On 2011/09/30 23:40, stephen.farr...@cs.tcd.ie answered Phillip Hallam-Baker:

Only real issue for me is that it has to fit in URI type slots. The
scheme I was thinking of would be a pure URN scheme, your proposal
includes URL like things.

If you use what RFC 2396 calls the 'opaque' syntax (e.g. no slashes at all; in RFC 3986, I think slashes would even be allowed if they don't appear directly after the first ':'), then you can define a URI scheme without including host-like stuff and you don't have to use "urn:" as a prefix.

Yep. We have use-cases for that. Note though that the authority
part is optional, so a fairly bare digest is quite possible and
would look like ni:///sha256:NDVmZTMzOGVkY2Jj...

The triple slash at the beginning is a bad idea. There should only be slashes if the scheme conforms to the generic syntax (i.e. a double slash, something like a host name, and then slashes for something pathlike). Just ni:sha256:NDVmZTMzOGVkY2Jj... is way better.

Clearly, your scheme is a better way to reference external content in
a resolvable format. I have to go look at the URN and URI specs again
in detail.

I also thought about URNs but was told (by PSA I think) that those
are intended for managed name spaces and not things like this.

This recently came up on the urn mailing list. Please e.g. see
http://www.ietf.org/mail-archive/web/urn/current/msg01616.html.


I note that you have a content type, which I have but someone here was
objecting to. I consider the content type to be essential meta-data
for obvious security reasons.

I don't think Paul Hoffman, who brought this up, was objecting. He just wanted to know what it's good for. Some security reasons may be obvious for you, but not for everybody :-).

Our use-case for that is for cases where the named object actually
arrives in some wrapped form (e.g. encrypted) and you need to know
the "inner" content type. However, I could see it being used otherwise
or being dropped as things progress.

Just curious: Why would you need to know the inner content type? Wouldn't the wrapper contain that information?

Regards,   Martin.
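
The two syntaxes debated in this thread, as an added example that is not part of the original message or of any draft: the RFC 3986 Appendix B regular expression splits both the triple-slash form and the slash-free form, and shows that the former carries an empty authority component while the latter has none. The function names, the sample content, the example.com authority and the digest encoding (unpadded base64url of the raw SHA-256 value) are assumptions made for illustration.

```python
import base64
import hashlib
import re

# Generic URI splitter from RFC 3986, Appendix B.
URI_RE = re.compile(r"^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?$")


def split_ni(uri):
    """Split a digest URI into (has_authority, authority, algorithm, value)."""
    m = URI_RE.match(uri)
    scheme, authority, path = m.group(2), m.group(4), m.group(5)
    if scheme is None or scheme.lower() != "ni":
        raise ValueError("not an ni: URI")
    # group(3) is None when there is no "//" at all (the slash-free form);
    # "//" followed directly by "/" yields an empty but present authority.
    has_authority = m.group(3) is not None
    if has_authority:
        if not path.startswith("/"):
            raise ValueError("hierarchical form needs a path after the authority")
        path = path[1:]
    elif path.startswith("/"):
        raise ValueError("neither of the two forms discussed in the thread")
    algorithm, sep, value = path.partition(":")
    if not sep or not algorithm or not value:
        raise ValueError("expected <algorithm>:<value>")
    return has_authority, authority or "", algorithm, value


def matches(uri, content):
    """Check content against the digest named in uri (sha256 only here)."""
    _, _, algorithm, value = split_ni(uri)
    if algorithm != "sha256":
        raise ValueError("unsupported algorithm")
    # Assumed encoding: unpadded base64url of the raw digest.
    digest = hashlib.sha256(content).digest()
    expected = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return expected == value


# Constructed sample object and the URIs that name it.
CONTENT = b"hello websec"
VALUE = base64.urlsafe_b64encode(hashlib.sha256(CONTENT).digest()).rstrip(b"=").decode()
OPAQUE = "ni:sha256:" + VALUE                 # slash-free form
TRIPLE = "ni:///sha256:" + VALUE              # empty authority
HOSTED = "ni://example.com/sha256:" + VALUE   # authority present
```

A consumer that accepts both forms has to decide whether the slash-free and empty-authority spellings name the same object; this sketch treats them as equivalent for digest checking.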