idnits 2.17.1 draft-nottingham-rfc7320bis-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([2], [3], [4], [1]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. -- The draft header indicates that this document obsoletes RFC7320, but the abstract doesn't seem to directly say this. It does mention RFC7320 though, so this could be OK. -- The draft header indicates that this document updates RFC3986, but the abstract doesn't seem to directly say this. It does mention RFC3986 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC3986, updated by this document, for RFC5378 checks: 2002-11-01) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (January 6, 2020) is 1571 days in the past. Is this intentional? Checking references for intended status: Best Current Practice ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '1' on line 413 -- Looks like a reference, but probably isn't: '2' on line 415 -- Looks like a reference, but probably isn't: '3' on line 417 -- Looks like a reference, but probably isn't: '4' on line 419 Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 8 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group M. Nottingham 3 Internet-Draft January 6, 2020 4 Obsoletes: 7320 (if approved) 5 Updates: 3986 (if approved) 6 Intended status: Best Current Practice 7 Expires: July 9, 2020 9 URI Design and Ownership 10 draft-nottingham-rfc7320bis-03 12 Abstract 14 Section 1.1.1 of RFC 3986 defines URI syntax as "a federated and 15 extensible naming system wherein each scheme's specification may 16 further restrict the syntax and semantics of identifiers using that 17 scheme." In other words, the structure of a URI is defined by its 18 scheme. While it is common for schemes to further delegate their 19 substructure to the URI's owner, publishing independent standards 20 that mandate particular forms of substructure in URIs is often 21 problematic. 23 This document provides guidance on the specification of URI 24 substructure in standards. 26 Note to Readers 28 _RFC EDITOR: please remove this section and the "URIs" section before 29 the Appendices before publication_ 31 This is a proposed revision of RFC7320, aka BCP190. The -00 draft is 32 a copy of the published RFC; subsequent revisions will update it. 34 The issues list for this draft can be found at 35 https://github.com/mnot/I-D/labels/rfc7320bis [1]. 37 The most recent (often, unpublished) draft is at 38 https://mnot.github.io/I-D/rfc7320bis/ [2]. 40 Recent changes are listed at https://github.com/mnot/I-D/commits/gh- 41 pages/rfc7320bis [3]. 43 See also the draft's current status in the IETF datatracker, at 44 https://datatracker.ietf.org/doc/draft-nottingham-rfc7320bis/ [4]. 46 Status of This Memo 48 This Internet-Draft is submitted in full conformance with the 49 provisions of BCP 78 and BCP 79. 51 Internet-Drafts are working documents of the Internet Engineering 52 Task Force (IETF). Note that other groups may also distribute 53 working documents as Internet-Drafts. The list of current Internet- 54 Drafts is at https://datatracker.ietf.org/drafts/current/. 56 Internet-Drafts are draft documents valid for a maximum of six months 57 and may be updated, replaced, or obsoleted by other documents at any 58 time. It is inappropriate to use Internet-Drafts as reference 59 material or to cite them other than as "work in progress." 61 This Internet-Draft will expire on July 9, 2020. 63 Copyright Notice 65 Copyright (c) 2020 IETF Trust and the persons identified as the 66 document authors. All rights reserved. 68 This document is subject to BCP 78 and the IETF Trust's Legal 69 Provisions Relating to IETF Documents 70 (https://trustee.ietf.org/license-info) in effect on the date of 71 publication of this document. Please review these documents 72 carefully, as they describe your rights and restrictions with respect 73 to this document. Code Components extracted from this document must 74 include Simplified BSD License text as described in Section 4.e of 75 the Trust Legal Provisions and are provided without warranty as 76 described in the Simplified BSD License. 78 Table of Contents 80 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 81 1.1. Intended Audience . . . . . . . . . . . . . . . . . . . . 4 82 1.2. Notational Conventions . . . . . . . . . . . . . . . . . 5 83 2. Best Current Practices for Standardizing Structured URIs . . 5 84 2.1. URI Schemes . . . . . . . . . . . . . . . . . . . . . . . 5 85 2.2. URI Authorities . . . . . . . . . . . . . . . . . . . . . 5 86 2.3. URI Paths . . . . . . . . . . . . . . . . . . . . . . . . 6 87 2.4. URI Queries . . . . . . . . . . . . . . . . . . . . . . . 6 88 2.5. URI Fragment Identifiers . . . . . . . . . . . . . . . . 7 89 3. Alternatives to Specifying Structure in URIs . . . . . . . . 7 90 4. Security Considerations . . . . . . . . . . . . . . . . . . . 8 91 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 92 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 93 6.1. Normative References . . . . . . . . . . . . . . . . . . 