One document matched: draft-nottingham-site-meta-04.xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629/rfc2629.dtd" [
<!ENTITY rfc2026 SYSTEM 'bibxml/reference.RFC.2026.xml'>
<!ENTITY rfc2119 SYSTEM 'bibxml/reference.RFC.2119.xml'>
<!ENTITY rfc2616 SYSTEM 'bibxml/reference.RFC.2616.xml'>
<!ENTITY rfc3864 SYSTEM 'bibxml/reference.RFC.3864.xml'>
<!ENTITY rfc3986 SYSTEM 'bibxml/reference.RFC.3986.xml'>
<!ENTITY rfc4918 SYSTEM 'bibxml/reference.RFC.4918.xml'>
<!ENTITY bcp26 SYSTEM 'bibxml/reference.RFC.5226.xml'>
<!ENTITY rfc5234 SYSTEM 'bibxml/reference.RFC.5234.xml'>
<!ENTITY P3P SYSTEM 'bibxml/reference.W3C.REC-P3P-20020416.xml'>
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc toc="yes" ?>
<?rfc tocdepth="3" ?>
<?rfc tocindent="yes" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc iprnotified="no" ?>
<?rfc strict="yes" ?>
<?rfc compact="yes" ?>
<?rfc comments="yes" ?>
<?rfc inline="yes" ?>
<rfc ipr="trust200902" docName="draft-nottingham-site-meta-04" category="std"
updates="2616 2818">
<front>
<title>Defining Well-Known URIs</title>
<author initials="M." surname="Nottingham" fullname="Mark Nottingham">
<organization></organization>
<address>
<email>mnot@mnot.net</email>
<uri>http://www.mnot.net/</uri>
</address>
</author>
<author initials="E." surname="Hammer-Lahav" fullname="Eran Hammer-Lahav">
<organization></organization>
<address>
<email>eran@hueniverse.com</email>
<uri>http://hueniverse.com/</uri>
</address>
</author>
<date year="2009"/>
<abstract>
<t>This memo defines a path prefix for "well-known locations", "/.well-known/" in selected URI schemes.</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>It is increasingly common for Web-based protocols to require the discovery of policy or metadata before making a request. For example, the Robots Exclusion Protocol specifies a way for automated processes to obtain permission to access resources; likewise, the Platform for Privacy Preferences <xref target="W3C.REC-P3P-20020416"/> tells user-agents how to discover privacy policy beforehand.</t>
<t>While there are several ways to access per-resource metadata (e.g., HTTP headers, WebDAV's PROPFIND <xref target="RFC4918"/>), the perceived overhead associated with them often precludes their use in these scenarios.</t>
<t>When this happens, it is common to designate a "well-known location" for such metadata, so that it can be easily located. However, this approach has the drawback of risking collisions, both with other such designated "well-known locations" and with pre-existing resources.</t>
<t>To address this, this memo defines a path prefix in HTTP(S) URIs for these "well-known locations", "/.well-known/". Future specifications that need to define a resource for such site-wide metadata can register their use to avoid collisions and
minimise impingement upon sites' URI space.</t>
<t>[[ Please discuss this draft on the <eref target="https://www.ietf.org/mailman/listinfo/apps-discuss">apps-discuss@ietf.org</eref> mailing list. ]]</t>
</section>
<section title="Notational Conventions">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD
NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as
described in RFC 2119 <xref target="RFC2119"/>.</t>
</section>
<section title="Well-Known URIs">
<t>A well-known URI is a URI <xref target="RFC3986"/> whose path component begins with the characters "/.well-known/",
and whose scheme is "HTTP", "HTTPS", or another scheme which has explicitly been specified to use well-known URIs.</t>
<t>Applications that wish to mint new well-known URIs MUST register them, following the procedures in <xref target="registry"/>.</t>
<t>For example, if an application registers the value 'example', the corresponding well-known URI on 'http://www.example.com/' would be 'http://www.example.com/.well-known/example'.</t>
<t>Note that this specification defines neither how to determine the authority to use for a particular context, nor the scope of the metadata discovered by dereferencing the well-known URI; both should be defined by the application itself.</t>
<t>Typically, a registration will reference a specification that defines the format and associated media type
to be obtained by dereferencing the well-known URI.</t>
<t>It MAY also contain additional information, such as the syntax of additional path
components, query strings and/or fragment identifiers to be appended to the well-known URI, or protocol-specific details (e.g., HTTP <xref target="RFC2616"/> method handling).</t>
<t>Note that this specification also does not define a format or media-type for the resource at located at "/.well-known/" and clients should not expect a resource to exist at that location.</t>
</section>
<section title="Security Considerations">
<t>This memo does not specify the scope of applicability of metadata or policy obtained from a well-known URI, and does not
specify how to discover a well-known URI for a particular application. Individual applications using this mechanism must define both aspects.</t>
<t>An attacker with certain types of limited access to a server may be able to affect how well-known URIs are served; for example, they may be able to upload a file at that location, or they may be able to cause a server to redirect a well-known URI to a URI that they control.</t>
<t>Because most URI schemes rely on DNS to resolve names, they are vulnerable to "DNS rebinding" attacks, whereby
a request can be directed to a server under the control of an attacker.</t>
</section>
<section title="IANA Considerations">
<section title="The Well-Known URI Registry" anchor="registry">
<t>This document establishes the well-known URI registry.</t>
<t>Well-known URIs are registered on the advice of one or more Designated Experts (appointed by the
IESG or their delegate), with a Specification Required (using terminology from <xref target="RFC5226"/>).</t>
<t>Registration requests consist of the completed registration template
(see <xref target="template"/>), typically published in an RFC or Open Standard (in the sense described
by <xref target="RFC2026"/>, section 7). However, to allow for the
allocation of values prior to publication, the Designated Expert(s) may approve
registration once they are satisfied that an RFC (or other Open Standard) will be published.</t>
<t>Registration requests should be sent to the [TBD]@ietf.org mailing list for review and comment,
with an appropriate subject (e.g., "Request for well-known URI: example").</t>
<t>[[NOTE TO RFC-EDITOR: The name of the mailing list should be determined in consultation with the IESG
and IANA. Suggested name: wellknown-uri-review. ]]</t>
<t>Before a period of 14 days has passed, the Designated Expert(s) will either approve or
deny the registration request, communicating this decision both to the review list and to IANA.
