]> The "dereferenceable identifier" pattern Universität Bremen TZI
Postfach 330440 Bremen D-28359 Germany +49-421-218-63921 cabo@tzi.org
Austria christian@amsuess.com
Thing-to-Thing Research Group Internet-Draft In a protocol or an application environment, it is often important to be able to create unambiguous identifiers for some meaning (concept or some entity). Due to the simplicity of creating URIs, these have become popular for this purpose. Beyond the purpose of identifiers to be uniquely associated with a meaning, some of these URIs are in principle dereferenceable, so something can be placed that can be retrieved when encountering such a URI. The present -00 version is a stub to draw some attention to the opportunity that this pattern would benefit from a common description, documenting its benefits and pitfalls, and some mitigations for the latter. About This Document Status information for this document may be found at . Discussion of this document takes place on the t2trg Research Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .
Introduction (Please see abstract.)
Terminology Identifier Dereferenceable Dereference
Information:
The information that is retrieved by dereferencing a dereferenceable identifier.
Operator:
Dereferencing requires some server infrastructure to actually provide the information. Simplifying the potential complexity of this infrastructure, the entity (entities) controlling the operation of this server infrastructure, including the name spaces in use (e.g., DNS names, URI paths on a server) are called the operator(s) of the dereferenceable identifier.
Directed:
A directed identifier is an identifier that has been specifically minted to not just identify the intended entity, but also context information such as the intended use, or intended consumer of the identifier.
Directed information is information that is tailored to the implicit context of a specific dereferencing access, such as the accessing IP address or other ancillary parameters. (Content negotiation alone is not "directed information", as it is explicitly triggered by the dereferencing entity.)
Unique:
A unique identifier is an identifier that is unique for the entity; i.e., no other identifiers are in use (or intended to be in use).
Examples for "dereferenceable identifiers" This section is intended to present a number of examples where dereferenceable identifiers are in use in a protocol, including existing discussion about constraints on their usage, the benefits claimed for this constrained usage, and remaining issues.
Protocol and Protocol Version identifiers Many protocols based on XML or JSON include a protocol or protocol version identifier in the heading to a data item. E.g., defines a language for data models that contain an identifier to the language version in use, here https://json-schema.org/draft/2020-12/schema. The model that can be retrieved from this URI in turn contains further dereferenceable identifiers that point to further details. has this:
If this URI identifies a retrievable resource, that resource SHOULD be of media type "application/schema+json".
So it acknowledges that the dereferenceability is optional, but does place further restrictions on what can be the result of a successful dereference: another one of these data models, which in turn contain further dereferenceable identifiers.
Concept identifiers The problem details format uses a dereferenceable identifier for its "type" field. The value is a URI that "identifies the specific "problem type" (e.g., "out of credit")" (). has this:
If the type URI is a locator (e.g., those with a "http" or "https" scheme), dereferencing it SHOULD provide human-readable documentation for the problem type (e.g., using HTML ).
but then warns:
However, consumers SHOULD NOT automatically dereference the type URI, unless they do so when providing information to developers (e.g., when a debugging tool is in use).
further details:
A problem's type URI SHOULD resolve to HTML documentation that explains how to resolve the problem.
This becomes even more interesting as then gives this advice:
Registrations MAY use the prefix "https://iana.org/assignments/http-problem-types#" for the type URI.
A reference to the place where registrations for these items are managed is certainly desirable, however, the implications on the management of fragment identifiers in the HTML documents that IANA generates from registration information are an example for the increased complexity dereferenceable identifiers may place on the owners of the URI space employed.
MORE EXAMPLES There are a lot more examples in published RFCs; add them to this document.
Pitfalls
Server overload If a data item containing dereferenceable identifier(s) becomes widely distributed, naive implementations that handle such a data item might dereference these identifiers as part of a routine operation. Many definitions of dereferenceable identifiers contain admonitions that such a behavior can cause an implosion of requests on the server(s) for the URI.
Longevity of identifiers Dereferenceable URIs usually contain domain names, whose ownership can change. As a result, and for other reasons as well, parts of the name space of an origin may come under new administration, which can change the policies that apply to resources made available there. These are problems of such URIs in general (and can be mitigated by going to a non-dereferenceable kind of URIs such as one based on the 'tag' uri scheme ). However, the problems are exacerbated by their use as a dereferenceable identifier. The new owner/administrator might more easily accept that a certain chunk of their URI space should not be used (which suffices for a non-dereferenceable identifier based on this kind of URI namespace) than that certain content needs to be offered there (potentially presenting non-trivial loads, some mechanisms needed to update that information, and legal liabilities that are hard to assess).
Redirect ambiguities Dereferencing an identifier may involve following some redirections; whether that following is actually implied, or desired (or even desirable) is rarely being discussed.
IANA Considerations This document makes no concrete requests on IANA, but does point out that IANA resources might be a good target for a certain class of dereferenceable identifiers.
Security considerations The ability to create a denial of service attack by pointing a dereferenceable identifier into a popular data item that is widely distributed is implied by the discussion in , alongside with some recommendations for implementers that would mitigate such attacks. A problem with such recommendations is that they need to be followed by implementations that are using dereferenceable identifiers, which might not care much.
Privacy considerations Dereferencing an identifier leaves a wide-spread data trail, ranging from host name lookups visible on the network to the absolute URI (i.e., the URI without its fragment identifier) visible to the operator of the identifier. Moreover, the operator might gain additional data about the requester, e.g. from a User-Agent header. By minting directed (e.g., single-use) dereferencable identifiers and assigning short cache lifetimes to the dereferenced resource, the originator of a document can track dereferencing clients whenever they process the document the identifier has been created for.
Informative References The 'tag' URI Scheme This document describes the "tag" Uniform Resource Identifier (URI) scheme. Tag URIs (also known as "tags") are designed to be unique across space and time while being tractable to humans. They are distinct from most other URIs in that they have no authoritative resolution mechanism. A tag may be used purely as an entity identifier. Furthermore, using tags has some advantages over the common practice of using "http" URIs as identifiers for non-HTTP-accessible resources. This memo provides information for the Internet community. JSON Schema: A Media Type for Describing JSON Documents Postman JSON Schema defines the media type "application/schema+json", a JSON- based format for describing the structure of JSON data. JSON Schema asserts what a JSON document must look like, ways to extract information from it, and how to interact with it. The "application/ schema-instance+json" media type provides additional feature-rich integration with "application/schema+json" beyond what can be offered for "application/json" documents. Problem Details for HTTP APIs This document defines a "problem detail" to carry machine-readable details of errors in HTTP response content to avoid the need to define new error response formats for HTTP APIs. This document obsoletes RFC 7807. Discussion Venues This note is to be removed before publishing as an RFC. Source for this draft and an issue tracker can be found at https://github.com/ietf-wg-httpapi/rfc7807bis. HTML — Living Standard WHATWG n.d.
Acknowledgements pointed out that this document would be good to have.