Please check this document. 319 and this other document. 320 and this third document. 321
322 323 325 Figure 5: Example HTML with relative ni URI 327 The authority field in an ni URI is not quite the same as that from 328 an HTTP URL, even though the same values (e.g. DNS names) may be 329 usefully used in both. For an ni URI, the authority does not control 330 nearly as much of the structure of the "right hand side" of the URI. 331 With ni URIs we also define standard query string attributes and of 332 cousrse have a strictly defined way to include the hash value. 334 Internationalisation of strings within ni names is handled exactly as 335 for http URIs - see [I-D.ietf-httpbis-p1-messaging] Section 2.7. 337 3.1. Content Type Query String Attribute 339 The semantics of a digest being used to establish a secure reference 340 from an authenticated source to an external source may be a function 341 of associated meta data such as the content type. The Content Type 342 "ct" parameter specifies the MIME Content Type of the associated data 343 as defined in [I-D.ietf-appsawg-media-type-regs]. See Section 9.5 344 for the associated IANA registry for ni parameter names. as shown in 345 Figure 6. Implementations of this specification MUST support parsing 346 the ct= query string attribute name. 348 ni:///sha-256-32;f4OxZQ?ct=text/plain 350 Figure 6: Example ni URI with Content Type 352 Protocols making use of ni URIs will need to specify how to verify 353 name-data integrity for the MIME Content Types that they need to 354 process and will need to take into account possible Content-Transfer- 355 Encodings and other aspects of MIME encoding. 357 Implementations of this specification SHOULD support name-data 358 integrity validation for at least the application/octet-stream 359 Content Type with no Content-Transfer-Encoding (which is equivalent 360 to binary or 8bit). Additional Content Types and Content-Transfer- 361 Encodings can of course also be supported, but are OPTIONAL. 363 If a) the user agent is sensitive to the Content Type and b) the ni 364 name used has a ct= query string attribute and c) the object is 365 retrieved (from a server) using a protocol that specifies a Content 366 Type, then, if the two Content Types match, all is well. If, in this 367 situation, the Content Types do not match, then the client SHOULD 368 ignore the Content Type received from the server and use that from 369 the ni name, or handle that situation as a potential security error. 370 Content Type matching rules are defined in [RFC2045] Section 5.1. 372 4. .well-known URI 374 We define a mapping between URIs following the ni URI scheme and HTTP 375 [RFC2616] or HTTPS [RFC2617] URLs that makes use of the .well-known 376 URI [RFC5785] by defining an "ni" suffix (see Section 9). 378 The HTTP(S) mapping MAY be used in any context where clients with 379 support for ni URIs are not available. 381 Since the .well-known name-space is not intended for general 382 information retrieval, if an application de-references a .well- 383 known/ni URL via HTTP(S), then it will often receive a 3xx HTTP re- 384 direction response. A server responding to a request for a .well- 385 known/ni URL will often therefore return a 3xx response and a client 386 sending such a request MUST be able to handle that, as should any 387 fully compliant HTTP [RFC2616] client. 389 For an ni name of the form "ni://n-authority/alg;val?query-string" 390 the corresponding HTTP(S) URL produced by this mapping is 391 "http://h-authority/.well-known/ni/alg/val?query-string", where 392 "h-authority" is derived as follows: If the ni name has a specified 393 authority (i.e., the n-authority is non-empty) then the h-authority 394 MUST have the same value. If the ni name has no authority specified 395 (i.e. the n-authority string is empty), a h-authority value MAY be 396 derived from the application context. For example, if the mapping is 397 being done in the context of a web page then the origin [RFC6454] for 398 that web site can be used. Of course, there are in general no 399 guarantees that the object named by the ni URI will be available via 400 the corresponding HTTP(S) URL. But in the case that any data is 401 returned, the retriever can determine whether or not it is content 402 that matches the ni URI. 404 If an application is presented with a HTTP(S) URL with "/.well- 405 known/ni/" as the start of its pathname component, then the reverse 406 mapping to an ni URI either including or excluding the authority 407 might produce an ni URI that is meaningful, but