8 94 6.2. Informative References . . . . . . . . . . . . . . . . . 8 95 6.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 9 96 Appendix A. Changes from RFC7320 . . . . . . . . . . . . . . . . 9 97 Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 10 98 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 10 100 1. Introduction 102 URIs [RFC3986] very often include structured application data. This 103 might include artifacts from filesystems (often occurring in the path 104 component) and user information (often in the query component). In 105 some cases, there can even be application-specific data in the 106 authority component (e.g., some applications are spread across 107 several hostnames to enable a form of partitioning or dispatch). 109 Implementations can impose further constraints upon the structure of 110 URIs; for example, many Web servers use the filename extension of the 111 last path segment to determine the media type of the response. 112 Likewise, prepackaged applications often have highly structured URIs 113 that can only be changed in limited ways (often, just the hostname 114 and port on which they are deployed). 116 Because the owner of the URI (as defined in [webarch] 117 Section 2.2.2.1) is choosing to use the server or the application, 118 this can be seen as reasonable delegation of authority. However, 119 when such conventions are mandated by a party other than the owner, 120 it can have several potentially detrimental effects: 122 o Collisions - As more ad hoc conventions for URI structure become 123 standardized, it becomes more likely that there will be collisions 124 between them (especially considering that servers, applications, 125 and individual deployments will have their own conventions). 127 o Dilution - When the information added to a URI is ephemeral, this 128 dilutes its utility by reducing its stability (see [webarch] 129 Section 3.5.1), and can cause several alternate forms of the URI 130 to exist (see [webarch] Section 2.3.1). 132 o Rigidity - Fixed URI syntax often interferes with desired 133 deployment patterns. For example, if an authority wishes to offer 134 several applications on a single hostname, it becomes difficult to 135 impossible to do if their URIs do not allow the required 136 flexibility. 138 o Operational Difficulty - Supporting some URI conventions can be 139 difficult in some implementations. For example, specifying that a 140 particular query parameter be used with "HTTP" URIs can preclude 141 the use of Web servers that serve the response from a filesystem. 143 Likewise, an application that fixes a base path for its operation 144 (e.g., "/v1") makes it impossible to deploy other applications 145 with the same prefix on the same host. 147 o Client Assumptions - When conventions are standardized, some 148 clients will inevitably assume that the standards are in use when 149 those conventions are seen. This can lead to interoperability 150 problems; for example, if a specification documents that the "sig" 151 URI query parameter indicates that its payload is a cryptographic 152 signature for the URI, it can lead to undesirable behavior. 154 Publishing a standard that constrains an existing URI structure in 155 ways that aren't explicitly allowed by [RFC3986] (usually, by 156 updating the URI scheme definition) is therefore sometimes 157 problematic, both for these reasons, and because the structure of a 158 URI needs to be firmly under the control of its owner. 160 This document explains some best current practices for establishing 161 URI structures, conventions, and formats in standards. It also 162 offers strategies for specifications in Section 3. 164 1.1. Intended Audience 166 This document's guidelines and requirements target the authors of 167 specifications that constrain the syntax or structure of URIs or 168 parts of them. Two classes of such specifications are called out 169 specifically: 171 o Protocol Extensions ("Extensions") - specifications that offer new 172 capabilities that could apply to any identifier, or to a large 173 subset of possible identifiers; e.g., a new signature mechanism 174 for 'http' URIs, metadata for any URI, or a new format. 176 o Applications Using URIs ("Applications") - specifications that use 177 URIs to meet specific needs; e.g., an HTTP interface to particular 178 information on a host. 180 Requirements that target the generic class "Specifications" apply to 181 all specifications, including both those enumerated above and others. 183 Note that this specification ought not be interpreted as preventing 184 the allocation of control of URIs by parties that legitimately own 185 them, or have delegated that ownership; for example, a specification 186 might legitimately define the semantics of a URI on IANA's Web site 187 as part of the establishment of a registry. 