- From: Michael Mealling <michael@neonym.net>
- Date: Sun, 25 Nov 2001 10:33:11 -0500
- To: Mark Baker <distobj@acm.org>
- Cc: Patrik Fältström <paf@cisco.com>, discuss@apps.ietf.org
On Sun, Nov 25, 2001 at 10:15:18AM -0500, Mark Baker wrote: > > This is the main reason why I want to have an easy process for registering > > URI schemes. People use URI schemes anyway, regardless of whether they are > > registered or not. I want to register all schemes, because it gives an > > ability to have a security consideration section which talk about the > > issues with the scheme. > > That's quite reasonable, but it doesn't change the fact that people (and > software) expect to be able to resolve URI without consequence. > Pointing them to a RFC saying "see, you really shouldn't have done that" > is not very helpful after the fact. 8-) But its also not enforceable by us. There was a joint IETF/W3C group that looked at many of the issues and problems with URIs and one of the recommendations we made was that registration of schemes neede to be made much easier for the simple reason that when someone needs one they 'just make one'. If you want to see the consequences take a look at Dan Connolly's list of currently extant but unregistered schemes: http://www.w3.org/Addressing/schemes.html None of these schemes have any review process, documentation, or interoperability requirements. IMHO, the best thing we can do is provide them a registration process that at least requires them to document their gross lack of security considerations. Assertions that we shouldn't register them because their resolution process is 'unsafe' (can you define that?) are really useless because there is no real, immediate consequence to _not_ being registered. In other words, if you do or don't register 'tftp:' won't really matter, everyone will still use it regardless of whether or not its registered. -MM -- -------------------------------------------------------------------------------- Michael Mealling | Vote Libertarian! | urn:pin:1 michael@neonym.net | | http://www.neonym.net
Received on Sunday, 25 November 2001 10:37:19 UTC