On 13-Sep-22 12:00, Mark Nottingham wrote:
Hello,
I appreciate the effort that the authors and WG have put into this document, and I don't have any substantial technical issues with the document as written (although I have not reviewed it deeply).
That said, the IESG needs to consider this publication carefully. The targeted implementers (web browsers) have very clearly said they will not be implementing. From their issue of record:
Mark, that was then. People are now beginning to wake up to the fact that this is actually wanted by quite a lot of ops and support staff. It will change (the status as a Firefox "defect" has recently changed to "enhancement", for example) and the reason we need this on record as an RFC is so that, as the need becomes compelling, there will be an unambiguous basis for all implementers.
Overall, our internal consensus is that <zone_id>'s are bonkers on many grounds - the technical ambiguity (and RFC 6874 doesn't really resolve the ambiguity as much as it fully owns it and just says #YOLOSWAG) - and supporting them would add a lot of complexity for what is explicitly and admittedly a limited value use case.
That's OBE. And there isn't any technical ambiguity that I'm aware of. (What may be confusing is that the "zone identifiers" are utterly non-standardised beyond being an ASCII string, so there is no way for a parser to validate them; only the o/s can do that.)
-- <https://www.w3.org/Bugs/Public/show_bug.cgi?id=27234#c2>
And, in their URL specification:
Support for <zone_id> is intentionally omitted.
-- <https://url.spec.whatwg.org/#host-representation>
This is not just a question of getting them interested, nor one of resourcing. As their discussion points out, there are likely a number of additional security and user interface issues which would need to be addressed.
It's unclear that any of those issues remain in the bis. There were certainly issues of that kind in RFC6874 itself.
The Shepherd Writeup says that has been circulated with the W3C TAG, the HTTP WG, and the ART area.
The TAG review was requested less than an hour ago:
https://github.com/w3ctag/design-reviews/issues/774
At a minimum, the IESG should allow that process to complete. Given the size of their queue, this may take some time.
In the HTTP WG, I only see two relevant messages:
https://www.w3.org/mid/CAPxZtjHf29s-b8M68uAcphpznbqBhjgfw0EYZHi__0DitE-i6Q@xxxxxxxxxxxxxx
I wouldn't characterise this as a review.
I couldn't find any relevant messages on the ART list in the last two years. If I've missed something in either case, pointers would be appreciated.
It's been raised in DISPATCH more than once, most recently during the 6MAN adoption call in February 2022. I don't recall that anyone in DISPATCH suggested raising it on ART or HTTP. I thought that's what IETF Last Call was for, anyway.
The questions that I think the IESG needs to address in evaluating this document are:
1. Should we be publishing a document where there is zero demonstrated implementation interest, and furthermore significant implementer concerns (as outlined above)?
Those concerns are what prompted this bis document to be written. The whole point of specifying it now is to avoid divergent implementations when the need is recognised.
If it had been as easy a fix for Firefox as it turned out to be for wget, I'd have implemented it myself. But in any case, it's now on for Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=700999#c94
(It's a two-line fix in wget. Sadly, the Firefox parsers (plural) are too complex for ordinary mortals to patch in a reasonably short time.)
2. Should lower-layer WGs be documenting how higher-layer protocols actually use the lower layer constructs, without buy-in or substantial review from those higher layer communities?
Yes, because if we don't nobody else will. And we've exposed this work to review both via DISPATCH and over at WHATWG (https://github.com/whatwg/url/issues/392#issuecomment-873744002), not to mention on the issue trackers for both Firefox and Waterfox.
3. If so, what precedent does that set for the network determining how applications use it? Here, I'm particularly concerned about the struggles regarding security and privacy between the layers.
I don't see any kind of precedent here. The tail sometimes wags the dog, but I am at loss to see which is the tail and which is the dog in this case.
As far as we're aware of any *new* security or privacy issues, they're discussed in the draft. Substantive comments are of course welcome.
4. Given the above, will publishing this document impact the IETF's credibility/legitimacy in the eyes of browser implementers and other communities?
Yes. It will show that we admit and fix our mistakes.
Brian
Cheers,
--
Mark Nottingham https://www.mnot.net/
--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
