Re: Browsers and .onion names from Mark Nottingham on 2015-11-26 (ietf-http-wg@w3.org from October to December 2015)

From: Mark Nottingham <mnot@mnot.net>
Date: Fri, 27 Nov 2015 07:59:39 +1100
To: Mark Baker <distobj@acm.org>
Cc: Willy Tarreau <w@1wt.eu>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <64FF0B3A-F151-492C-A4E0-B293F68059CE@mnot.net>

> On 27 Nov 2015, at 4:08 am, Mark Baker <distobj@acm.org> wrote:
> 
> On Thu, Nov 26, 2015 at 1:54 AM, Willy Tarreau <w@1wt.eu> wrote:
>> I'm surprized that an RFC on standards track managed to redefine how
>> non-interested implementations must behave :
> 
> Wow, +1. DNS is what it is, but there are ways around it. For example,
> by defining a new URI scheme (or set thereof) which defers name
> lookups to Tor instead of (or ahead of) DNS.
> 
> It's more work up front, but seems far more likely to be successful.

This was discussed at length. .onion is much more than that, because it's possible to run not only HTTP, but also XMPP and many other protocols over it. Do we really want an explosion of http-onion, xmpp-onion, etc.? Also, leveraging that into existing software is difficult (mostly because they haven't made protocol schemes a reliable extension point).

Also, the Web already has the concept of a separation between naming and address resolution baked in. RFC7230 Section 2.7.1 says this about hostnames in HTTP URLs:

"""
If host is a registered name, the registered name is an indirect identifier for use with a name resolution service, such as DNS, to find an address for that origin server. 
"""

... which builds on how RFC3986 Section 3.2.2 talks about hostnames in URLs and URIs:

"""
The presence of a host subcomponent within a URI does not imply that the scheme requires access to the given host on the Internet.  In many cases, the host syntax is used only for the sake of reusing the existing registration process created and deployed for DNS, thus obtaining a globally unique name without the cost of deploying another registry. However, such use comes with its own costs: domain name ownership may change over time for reasons not anticipated by the URI producer.  In other cases, the data within the host component identifies a registered name that has nothing to do with an Internet host.  We use the name "host" for the ABNF rule because that is its most common purpose, not its only purpose.
"""

So .onion is just one example of this. Personally, I'd *really* prefer the Web not to be locked into one address resolution protocol (especially when you look at how problematic our current solution can be).

Cheers,

--
Mark Nottingham   https://www.mnot.net/

Received on Thursday, 26 November 2015 21:00:09 UTC