding with a
290 pre-existing URI on a site, and generally these solutions are found
291 not to scale well, because they're too "chatty".
293 Appendix C. Document History
295 [[RFC Editor: please remove this section before publication.]]
297 o -05
298 * Note that lack of a decision by the expert can be appealed to
299 the IESG.
300 * Clarify status of specifications suitable for registration.
301 * Add reference for Robots Exclusion Protocol.
302 * Clarify appropriate use cases.
303 o -04
304 * Restrict to HTTP(S) by default.
305 * Shorten review SLA to 14 days.
307 * Allow for multiple designated experts.
308 * Identify mailing list for request submission and discussion.
309 o -03
310 * Add fragment identifiers to list of things an application might
311 define.
312 * Note that the /.well-known/ URI doesn't have anything there.
313 o -02
314 * Rewrote to just define a namespace for well-known URIs.
315 * Changed discussion forum to apps-discuss.
316 o -01
317 * Changed "site-meta" to "host-meta" after feedback.
318 * Changed from XML to text-based header-like format.
319 * Remove capability for generic inline content.
320 * Added registry for host-meta fields.
321 * Clarified scope of metadata application.
322 * Added security consideration about HTTP vs. HTTPS, expanding
323 scope.
325 Authors' Addresses
327 Mark Nottingham
329 Email: mnot@mnot.net
330 URI: http://www.mnot.net/
332 Eran Hammer-Lahav
334 Email: eran@hueniverse.com
335 URI: http://hueniverse.com/