idnits 2.17.1 draft-nottingham-rfc7320bis-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([2], [3], [4], [1]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. -- The draft header indicates that this document obsoletes RFC7320, but the abstract doesn't seem to directly say this. It does mention RFC7320 though, so this could be OK. -- The draft header indicates that this document updates RFC3986, but the abstract doesn't seem to directly say this. It does mention RFC3986 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC3986, updated by this document, for RFC5378 checks: 2002-11-01) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (August 20, 2019) is 1710 days in the past. Is this intentional? Checking references for intended status: Best Current Practice ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '1' on line 393 -- Looks like a reference, but probably isn't: '2' on line 395 -- Looks like a reference, but probably isn't: '3' on line 397 -- Looks like a reference, but probably isn't: '4' on line 399 -- Obsolete informational reference (is this intentional?): RFC 4395 (ref. 'BCP115') (Obsoleted by RFC 7595) -- Obsolete informational reference (is this intentional?): RFC 5785 (Obsoleted by RFC 8615) -- Obsolete informational reference (is this intentional?): RFC 5988 (Obsoleted by RFC 8288) Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 11 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group M. Nottingham 3 Internet-Draft August 20, 2019 4 Obsoletes: 7320 (if approved) 5 Updates: 3986 (if approved) 6 Intended status: Best Current Practice 7 Expires: February 21, 2020 9 URI Design and Ownership 10 draft-nottingham-rfc7320bis-00 12 Abstract 14 Section 1.1.1 of RFC 3986 defines URI syntax as "a federated and 15 extensible naming system wherein each scheme's specification may 16 further restrict the syntax and semantics of identifiers using that 17 scheme." In other words, the structure of a URI is defined by its 18 scheme. While it is common for schemes to further delegate their 19 substructure to the URI's owner, publishing independent standards 20 that mandate particular forms of URI substructure is inappropriate, 21 because that essentially usurps ownership. This document further 22 describes this problematic practice and provides some acceptable 23 alternatives for use in standards. 25 Note to Readers 27 _RFC EDITOR: please remove this section before publication_ 29 This is a proposed revision of RFC7320, aka BCP190. The -00 draft is 30 a copy of the published RFC; subsequent revisions will update it. 32 The issues list for this draft can be found at 33 https://github.com/mnot/I-D/labels/rfc7320 [1]. 35 The most recent (often, unpublished) draft is at 36 https://mnot.github.io/I-D/rfc7320/ [2]. 38 Recent changes are listed at https://github.com/mnot/I-D/commits/gh- 39 pages/rfc7320 [3]. 41 See also the draft's current status in the IETF datatracker, at 42 https://datatracker.ietf.org/doc/draft-nottingham-rfc7320/ [4]. 44 Status of This Memo 46 This Internet-Draft is submitted in full conformance with the 47 provisions of BCP 78 and BCP 79. 49 Internet-Drafts are working documents of the Internet Engineering 50 Task Force (IETF). Note that other groups may also distribute 51 working documents as Internet-Drafts. The list of current Internet- 52 Drafts is at https://datatracker.ietf.org/drafts/current/. 54 Internet-Drafts are draft documents valid for a maximum of six months 55 and may be updated, replaced, or obsoleted by other documents at any 56 time. It is inappropriate to use Internet-Drafts as reference 57 material or to cite them other than as "work in progress." 59 This Internet-Draft will expire on February 21, 2020. 61 Copyright Notice 63 Copyright (c) 2019 IETF Trust and the persons identified as the 64 document authors. All rights reserved. 66 This document is subject to BCP 78 and the IETF Trust's Legal 67 Provisions Relating to IETF Documents 68 (https://trustee.ietf.org/license-info) in effect on the date of 69 publication of this document. Please review these documents 70 carefully, as they describe your rights and restrictions with respect 71 to this document. Code Components extracted from this document must 72 include Simplified BSD License text as described in Section 4.e of 73 the Trust Legal Provisions and are provided without warranty as 74 described in the Simplified BSD License. 76 Table of Contents 78 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 79 1.1. Intended Audience . . . . . . . . . . . . . . . . . . . . 4 80 1.2. Notational Conventions . . . . . . . . . . . . . . . . . 5 81 2. Best Current Practices for Standardizing Structured URIs . . 5 82 2.1. URI Schemes . . . . . . . . . . . . . . . . . . . . . . . 5 83 2.2. URI Authorities . . . . . . . . . . . . . . . . . . . . . 