there is no guarantee 408 that this will be the case. 410 When mapping from an ni URI to a .well-known URL, an implementation 411 will have to decide between choosing an "http" or "https" URL. If 412 the object referenced does in fact match the hash in the URL, then 413 there is arguably no need for additional data integrity, if the ni 414 URI or .well-known URL was received "securely." However TLS also 415 provides confidentiality, so there can still be reasons to use the 416 "https" URL scheme even in this case. Additionally, web server 417 policy such as [I-D.ietf-websec-strict-transport-sec] may dictate 418 that data might only be available over "https". In general however, 419 whether to use "http" or "https" is something that needs to be 420 decided by the application. 422 5. URL Segment Format 424 Some applications may benefit from using hashes in existing HTTP URLs 425 or other URLs. To do this one simply uses the "alg-val" production 426 from the ni name scheme ABNF which may be included for example in the 427 pathname, query string or even fragment components of HTTP URLs 428 [RFC2616]. In such cases there is nothing present in the URL that 429 ensures that a client can depend on compliance with this 430 specification, so clients MUST NOT assume that any URL with a 431 pathname component that matches the "alg-val" production was in fact 432 produced as a result of this specification. That URL might or might 433 not be related to this specification, only the context will tell. 435 6. Binary Format 437 If a more space-efficient version of the name is needed, the 438 following binary format can be used. The binary format name consists 439 of two fields: a header and the hash value. The header field defines 440 how the identifier has been created and the hash value contains a 441 (possibly truncated) result of a one-way hash over whatever is being 442 identified by the hash value. The binary format of a name is shown 443 in Figure 7. 445 0 1 2 3 446 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 447 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 448 |Res| Suite ID | Hash Value / 449 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 450 / ... / 451 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 452 / ... | 453 +-+-+-+-+-+-+-+-+ 455 Figure 7: Binary Name Format 457 The Res field is a reserved 2-bit field for future use and MUST be 458 set to zero for this specification. 460 The hash algorithm and truncation length are specified by the Suite 461 ID. For maintaining efficient encoding for the binary format, only a 462 few hash algorithms and truncation lengths are supported. See 463 Section 9.4 for details. 465 A hash value that is truncated to 120 bits will result in the overall 466 name being a 128-bit value which may be useful for protocols that can 467 easily use 128-bit identifiers. 469 7. Human-speakable (nih) URI Format 471 Sometimes a resource may need to be referred to via a name in a 472 format that is easy for humans to read out, and less likely to be 473 ambiguous when heard. This is intended to be usable for example over 474 the phone in order to confirm the (current or future) presence or 475 absence of a resource. This "confirmation" use-case described 476 further in Section 8.3 is the main current use-case for nih URIs. 478 The ni URI format is not well-suited for this, as, for example, 479 base64url uses both upper and lower case which can easily cause 480 confusion. For this particular purpose, ("speaking" the value of a 481 hash output) the more verbose but less ambiguous (when spoken) nih 482 URI scheme is defined. "nih" stands for "Named Information for 483 Humans." (Or possibly "Not Invented Here," which is clearly false, 484 and therefore worth including :-) 486 The justification for nih being a URI scheme is that that can help a 487 user agent for the speaker to better display the value, or help a 488 machine to better speak or recognise the value when spoken. We do 489 not include the query string since there is no way to ensure that its 490 value might be spoken unambiguously, and similarly for the authority, 491 where e.g. some internationalised forms of domain name might not be 492 easy to speak and comprehend easily. This leaves the hash value as 493 the only part of the ni URI that we feel can be usefully included. 