Denials should include an explanation and, if applicable, suggestions as to how to make the
request successful.</t>
<section title="Registration Template" anchor="template">
<t><list style="hanging">
<t hangText="URI suffix:">
The name requested for the well-known URI, relative to "/.well-known/";
e.g., "example".
MUST conform to the segment-nz production in <xref target="RFC3986"/>.</t>
<t hangText="Change controller:">
For standards-track RFCs, state "IETF". For other open
standards, give the name of the publishing body (e.g., ANSI, ISO,
ITU, W3C, etc.). A postal address, home page URI, telephone and fax
numbers may also be included.</t>
<t hangText="Specification document(s):">
Reference to document that specifies the field, preferably
including a URI that can be used to
retrieve a copy of the document. An indication of the relevant
sections may also be included, but is not required.</t>
<t hangText="Related information:">
Optionally, citations to additional documents containing further
relevant information.</t>
</list></t>
</section>
</section>
</section>
</middle>
<back>
<references title="Normative References">&bcp26; &rfc2026; &rfc2119; &rfc3986;</references>
<references title="Informative References">&P3P; &rfc2616; &rfc4918;</references>
<section title="Acknowledgements">
<t>We would like to acknowledge the contributions of everyone who provided feedback and use cases for this draft; in particular,
Phil Archer,
Dirk Balfanz,
Adam Barth,
Tim Bray,
Brian Eaton,
Brad Fitzpatrick,
Joe Gregorio,
Paul Hoffman,
Barry Leiba,
Ashok Malhotra,
Breno de Medeiros,
John Panzer,
and Drummond Reed.
However, they are not responsible for errors and omissions.</t>
</section>
<section title="Frequently Asked Questions">
<section title="Aren't well-known locations bad for the Web?">
<t>They are, but for various reasons -- both technical and social -- they are commonly used, and their
use is increasing. This memo defines a "sandbox" for them, to reduce the risks of collision and to
minimise the impact upon pre-existing URIs on sites.</t>
</section>
<section title="Why /.well-known?">
<t>It's short, descriptive and according to search indices, not widely used.</t>
</section>
<section title="What impact does this have on existing mechanisms, such as P3P and robots.txt?">
<t>None, until they choose to use this mechanism.</t>
</section>
<section title="Why aren't per-directory well-known locations defined?">
<t>Allowing every URI path segment to have a well-known location (e.g., "/images/.well-known/")
would increase the risks of colliding with a pre-existing URI on a site, and generally these
solutions are found not to scale well, because they're too "chatty".</t>
</section>
</section>
<section title="Document History">
<t>[[RFC Editor: please remove this section before publication.]]</t>
<t><list style="symbols">
<t>-04<list style="symbols">
<t>Restrict to HTTP(S) by default.</t>
<t>Shorten review SLA to 14 days.</t>
<t>Allow for multiple designated experts.</t>
<t>Identify mailing list for request submission and discussion.</t>
</list></t>
<t>-03<list style="symbols">
<t>Add fragment identifiers to list of things an application might define.</t>
<t>Note that the /.well-known/ URI doesn't have anything there.</t>
</list></t>
<t>-02<list style="symbols">
<t>Rewrote to just define a namespace for well-known URIs.</t>
<t>Changed discussion forum to apps-discuss.</t>
</list></t>
<t>-01<list style="symbols">
<t>Changed "site-meta" to "host-meta" after feedback.</t>
<t>Changed from XML to text-based header-like format.</t>
<t>Remove capability for generic inline content.</t>
<t>Added registry for host-meta fields.</t>
<t>Clarified scope of metadata application.</t>
<t>Added security consideration about HTTP vs. HTTPS, expanding scope.</t>
</list></t>
</list></t>
</section>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 15:53:11 |