5 84 2.3. URI Paths . . . . . . . . . . . . . . . . . . . . . . . . 5 85 2.4. URI Queries . . . . . . . . . . . . . . . . . . . . . . . 6 86 2.5. URI Fragment Identifiers . . . . . . . . . . . . . . . . 7 87 3. Alternatives to Specifying Structure in URIs . . . . . . . . 7 88 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 89 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 90 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 91 6.1. Normative References . . . . . . . . . . . . . . . . . . 8 92 6.2. Informative References . . . . . . . . . . . . . . . . . 8 93 6.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 9 94 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 9 95 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 9 97 1. Introduction 99 URIs [RFC3986] very often include structured application data. This 100 might include artifacts from filesystems (often occurring in the path 101 component) and user information (often in the query component). In 102 some cases, there can even be application-specific data in the 103 authority component (e.g., some applications are spread across 104 several hostnames to enable a form of partitioning or dispatch). 106 Furthermore, constraints upon the structure of URIs can be imposed by 107 an implementation; for example, many Web servers use the filename 108 extension of the last path segment to determine the media type of the 109 response. Likewise, prepackaged applications often have highly 110 structured URIs that can only be changed in limited ways (often, just 111 the hostname and port on which they are deployed). 113 Because the owner of the URI (as defined in [webarch] 114 Section 2.2.2.1) is choosing to use the server or the application, 115 this can be seen as reasonable delegation of authority. However, 116 when such conventions are mandated by a party other than the owner, 117 it can have several potentially detrimental effects: 119 o Collisions - As more ad hoc conventions for URI structure become 120 standardized, it becomes more likely that there will be collisions 121 between them (especially considering that servers, applications, 122 and individual deployments will have their own conventions). 124 o Dilution - When the information added to a URI is ephemeral, this 125 dilutes its utility by reducing its stability (see [webarch] 126 Section 3.5.1), and can cause several alternate forms of the URI 127 to exist (see [webarch] Section 2.3.1). 129 o Rigidity - Fixed URI syntax often interferes with desired 130 deployment patterns. For example, if an authority wishes to offer 131 several applications on a single hostname, it becomes difficult to 132 impossible to do if their URIs do not allow the required 133 flexibility. 135 o Operational Difficulty - Supporting some URI conventions can be 136 difficult in some implementations. For example, specifying that a 137 particular query parameter be used with "HTTP" URIs precludes the 138 use of Web servers that serve the response from a filesystem. 139 Likewise, an application that fixes a base path for its operation 140 (e.g., "/v1") makes it impossible to deploy other applications 141 with the same prefix on the same host. 143 o Client Assumptions - When conventions are standardized, some 144 clients will inevitably assume that the standards are in use when 145 those conventions are seen. This can lead to interoperability 146 problems; for example, if a specification documents that the "sig" 147 URI query parameter indicates that its payload is a cryptographic 148 signature for the URI, it can lead to undesirable behavior. 150 Publishing a standard that constrains an existing URI structure in 151 ways that aren't explicitly allowed by [RFC3986] (usually, by 152 updating the URI scheme definition) is inappropriate, because the 153 structure of a URI needs to be firmly under the control of its owner, 154 and the IETF (as well as other organizations) should not usurp it. 156 This document explains some best current practices for establishing 157 URI structures, conventions, and formats in standards. It also 158 offers strategies for specifications to avoid violating these 159 guidelines in Section 3. 161 1.1. Intended Audience 163 This document's requirements target the authors of specifications 164 that constrain the syntax or structure of URIs or parts of them. Two 165 classes of such specifications are called out specifically: 167 o Protocol Extensions ("extensions") - specifications that offer new 168 capabilities that could apply to any identifier, or to a large 169 subset of possible identifiers; e.g., a new signature mechanism 170 for 'http' URIs, or metadata for any URI. 172 o Applications Using URIs ("applications") - specifications that use 173 URIs to meet specific needs; e.g., an HTTP interface to particular 174 information on a host. 176 Requirements that target the generic class "Specifications" apply to 177 all specifications, including both those enumerated above and others. 