189 There may be existing IETF specifications that already deviate from 190 the guidance in this document. In these cases, it is up to the 191 relevant communities (i.e., those of the URI scheme as well as that 192 which produced the specification in question) to determine an 193 appropriate outcome; e.g., updating the scheme definition, or 194 changing the specification. 196 1.2. Notational Conventions 198 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 199 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 200 "OPTIONAL" in this document are to be interpreted as described in BCP 201 14 [RFC2119] [RFC8174] when, and only when, they appear in all 202 capitals, as shown here. 204 2. Best Current Practices for Standardizing Structured URIs 206 This section updates [RFC3986] by advising Specifications how they 207 should define structure and semantics within URIs. Best practices 208 differ depending on the URI component in question, as described 209 below. 211 2.1. URI Schemes 213 Applications and Extensions can require use of specific URI 214 scheme(s); for example, it is perfectly acceptable to require that an 215 Application support 'http' and 'https' URIs. However, Applications 216 ought not preclude the use of other URI schemes in the future, unless 217 they are clearly only usable with the nominated schemes. 219 A Specification that defines substructure for URI schemes overall 220 (e.g., a prefix or suffix for URI scheme names) MUST do so by 221 modifying [BCP35] (an exceptional circumstance). 223 2.2. URI Authorities 225 Scheme definitions define the presence, format and semantics of an 226 authority component in URIs; all other Specifications MUST NOT 227 constrain, or define the structure or the semantics for URI 228 authorities, unless they update the scheme registration itself, or 229 the structures it relies upon (e.g., DNS name syntax, defined in 230 Section 3.5 of [RFC1034]). 232 For example, an Extension or Application cannot say that the "foo" 233 prefix in "http://foo_app.example.com" is meaningful or triggers 234 special handling in URIs, unless they update either the HTTP URI 235 scheme, or the DNS hostname syntax. 237 Applications can nominate or constrain the port they use, when 238 applicable. For example, BarApp could run over port nnnn (provided 239 that it is properly registered). 241 2.3. URI Paths 243 Scheme definitions define the presence, format, and semantics of a 244 path component in URIs, although these are often delegated to the 245 application(s) in a given deployment. 247 To avoid collisions, rigidity, and erroneous client assumptions, 248 Specifications MUST NOT define a fixed prefix for their URI paths; 249 for example, "/myapp", unless allowed by the scheme definition. 251 One such exception to this requirement is registered "well-known" 252 URIs, as specified by [RFC8615]. See that document for a description 253 of the applicability of that mechanism. 255 Note that this does not apply to Applications defining a structure of 256 URIs paths "under" a resource controlled by the server. Because the 257 prefix is under control of the party deploying the application, 258 collisions and rigidity are avoided, and the risk of erroneous client 259 assumptions is reduced. 261 For example, an Application might define "app_root" as a deployment- 262 controlled URI prefix. Application-defined resources might then be 263 assumed to be present at "{app_root}/foo" and "{app_root}/bar". 265 Extensions MUST NOT define a structure within individual URI 266 components (e.g., a prefix or suffix), again to avoid collisions and 267 erroneous client assumptions. 269 2.4. URI Queries 271 The presence, format and semantics of the query component of URIs is 272 dependent upon many factors, and can be constrained by a scheme 273 definition. Often, they are determined by the implementation of a 274 resource itself. 276 Applications can specify the syntax of queries for the resources 277 under their control. However, doing so can cause operational 278 difficulties for deployments that do not support a particular form of 279 a query. For example, a site may wish to support an Application 280 using "static" files that do not support query parameters. 282 Extensions MUST NOT constrain the format or semantics of queries, to 283 avoid collisions and erroneous client assumptions. For example, an 284 Extension that indicates that all query parameters with the name 285 "sig" indicate a cryptographic signature would collide with 286 potentially preexisting query parameters on sites and lead clients to 287 assume that any matching query parameter is a signature. 289 HTML [W3C.REC-html401-19991224] constrains the syntax of query 290 strings used in form submission. New form languages are encouraged 291 to allow creation of a broader variety of URIs (e.g., by allowing the 292 form to create new path components, and so forth). 294 2.5. URI Fragment Identifiers 296 Section 3.5 of [RFC3986] specifies fragment identifiers' syntax and 297 semantics as being dependent upon the media type of a potentially 298 retrieved resource. As a result, other Specifications MUST NOT 299 define structure within the fragment identifier, unless they are 300 explicitly defining one for reuse by media types in their definitions 301 (for example, as JSON Pointer [RFC6901] does). 