494 But since speakers or listeners (or speech recognition) may err, we 495 also include a check-digit to catch common errors, and allow for the 496 inclusion of "-" separators to make nih URIs more easy to read out. 498 Fields in nih URIs are separated by a semi-colon (;) character. The 499 first field is a hash algorithm string, as in the ni URI format. The 500 hash value is represented using lower-case ASCII hex characters, for 501 example an octet with the decimal value 58 (0x3A) is encoded as '3a'. 502 This is the same as base16 encoding as defined in RFC 4648 [RFC4648] 503 except using lower-case letters. Separators ("-" characters) MAY be 504 interspersed in the hash value in any way to make those easier to 505 read, typically grouping four or six characters with a separator 506 between. 508 The hash value is OPTIONALLY followed by a semi-colon ';' then a 509 checkdigit. The checkdigit MUST be calculated using Luhn's mod N 510 algorithm (with N=16) as defined in [ISOIEC7812], (see also 511 http://en.wikipedia.org/wiki/Luhn_mod_N_algorithm). The input to the 512 calculation is the ASCII-HEX encoded hash value (i.e. "sepval" in the 513 ABNF production below) but with all "-" separator characters first 514 stripped out. This maps the ASCII-HEX so that 515 '0'=0,...'9'=9,'a'=10,...'f'=15. None of the other fields, nor any 516 "-" separators, are input when calculating the checkdigit. 518 humanname = "nih:" alg-sepval [ ";" checkdigit ] 519 alg-sepval = alg ";" sepval 520 sepval = 1*(ahlc / "-") 521 ahlc = DIGIT / "a" / "b" / "c" / "d" / "e" / "f" 522 ; DIGIT is defined in RFC 5234 and is 0-9 523 checkdigit = ahlc 525 Figure 8: Human-speakable syntax 527 For algorithms that have a Suite ID reserved (see Figure 11), the alg 528 field MAY contain the ID value as a ASCII encoded decimal number 529 instead of the hash name string (for example, "3" instead of "sha- 530 256-120"). Implementations MUST be able to match the decimal ID 531 values for the algorithms and hash lengths that they support even if 532 they do not support the binary format. 534 There is no such thing as a relative nih URI. 536 8. Examples 537 8.1. Hello World! 539 The following ni URI is generated from the text "Hello World!" 540 (without the quotes, being 12 characters), using the sha-256 541 algorithm shown with and without an authority field: 543 ni:///sha-256;f4OxZX_x_FO5LcGBSKHWXfwtSx-j1ncoSt3SABJtkGk 545 ni://example.com/sha-256;f4OxZX_x_FO5LcGBSKHWXfwtSx-j1ncoSt3SABJtkGk 547 The following HTTP URL represents a mapping from the previous ni name 548 based on the algorithm outlined above. 550 http://example.com/.well-known/ni/sha-256/ 551 f4OxZX_x_FO5LcGBSKHWXfwtSx-j1ncoSt3SABJtkGk 553 8.2. Public Key Examples 555 Given the DER-encoded SubjectPublicKeyInfo in Figure 9 we derive the 556 names shown in Figure 10 for this value. 558 0000000 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 559 0000020 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 560 0000040 00 a2 5f 83 da 9b d9 f1 7a 3a 36 67 ba fd 5a 94 561 0000060 0e cf 16 d5 5a 55 3a 5e d4 03 b1 65 8e 6d cf a3 562 0000100 b7 db a4 e7 cc 0f 52 c6 7d 35 1d c4 68 c2 bd 7b 563 0000120 9d db e4 0a d7 10 cd f9 53 20 ee 0d d7 56 6e 5b 564 0000140 7a ae 2c 5f 83 0a 19 3c 72 58 96 d6 86 e8 0e e6 565 0000160 94 eb 5c f2 90 3e f3 a8 8a 88 56 b6 cd 36 38 76 566 0000200 22 97 b1 6b 3c 9c 07 f3 4f 97 08 a1 bc 29 38 9b 567 0000220 81 06 2b 74 60 38 7a 93 2f 39 be 12 34 09 6e 0b 568 0000240 57 10 b7 a3 7b f2 c6 ee d6 c1 e5 ec ae c5 9c 83 569 0000260 14 f4 6b 58 e2 de f2 ff c9 77 07 e3 f3 4c 97 cf 570 0000300 1a 28 9e 38 a1 b3 93 41 75 a1 a4 76 3f 4d 78 d7 571 0000320 44 d6 1a e3 ce e2 5d c5 78 4c b5 31 22 2e c7 4b 572 0000340 8c 6f 56 78 5c a1 c4 c0 1d ca e5 b9 44 d7 e9 90 573 0000360 9c bc ee b0 a2 b1 dc da 6d a0 0f f6 ad 1e 2c 12 574 0000400 a2 a7 66 60 3e 36 d4 91 41 c2 f2 e7 69 39 2c 9d 575 0000420 d2 df b5 a3 44 95 48 7c 87 64 89 dd bf 05 01 ee 576 0000440 dd 02 03 01 00 01 578 0000000 53 26 90 57 e1 2f e2 b7 4b a0 7c 89 25 60 a2 d7 579 0000020 53 87 7e b6 2f f4 4d 5a 19 00 25 30 ed 97 ff e4 581 Figure 9: A SubjectPublicKeyInfo used in examples and its sha-256 582 hash 584 +-------------------------------------------------------------------+ 585 | URI: | 586 | ni:///sha-256;UyaQV-Ev4rdLoHyJJWCi11OHfrYv9E1aGQAlMO2X_-Q | 587 +-------------------------------------------------------------------+ 588 | .well-known URL (split over 2 lines): | 589 | http://example.com/.well-known/ni/sha256/ | 590 | UyaQV-Ev4rdLoHyJJWCi11OHfrYv9E1aGQAlMO2X_-Q | 591 +-------------------------------------------------------------------+ 592 | URL Segment: | 593 | sha-256;UyaQV-Ev4rdLoHyJJWCi11OHfrYv9E1aGQAlMO2X_-Q | 594 +-------------------------------------------------------------------+ 595 | Binary