Re: URI resolution & safety

On Sun, Nov 25, 2001 at 10:15:18AM -0500, Mark Baker wrote:
> > This is the main reason why I want to have an easy process for registering
> > URI schemes. People use URI schemes anyway, regardless of whether they are
> > registered or not. I want to register all schemes, because it gives an
> > ability to have a security consideration section which talk about the
> > issues with the scheme.
> 
> That's quite reasonable, but it doesn't change the fact that people (and
> software) expect to be able to resolve URI without consequence.
> Pointing them to a RFC saying "see, you really shouldn't have done that"
> is not very helpful after the fact. 8-)

But its also not enforceable by us. There was a joint IETF/W3C group
that looked at many of the issues and problems with URIs and one
of the recommendations we made was that registration of schemes neede
to be made much easier for the simple reason that when someone needs
one they 'just make one'. If you want to see the consequences take a look
at Dan Connolly's list of currently extant but unregistered schemes:

http://www.w3.org/Addressing/schemes.html

None of these schemes have any review process, documentation, or
interoperability requirements. IMHO, the best thing we can do is provide
them a registration process that at least requires them to document their
gross lack of security considerations. Assertions that we shouldn't
register them because their resolution process is 'unsafe' (can you
define that?) are really useless because there is no real, immediate
consequence to _not_ being registered. In other words, if you do or don't
register 'tftp:' won't really matter, everyone will still use it
regardless of whether or not its registered.

-MM

-- 
--------------------------------------------------------------------------------
Michael Mealling	|      Vote Libertarian!       | urn:pin:1
michael@neonym.net      |                              | http://www.neonym.net

Received on Sunday, 25 November 2001 10:37:19 UTC