Re: Browsers and .onion names from Willy Tarreau on 2015-11-27 (ietf-http-wg@w3.org from October to December 2015)

From: Willy Tarreau <w@1wt.eu>
Date: Fri, 27 Nov 2015 08:41:04 +0100
To: Mark Nottingham <mnot@mnot.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20151127074104.GA4037@1wt.eu>

On Fri, Nov 27, 2015 at 11:24:57AM +1100, Mark Nottingham wrote:
> I'm wondering specifically about browsers that don't implement the Tor protocol; so far it looks like they don't conform. A few bugs:
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1228457
> https://code.google.com/p/chromium/issues/detail?id=562265
> https://github.com/bagder/curl/issues/543
> Apple bug 23672882
> 
> I don't have a Windows box on hand, would love it if someone could test there and file a bug if appropriate.

So are we going to scan each and every DNS client that was written in the last
30 years and suddenly declare them non-compliant with a new standard that was
written *after* them and not specifically for them ?

I mean, I think it's really the first time I'm seeing bugs filed at products
for not complying with a spec they do not implement!

Similarly we could write an RFC describing how HTTP over SCTP works and then
file bugs at every HTTP client because they don't implement SCTP! That really
doesn't make sense Mark, I'm sorry. When you don't support a protocol, you
don't have any reason for having to implement its specification!

That's why I think this standard was written the reverse way : instead of
scratching one's head trying to adapt to existing infrastructure, let's
redefine how existing infrastructure should have been working and declare
all offenders bogus. I'm seeing a failure here. And the simple fact that
you started to file bugs at existing products is a proof, you will never
find all "offenders" because they work the natural way, by implementing
what they are interested in and not an exception for some obscure protocol
mentionned in an RFC they don't even know exist.

What could possibly have worked would have been to declare an addition on
top of DNS to make it possible for clients and forwarders to declare
exceptions to TLDs and make them configurable. Then this spec for Tor would
simply have relied on this and recommended to add ".onion" to the list of
exceptions. And it would have planned the fallback situation for when parts
of the infrastructure do not implement it.

Last point, given that many companies register their own names as TLDs, I
don't see why it wouldn't have been easier to register .onion as a TLD and
adjust the specification to handle this correctly.

Regards,
Willy

Received on Friday, 27 November 2015 07:41:33 UTC