179 Note that this specification ought not be interpreted as preventing 180 the allocation of control of URIs by parties that legitimately own 181 them, or have delegated that ownership; for example, a specification 182 might legitimately define the semantics of a URI on IANA's Web site 183 as part of the establishment of a registry. 185 There may be existing IETF specifications that already deviate from 186 the guidance in this document. In these cases, it is up to the 187 relevant communities (i.e., those of the URI scheme as well as that 188 which produced the specification in question) to determine an 189 appropriate outcome; e.g., updating the scheme definition, or 190 changing the specification. 192 1.2. Notational Conventions 194 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 195 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 196 document are to be interpreted as described in [RFC2119]. 198 2. Best Current Practices for Standardizing Structured URIs 200 This section updates [RFC3986] by setting limitations on how other 201 specifications may define structure and semantics within URIs. Best 202 practices differ depending on the URI component, as described below. 204 2.1. URI Schemes 206 Applications and extensions MAY require use of specific URI 207 scheme(s); for example, it is perfectly acceptable to require that an 208 application support 'http' and 'https' URIs. However, applications 209 SHOULD NOT preclude the use of other URI schemes in the future, 210 unless they are clearly only usable with the nominated schemes. 212 A specification that defines substructure within a specific URI 213 scheme MUST do so in the defining document for that URI scheme. A 214 specification that defines substructure for URI schemes overall MUST 215 do so by modifying [BCP115] (an exceptional circumstance). 217 2.2. URI Authorities 219 Scheme definitions define the presence, format and semantics of an 220 authority component in URIs; all other specifications MUST NOT 221 constrain, or define the structure or the semantics for URI 222 authorities, unless they update the scheme registration itself. 224 For example, an extension or application ought not say that the "foo" 225 prefix in "foo_app.example.com" is meaningful or triggers special 226 handling in URIs. 228 However, applications MAY nominate or constrain the port they use, 229 when applicable. For example, BarApp could run over port nnnn 230 (provided that it is properly registered). 232 2.3. URI Paths 234 Scheme definitions define the presence, format, and semantics of a 235 path component in URIs; all other specifications MUST NOT constrain, 236 or define the structure or the semantics for any path component. 238 The only exception to this requirement is registered "well-known" 239 URIs, as specified by [RFC5785]. See that document for a description 240 of the applicability of that mechanism. 242 For example, an application ought not specify a fixed URI path 243 "/myapp", since this usurps the host's control of that space. 245 Specifying a fixed path relative to another (e.g., {whatever}/myapp) 246 is also bad practice (even if "whatever" is discovered as suggested 247 in Section 3); while doing so might prevent collisions, it does not 248 avoid the potential for operational difficulties (for example, an 249 implementation that prefers to use query processing instead, because 250 of implementation constraints). 252 2.4. URI Queries 254 The presence, format and semantics of the query component of URIs is 255 dependent upon many factors, and MAY be constrained by a scheme 256 definition. Often, they are determined by the implementation of a 257 resource itself. 259 Applications MUST NOT directly specify the syntax of queries, as this 260 can cause operational difficulties for deployments that do not 261 support a particular form of a query. For example, a site may wish 262 to support an application using "static" files that do not support 263 query parameters. 265 Extensions MUST NOT constrain the format or semantics of queries. 267 For example, an extension that indicates that all query parameters 268 with the name "sig" indicate a cryptographic signature would collide 269 with potentially preexisting query parameters on sites and lead 270 clients to assume that any matching query parameter is a signature. 272 HTML [W3C.REC-html401-19991224] constrains the syntax of query 273 strings used in form submission. New form languages SHOULD NOT 274 emulate it, but instead allow creation of a broader variety of URIs 275 (e.g., by allowing the form to create new path components, and so 276 forth). 278 Note that "well-known" URIs (see [RFC5785]) MAY constrain their own 279 query syntax, since these name spaces are effectively delegated to 280 the registering party. 