303 An Application that defines common fragment identifiers across media 304 types not controlled by it would engender interoperability problems 305 with handlers for those media types (because the new, non-standard 306 syntax is not expected). 308 3. Alternatives to Specifying Structure in URIs 310 Given the issues described in Section 1, the most successful strategy 311 for Applications and Extensions that wish to use URIs is to use them 312 in the fashion they were designed: as links that are exchanged as 313 part of the protocol, rather than statically specified syntax. 314 Several existing specifications can aid in this. 316 [RFC8288] specifies relation types for Web links. By providing a 317 framework for linking on the Web, where every link has a relation 318 type, context and target, it allows Applications to define a link's 319 semantics and connectivity. 321 [RFC6570] provides a standard syntax for URI Templates that can be 322 used to dynamically insert Application-specific variables into a URI 323 to enable such Applications while avoiding impinging upon URI owners' 324 control of them. 326 [RFC8615] allows specific paths to be 'reserved' for standard use on 327 URI schemes that opt into that mechanism ('http' and 'https' by 328 default). Note, however, that this is not a general "escape valve" 329 for applications that need structured URIs; see that specification 330 for more information. 332 Specifying more elaborate structures in an attempt to avoid 333 collisions is not an acceptable solution, and does not address the 334 issues in Section 1. For example, prefixing query parameters with 335 "myapp_" does not help, because the prefix itself is subject to the 336 risk of collision (since it is not "reserved"). 338 4. Security Considerations 340 This document does not introduce new protocol artifacts with security 341 considerations. It prohibits some practices that might lead to 342 vulnerabilities; for example, if a security-sensitive mechanism is 343 introduced by assuming that a URI path component or query string has 344 a particular meaning, false positives might be encountered (due to 345 sites that already use the chosen string). See also [RFC6943]. 347 5. IANA Considerations 349 There are no direct IANA actions specified in this document. 351 6. References 353 6.1. Normative References 355 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 356 Requirement Levels", BCP 14, RFC 2119, 357 DOI 10.17487/RFC2119, March 1997, 358 . 360 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 361 Resource Identifier (URI): Generic Syntax", STD 66, 362 RFC 3986, DOI 10.17487/RFC3986, January 2005, 363 . 365 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 366 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 367 May 2017, . 369 [webarch] Jacobs, I. and N. Walsh, "Architecture of the World Wide 370 Web, Volume One", December 2004, 371 . 373 6.2. Informative References 375 [BCP35] Thaler, D., Hansen, T., and T. Hardie, "Guidelines and 376 Registration Procedures for New URI Schemes", BCP 35, 377 RFC 7595, June 2015, . 379 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 380 STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, 381 . 383 [RFC6570] Gregorio, J., Fielding, R., Hadley, M., Nottingham, M., 384 and D. Orchard, "URI Template", RFC 6570, 385 DOI 10.17487/RFC6570, March 2012, 386 . 388 [RFC6901] Bryan, P., Ed., Zyp, K., and M. Nottingham, Ed., 389 "JavaScript Object Notation (JSON) Pointer", RFC 6901, 390 DOI 10.17487/RFC6901, April 2013, 391 . 393 [RFC6943] Thaler, D., Ed., "Issues in Identifier Comparison for 394 Security Purposes", RFC 6943, DOI 10.17487/RFC6943, May 395 2013, . 397 [RFC8288] Nottingham, M., "Web Linking", RFC 8288, 398 DOI 10.17487/RFC8288, October 2017, 399 . 401 [RFC8615] Nottingham, M., "Well-Known Uniform Resource Identifiers 402 (URIs)", RFC 8615, DOI 10.17487/RFC8615, May 2019, 403 . 405 [W3C.REC-html401-19991224] 406 Raggett, D., Hors, A., and I. Jacobs, "HTML 4.01 407 Specification", World Wide Web Consortium Recommendation 408 REC-html401-19991224, December 1999, 409 . 411 6.3. URIs 413 [1] https://github.com/mnot/I-D/labels/rfc7320bis 415 [2] https://mnot.github.io/I-D/rfc7320bis/ 417 [3] https://github.com/mnot/I-D/commits/gh-pages/rfc7320bis 419 [4] https://datatracker.ietf.org/doc/draft-nottingham-rfc7320bis/ 421 Appendix A. Changes from RFC7320 423 Many of the requirements of RFC7320 were removed, in the spirit of 424 making this BCP guidance, rather than rules. 426 Appendix B. Acknowledgments 428 Thanks to David Booth, Dave Crocker, Tim Bray, Anne van Kesteren, 429 Martin Thomson, Erik Wilde, Dave Thaler and Barry Leiba for their 430 suggestions and feedback. 432 Author's Address 434 Mark Nottingham 436 Email: mnot@mnot.net 437 URI: https://www.mnot.net/