name (ASCII hex encoded) with 120-bit truncated hash value | 596 | which is Suite ID 0x03: | 597 | 0353 2690 57e1 2fe2 b74b a07c 8925 60a2 | 598 +-------------------------------------------------------------------+ 599 | Human-speakable form of a name for this key (truncated to 120 bits| 600 | in length) with checkdigit: | 601 | nih:sha-256-120;5326-9057-e12f-e2b7-4ba0-7c89-2560-a2;f | 602 +-------------------------------------------------------------------+ 603 | Human-speakable form of a name for this key (truncated to 32 bits | 604 | in length) with checkdigit and no "-" separators: | 605 | nih:sha-256-32;53269057;b | 606 +-------------------------------------------------------------------+ 607 | Human-speakable form using decimal presentation of the | 608 | algorithm ID (sha-256-120) with checkdigit: | 609 | nih:3;532690-57e12f-e2b74b-a07c89-2560a2;f | 610 +-------------------------------------------------------------------+ 612 Figure 10: Example Names 614 8.3. nih Usage Example 616 Alice has set up a server node with an RSA key pair. She uses an ni 617 URI as the name for the public key that corresponds to the private 618 key on that box. Alice's node might identify itself using that ni 619 URI in some protocol. 621 Bob would like to believe that its really Alice's node when his node 622 interacts with the network and asks his friend Alice to tell him what 623 public key she uses. Alice hits the "tell someone the name of the 624 public key" button on her admin user interface, and that displays the 625 nih URI and says "tell this to your buddy." She phones Bob and reads 626 the nih URI to him. 628 Bob types that in to his "manage known nodes" admin application, (or 629 lets that application listen to part of the call), which can 630 regenerate the ni URI and store that or some equivalent. Then when 631 Bob's node interacts with Alice's node it can more safely accept a 632 signature or encrypt data to Alice's node. 634 9. IANA Considerations 636 9.1. Assignment of ni URI Scheme 638 The procedures for registration of a URI scheme are specified in RFC 639 4395 [RFC4395]. The following is the proposed assignment template. 641 URI scheme name: ni 643 Status: Permanent 645 URI scheme syntax. See Section 3 647 URI scheme semantics. See Section 3 649 Encoding considerations. See Section 3 651 Applications/protocols that use this URI scheme name: General 652 applicability. 654 Interoperability considerations: Defined here. 656 Security considerations: See Section 10 658 Contact: Stephen Farrell, stephen.farrell@cs.tcd.ie 660 Author/Change controller: IETF 662 References: As specified in this document 664 9.2. Assignment of nih URI Scheme 666 The procedures for registration of a URI scheme are specified in RFC 667 4395 [RFC4395]. The following is the proposed assignment template. 669 URI scheme name: nih 671 Status: Permanent 673 URI scheme syntax. See Section 7 675 URI scheme semantics. See Section 7 677 Encoding considerations. See Section 7 678 Applications/protocols that use this URI scheme name: General 679 applicability. 681 Interoperability considerations: Defined here. 683 Security considerations: See Section 10 685 Contact: Stephen Farrell, stephen.farrell@cs.tcd.ie 687 Author/Change controller: IETF 689 References: As specified in this document 691 9.3. Assignment of .well-known 'ni' URI 693 The procedures for registration of a Well Known URI entry are 694 specified in RFC 5785 [RFC5785]. The following is the proposed 695 assignment template. 697 URI suffix: ni 699 Change controller: IETF 701 Specification document(s): This document 703 Related information: None 705 9.4. Creation of ni Hash Algorithm Registry 707 IANA is requested to create a new registry for hash algorithms as 708 used in the name formats specified here and called the "ni Hash 709 Algorithm Registry". Future assignments are to be made through 710 Expert Review [RFC5226]. This registry has five fields, the suite 711 ID, the hash algorithm name string, the truncation length, the 712 underlying algorithm reference and a status field that indicates if 713 algorithm is current or deprecated and should no longer be used. The 714 status field can have the value "current" or "deprecated". Other 715 values are reserved for possible future definition. 717 If the status is "current", then that does not necessarily mean that 718 the algorithm is "good" for any particular purpose, since the 719 cryptographic strength requirements will be set by other applications 720 or protocols. 