Re: uri handling of hosts is too restrictive from Roy T. Fielding on 2004-02-16 (uri@w3.org from February 2004)

From: Roy T. Fielding <fielding@gbiv.com>
Date: Sun, 15 Feb 2004 17:13:49 -0800
To: uri@w3.org
Message-Id: <60237892-601D-11D8-8468-000393753936@gbiv.com>

I no longer believe the claim that the authority portion of a URI
is restricted to the DNS hostname syntax.  In fact, every single
implementation I have available to me for testing proves that is
not the case.  Therefore, no such URI implementations exist from a
standards point of view, and the syntax standard should reflect
how it is actually implemented interoperably in practice: namely,
it delegates the issue of hostname syntax conformance to the
operating system, and that operating system decides what it will
allow for the purposes of host resolution.

Failure to specify that will lead to security concerns due to
ignorance of how the standard is actually implemented.

If you don't agree, then the way to correct the mistake is to
fix the operating systems.  We cannot rightly require that every
identification system on the planet go through DNS.  The only
thing we can do is what I did: explain why the DNS syntax should
be used for globally-scoped addresses.

Meanwhile, IRI has a problem: if we require that the authority be
encoded in punycode, then WINS-based Unicode service names will
cease to work.  Likewise for OS X's use of NetInfo names, and I
imagine the same will be true for the hundred other operating
systems that allow URIs to point to services not on the Internet.

I was the one arguing for the punycode syntax, mostly on the basis
that folks should not need to update bind.  That was a mistake
because it focused on only one particular use of URIs and not
on the larger scope in which they are used in practice.

I am tired of the arguments used to justify the DNS hostname syntax.
DNS itself is not restricted to that syntax, so relying on
unimplemented standards as the basis for artificially restricting
a fundamental technology like URIs just doesn't seem reasonable.
The DNS syntax only specifies the minimum for global interoperability,
and so should we.

So, the answer is that the syntax is no longer restricted to that
of DNS (as is true in practice), that percent-encoding within
the name syntax must represent UTF-8 if it is ever used (for future
compatibility), and the specification prose says that implementers
should use the syntax of DNS for globally-scoped names.

....Roy

Received on Sunday, 15 February 2004 20:12:54 UTC