282 2.5. URI Fragment Identifiers 284 Media type definitions (as per [RFC6838]) SHOULD specify the fragment 285 identifier syntax(es) to be used with them; other specifications MUST 286 NOT define structure within the fragment identifier, unless they are 287 explicitly defining one for reuse by media type definitions. 289 For example, an application that defines common fragment identifiers 290 across media types not controlled by it would engender 291 interoperability problems with handlers for those media types 292 (because the new, non-standard syntax is not expected). 294 3. Alternatives to Specifying Structure in URIs 296 Given the issues described in Section 1, the most successful strategy 297 for applications and extensions that wish to use URIs is to use them 298 in the fashion they were designed: as links that are exchanged as 299 part of the protocol, rather than statically specified syntax. 300 Several existing specifications can aid in this. 302 [RFC5988] specifies relation types for Web links. By providing a 303 framework for linking on the Web, where every link has a relation 304 type, context and target, it allows applications to define a link's 305 semantics and connectivity. 307 [RFC6570] provides a standard syntax for URI Templates that can be 308 used to dynamically insert application-specific variables into a URI 309 to enable such applications while avoiding impinging upon URI owners' 310 control of them. 312 [RFC5785] allows specific paths to be 'reserved' for standard use on 313 URI schemes that opt into that mechanism ('http' and 'https' by 314 default). Note, however, that this is not a general "escape valve" 315 for applications that need structured URIs; see that specification 316 for more information. 318 Specifying more elaborate structures in an attempt to avoid 319 collisions is not an acceptable solution, and does not address the 320 issues in Section 1. For example, prefixing query parameters with 321 "myapp_" does not help, because the prefix itself is subject to the 322 risk of collision (since it is not "reserved"). 324 4. Security Considerations 326 This document does not introduce new protocol artifacts with security 327 considerations. It prohibits some practices that might lead to 328 vulnerabilities; for example, if a security-sensitive mechanism is 329 introduced by assuming that a URI path component or query string has 330 a particular meaning, false positives might be encountered (due to 331 sites that already use the chosen string). See also [RFC6943]. 333 5. IANA Considerations 335 There are no direct IANA actions specified in this document. 337 6. References 339 6.1. Normative References 341 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 342 Requirement Levels", BCP 14, RFC 2119, 343 DOI 10.17487/RFC2119, March 1997, 344 . 346 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 347 Resource Identifier (URI): Generic Syntax", STD 66, 348 RFC 3986, DOI 10.17487/RFC3986, January 2005, 349 . 351 [RFC6838] Freed, N., Klensin, J., and T. Hansen, "Media Type 352 Specifications and Registration Procedures", BCP 13, 353 RFC 6838, DOI 10.17487/RFC6838, January 2013, 354 . 356 [webarch] Jacobs, I. and N. Walsh, "Architecture of the World Wide 357 Web, Volume One", December 2004, 358 . 360 6.2. Informative References 362 [BCP115] Hansen, T., Hardie, T., and L. Masinter, "Guidelines and 363 Registration Procedures for New URI Schemes", RFC 4395, 364 BCP 115, February 2006, 365 . 367 [RFC5785] Nottingham, M. and E. Hammer-Lahav, "Defining Well-Known 368 Uniform Resource Identifiers (URIs)", RFC 5785, 369 DOI 10.17487/RFC5785, April 2010, 370 . 372 [RFC5988] Nottingham, M., "Web Linking", RFC 5988, 373 DOI 10.17487/RFC5988, October 2010, 374 . 376 [RFC6570] Gregorio, J., Fielding, R., Hadley, M., Nottingham, M., 377 and D. Orchard, "URI Template", RFC 6570, 378 DOI 10.17487/RFC6570, March 2012, 379 . 381 [RFC6943] Thaler, D., Ed., "Issues in Identifier Comparison for 382 Security Purposes", RFC 6943, DOI 10.17487/RFC6943, May 383 2013, . 385 [W3C.REC-html401-19991224] 386 Raggett, D., Hors, A., and I. Jacobs, "HTML 4.01 387 Specification", World Wide Web Consortium Recommendation 388 REC-html401-19991224, December 1999, 389 . 391 6.3. URIs 393 [1] https://github.com/mnot/I-D/labels/rfc7320 395 [2] https://mnot.github.io/I-D/rfc7320/ 397 [3] https://github.com/mnot/I-D/commits/gh-pages/rfc7320 399 [4] https://datatracker.ietf.org/doc/draft-nottingham-rfc7320/ 401 Appendix A. Acknowledgments 403 Thanks to David Booth, Dave Crocker, Tim Bray, Anne van Kesteren, 404 Martin Thomson, Erik Wilde, Dave Thaler and Barry Leiba for their 405 suggestions and feedback. 407 Author's Address 409 Mark Nottingham 411 Email: mnot@mnot.net 412 URI: https://www.mnot.net/