Re: Request for review

On 23 August 2011 17:57, Bjoern Hoehrmann wrote:

>>Security considerations:
>>   The generic and overall URI syntax is specified in STD 66, anything
>>   else (not limited to pack:) is no URI and could cause havoc, compare
>>   <http://www.kb.cert.org/vuls/id/358017>.

> This would need to elaborate on how VU#358017 is relevant here.

A registration template isn't a good place to discuss problems caused by
non-URIs interpreted as URIs.  VU#358018 had nothing to do with "pack:";
it is an example that problems with broken URIs are not only theoretical.
I suggest removing that example instead of elaborating on it, see below.

-Frank

--------------------------------------------------------------------------
URI scheme name:
  pack
Status:
  historical
URI scheme syntax:
  There was no pack: syntax compatible with STD 66, cf.
  <http://www.ietf.org/mail-archive/web/uri-review/current/msg00678.html>,
  <http://www.ietf.org/mail-archive/web/uri-review/current/msg00548.html>.
URI scheme semantics:
  n/a due to a lack of STD 66 syntax.
Encoding considerations:
  The pack: encoding assumed US-ASCII after un-escaping percent-encoded
  characters in an encapsulated <authority> (4.c in the expired drafts)
  and case-insensitive US-ASCII in the <path> (5.c in the expired drafts).
Applications/protocols that use this URI scheme name:
  The pack: scheme could not be used as a URI scheme in applications
  or protocols.  Other uses of pack: are noted in the expired drafts.
Interoperability considerations:
  All URI schemes have to follow the generic STD 66 syntax.  As that was
  not the case for pack:, any "interoperability" would be by the chance
  of similarly broken implementations.
Security considerations:
  The generic and overall URI syntax is specified in STD 66, anything
  else (not limited to pack:) is no URI and could cause havoc.
Contact:
  <uri-review@ietf.org> and <uri@w3.org> mailing lists.
Author/Change controller:
  IESG (the transition from a "provisional" to "historical" status is
  not covered by BCP 35 section 5.3; maybe the pack: scheme could be
  simply identified as "non-URI" and removed from the scheme registry).
References:
  STD 66 (RFC 3986), I-D.shur-pack-uri-scheme-05 (same as -03 and -04).

Received on Tuesday, 23 August 2011 21:09:44 UTC