W3C home > Mailing lists > Public > ietf-discuss@w3.org > November 2001

Re: URI resolution & safety

From: Mark Baker <distobj@acm.org>
Date: Sun, 25 Nov 2001 10:58:48 -0500 (EST)
Message-Id: <200111251558.KAA29920@markbaker.ca>
To: michael@neonym.net
Cc: paf@cisco.com (Patrik Fältström), discuss@apps.ietf.org
> But its also not enforceable by us. There was a joint IETF/W3C group
> that looked at many of the issues and problems with URIs and one
> of the recommendations we made was that registration of schemes neede
> to be made much easier for the simple reason that when someone needs
> one they 'just make one'. If you want to see the consequences take a look
> at Dan Connolly's list of currently extant but unregistered schemes:

I agree with that recommendation, but only when the scheme is already in
common use.  Is that the case for TFTP?

> http://www.w3.org/Addressing/schemes.html
> 
> None of these schemes have any review process, documentation, or
> interoperability requirements. IMHO, the best thing we can do is provide
> them a registration process that at least requires them to document their
> gross lack of security considerations. Assertions that we shouldn't
> register them because their resolution process is 'unsafe' (can you
> define that?)

Sure.  Resolution must be free from side effects.

> are really useless because there is no real, immediate
> consequence to _not_ being registered. In other words, if you do or don't
> register 'tftp:' won't really matter, everyone will still use it
> regardless of whether or not its registered.

With that, I think we've come full circle back to John's concern (which
I share) about doing it just because we can.

MB
-- 
Mark Baker, Chief Science Officer, Planetfred, Inc.
Ottawa, Ontario, CANADA.      mbaker@planetfred.com
http://www.markbaker.ca   http://www.planetfred.com
Received on Sunday, 25 November 2001 11:01:16 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 23 March 2006 20:11:29 GMT