722 A request to mark an entry as "deprecated" can be done by sending a 723 mail to the Designated Expert. Before approving the request, the 724 community MUST be consulted via a "call for comments" of at least two 725 weeks by sending a mail to the IETF discussion list. 727 Initial values are specified below. The Designated Expert SHOULD 728 generally approve additions that reference hash algorithms that are 729 widely used in other IETF protocols. In addition, the Designated 730 Expert SHOULD NOT accept additions where the underlying hash function 731 (with no truncation) is considered weak for collisions. Part of the 732 reasoning behind this last point is that inclusion of code for weak 733 hash functions, e.g. the MD5 algorithm, can trigger costly false- 734 positives if code is audited for inclusion of obsolete ciphers. 736 The suite ID field ("ID") can be empty, or can have values between 0 737 and 63, inclusive. Because there are only 64 possible values, this 738 field is OPTIONAL (leaving it empty if omitted). Where the binary 739 format is not expected to be used for a given hash algorithm, this 740 field SHOULD be omitted. If an entry is registered without a suite 741 ID, the Designated Expert MAY allow for later allocation of a suite 742 ID, if that appears warranted. The Designated Expert MAY consult the 743 community via a "call for comments" by sending a mail to the IETF 744 discussion list before allocating a suite ID. 746 ID Hash name string Value length Reference Status 747 0 Reserved 748 1 sha-256 256 bits [SHA-256] current 749 2 sha-256-128 128 bits [SHA-256] current 750 3 sha-256-120 120 bits [SHA-256] current 751 4 sha-256-96 96 bits [SHA-256] current 752 5 sha-256-64 64 bits [SHA-256] current 753 6 sha-256-32 32 bits [SHA-256] current 754 32 Reserved 756 Figure 11: Suite Identifiers 758 The Suite ID value 32 is reserved for compatibility with ORCHIDs 759 [RFC4843]. 761 The referenced hash algorithm matching to the Suite ID, truncated to 762 the length indicated, according to the description given in 763 Section 2, is used for generating the hash. The Designated Expert is 764 responsible for ensuring that the document referenced for the hash 765 algorithm meets the "specification required" rule." 767 9.5. Creation of ni Parameter Registry 769 IANA is requested to create a new registry entitled "Named 770 Information URI Parameter Definitions". 772 The policy for future assignments to the registry is Expert Review, 773 and as for the ni Hash Algorithm Registry above, the Designated 774 Expert is responsible for ensuring that the document referenced for 775 the paramater definition meets the "specification required" rule." 777 The fields in this registry are the parameter name, a description and 778 a reference. The parameter name MUST be such that it is suitable for 779 use as a query string parameter name in an ni URI. (See Section 3.) 781 The initial contents of the registry are: 783 Parameter Meaning Reference 784 ----------- -------------------------------------------- --------- 785 ct Content Type [RFC-THIS] 787 10. Security Considerations 789 No secret information is required to generate or verify a name of the 790 form described here. Therefore a name like this can only provide 791 evidence for the integrity for the referenced object and the proof of 792 integrity provided is only as good as the proof of integrity for the 793 name from which we started. In other words, the hash value can 794 provide a name-data integrity binding between the name and the bytes 795 returned when the name is de-referenced using some protocol. 797 Disclosure of a name value does not necessarily entail disclosure of 798 the referenced object but may enable an attacker to determine the 799 contents of the referenced object by reference to a search engine or 800 other data repository or, for a highly formatted object with little 801 variation, by simply guessing the value and checking if the digest 802 value matches. So the fact that these names contain hashes does not 803 protect the confidentiality of the object that was input to the hash. 805 The integrity of the referenced content would be compromised if a 806 weak hash function were used. SHA-256 is currently our preferred 807 hash algorithm which is why we've only added SHA-256 based suites to 808 the initial IANA registry. 810 If a truncated hash value is used, certain security properties will 811 be affected. In general a hash algorithm is designed to produce 812 sufficient bits to prevent a 'birthday attack' collision occurring. 813 To ensure that the difficulty of discovering two pieces of content 814 that result in the same digest with a work factor O(2^x) by brute 815 force requires a digest length of 2x. Many security applications 816 only require protection against a 2nd pre-image attack which only 817 requires a digest length of x to achieve the same work factor. 818 Basically, the shorter the hash value used, the less security benefit 819 you can possibly get. 821 An important thing to keep in mind is not to make the mistake of 822 thinking two names are the same when they aren't. For example, a 823 name with a 32 bit truncated sha-256 hash is not the same as a name 824 with the full 256 bits of hash output, even if the hash value for one 825 is a prefix of that for the other. 827 The reason for this is that if an application treats those as the 828 same name then that might open up a number of attacks. For example, 829 if I publish an object with the full hash, then I probably (in 830 general) don't want some other application to treat a name with just 831 the first 32 bits of that as referring to the same thing, since the 832 32 bit name will have lots of colliding objects. If ni or nih URIs 833 become widely used, there will be many cases where names will occur 834 more than once in application protocols, and it'll be unpredictable 835 which instance of the name would be used for name-data integrity 836 checking, leading to threats. For this reason, we require that the 837 algorithm, length and value all match before we consider two names to 838 be the same. 840 The fact that an ni URI includes a domain name in the authority field 841 by itself implies nothing about the relationship between the owner of 842 the domain name and any content referenced by that URI. While a 843 name-data integrity service can be provided using ni URIs, that does 844 not in any sense validate the authority part of the name. For 845 example, there is nothing to stop anyone creating an ni URI 846 containing a hash of someone else's content. Application developers 847 MUST NOT assume any relationship between the registrant of the domain 848 name that is part of an ni URI and some matching content just because 849 the ni URI matches that content. 851 If name-data integrity is successfully validated, and the hash is 852 strong and long enough, then the "web origin" [RFC6454] for the bytes 853 of the named object is really going to be the place from which you 854 got the ni name and not the place from which you got the bytes of the 855 object. This appears to offer a potential benefit if using ni names 856 for, for example, scripts included from a HTML page accessed via 857 server-authenticated https. If name-data integrity is not validated 858 (and it is optional), or fails, then the web origin is, as usual, the 859 place from which the object bytes were received. Applications making 860 use of ni names SHOULD take this into account in their trust models. 862 Some implementations might mis-handle ni URIs that include non-base64 863 characters, whitespace or other non-conforming strings and that could 864 lead to erroneously considering names to be the same when they are 865 not. An ni URI that is malformed in such ways MUST NOT be treated as 866 matching any other ni URI. Implementers need to check the behaviour 867 of libraries for such parsing problems. 869 11. Acknowledgements 871 This work has been supported by the EU FP7 project SAIL. The authors 872 would like to thank SAIL participants to our naming discussions, 873 especially Jean-Francois Peltier, for their input. 875 The authors would also like to thank Carsten Bormann, Martin Durst, 876 Tobias Heer, Bjoern Hoehrmann, Tero Kivinen, Barry Leiba, Larry 877 Masinter, David McGrew, Alexey Melnikov, Bob Moskowitz, Jonathan 878 Rees, Eric Rescorla, Zach Shelby, Martin Thomas, for their comments 879 and input to the document. Thanks, in particular, to James Manger 880 for correcting the examples. 882 12. References 884 12.1. Normative References 886 [I-D.ietf-appsawg-media-type-regs] 887 Freed, N., Klensin, J., and T. Hansen, "Media Type 888 Specifications and Registration Procedures", 889 draft-ietf-appsawg-media-type-regs-14 (work in progress), 890 June 2012. 892 [I-D.ietf-httpbis-p1-messaging] 893 Fielding, R., Lafon, Y., and J. Reschke, "HTTP/1.1, part 894 1: URIs, Connections, and Message Parsing", 895 draft-ietf-httpbis-p1-messaging-19 (work in progress), 896 March 2012. 898 [ISOIEC7812] 899 ISO, ""ISO/IEC 7812-1:2006 Identification cards -- 900 Identification of issuers -- Part 1: Numbering system",", 901 October 2006,