One document matched: draft-nottingham-site-meta-05.xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629/rfc2629.dtd" [
<!ENTITY rfc2119 SYSTEM 'bibxml/reference.RFC.2119.xml'>
<!ENTITY rfc2616 SYSTEM 'bibxml/reference.RFC.2616.xml'>
<!ENTITY rfc3864 SYSTEM 'bibxml/reference.RFC.3864.xml'>
<!ENTITY rfc3986 SYSTEM 'bibxml/reference.RFC.3986.xml'>
<!ENTITY rfc4918 SYSTEM 'bibxml/reference.RFC.4918.xml'>
<!ENTITY bcp26 SYSTEM 'bibxml/reference.RFC.5226.xml'>
<!ENTITY rfc5234 SYSTEM 'bibxml/reference.RFC.5234.xml'>
<!ENTITY P3P SYSTEM 'bibxml/reference.W3C.REC-P3P-20020416.xml'>
<!ENTITY webarch SYSTEM 'bibxml/reference.W3C.REC-webarch-20041215.xml'>
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc toc="yes" ?>
<?rfc tocdepth="3" ?>
<?rfc tocindent="yes" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc iprnotified="no" ?>
<?rfc strict="yes" ?>
<?rfc compact="yes" ?>
<?rfc comments="yes" ?>
<?rfc inline="yes" ?>
<rfc ipr="trust200902" docName="draft-nottingham-site-meta-05" category="std"
updates="2616 2818">
<front>
<title>Defining Well-Known URIs</title>
<author initials="M." surname="Nottingham" fullname="Mark Nottingham">
<organization></organization>
<address>
<email>mnot@mnot.net</email>
<uri>http://www.mnot.net/</uri>
</address>
</author>
<author initials="E." surname="Hammer-Lahav" fullname="Eran Hammer-Lahav">
<organization></organization>
<address>
<email>eran@hueniverse.com</email>
<uri>http://hueniverse.com/</uri>
</address>
</author>
<date year="2009"/>
<abstract>
<t>This memo defines a path prefix for "well-known locations", "/.well-known/" in selected URI schemes.</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>It is increasingly common for Web-based protocols to require the discovery of policy or metadata before making a request.
For example, the Robots Exclusion Protocol <eref target="http://www.robotstxt.org/"/> specifies a way for automated
processes to obtain permission to access resources; likewise, the Platform for Privacy Preferences <xref
target="W3C.REC-P3P-20020416"/> tells user-agents how to discover privacy policy beforehand.</t>
<t>While there are several ways to access per-resource metadata (e.g., HTTP headers, WebDAV's PROPFIND <xref
target="RFC4918"/>), the perceived overhead (either in terms of client-perceived latency, and/or deployment difficulties)
associated with them often precludes their use in these scenarios.</t>
<t>When this happens, it is common to designate a "well-known location" for such metadata, so that it can be easily located.
However, this approach has the drawback of risking collisions, both with other such designated "well-known locations" and
with pre-existing resources.</t>
<t>To address this, this memo defines a path prefix in HTTP(S) URIs for these "well-known locations", "/.well-known/". Future
specifications that need to define a resource for such site-wide metadata can register their use to avoid collisions and
minimise impingement upon sites' URI space.</t>
<section title="Appropriate Use of Well-Known URIs">
<t>There are a number of possible ways that applications could use Well-known URIs. However, in keeping with the
Architecture of the World-Wide Web <xref target="W3C.REC-webarch-20041215"/>, well-known URIs are not intended for
general information retrieval, or establishment of large URI name-spaces on the Web. Rather, they are designed to
facilitate discovery of information on a site when it isn't practical to use other mechanisms; for example, when
discovering policy that needs to be evaluated before a resource is accessed, or when using multiple round-trips is
judged detrimental to performance.</t>
<t>As such, the well-known URI space was created with the expectation that it will be used to make site-wide policy
information and other metadata available directly (if sufficiently concise), or provide references to other URIs
that provide such metadata.</t>
</section>
</section>
<section title="Notational Conventions">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD
NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as
described in RFC 2119 <xref target="RFC2119"/>.</t>
</section>
<section title="Well-Known URIs">
<t>A well-known URI is a URI <xref target="RFC3986"/> whose path component begins with the characters "/.well-known/",
and whose scheme is "HTTP", "HTTPS", or another scheme which has explicitly been specified to use well-known URIs.</t>
<t>Applications that wish to mint new well-known URIs MUST register them, following the procedures in <xref
target="registry"/>.</t>
<t>For example, if an application registers the name 'example', the corresponding well-known URI on 'http://www.example.com/'
would be 'http://www.example.com/.well-known/example'.</t>
<t>Registered names MUST conform to the segment-nz production in <xref target="RFC3986"/>.</t>
<t>Note that this specification defines neither how to determine the authority to use for a particular context, nor the scope
of the metadata discovered by dereferencing the well-known URI; both should be defined by the application itself.</t>
<t>Typically, a registration will reference a specification that defines the format and associated media type
to be obtained by dereferencing the well-known URI.</t>
<t>It MAY also contain additional information, such as the syntax of additional path
components, query strings and/or fragment identifiers to be appended to the well-known URI, or protocol-specific details
(e.g., HTTP <xref target="RFC2616"/> method handling).</t>
<t>Note that this specification also does not define a format or media-type for the resource located at "/.well-known/" and
clients should not expect a resource to exist at that location.</t>
</section>
<section title="Security Considerations">
<t>This memo does not specify the scope of applicability of metadata or policy obtained from a well-known URI, and does not
specify how to discover a well-known URI for a particular application. Individual applications using this mechanism must
define both aspects.</t>
<t>Applications minting new well-known URIs, as well as administrators deploying them, will need to consider several
security-related issues, including (but not limited to) exposure of sensitive data, denial of service attacks
(in addition to normal load issues), server and client authentication, vulnerability to DNS rebinding attacks,
and attacks where limited access to a server grants the ability to affect how well-known URIs are served.</t>
</section>
<section title="IANA Considerations">
<section title="The Well-Known URI Registry" anchor="registry">
<t>This document establishes the well-known URI registry.</t>
<t>Well-known URIs are registered on the advice of one or more Designated Experts (appointed by the
IESG or their delegate), with a Specification Required (using terminology from <xref target="RFC5226"/>).
However, to allow for the allocation of values prior to publication, the Designated Expert(s) may approve
registration once they are satisfied that such a specification will be published.</t>
<t>Registration requests should be sent to the [TBD]@ietf.org mailing list for review and comment,
with an appropriate subject (e.g., "Request for well-known URI: example").</t>
<t>[[NOTE TO RFC-EDITOR: The name of the mailing list should be determined in consultation with the IESG
and IANA. Suggested name: wellknown-uri-review. ]]</t>
<t>Before a period of 14 days has passed, the Designated Expert(s) will either approve or
deny the registration request, communicating this decision both to the review list and to IANA.
Denials should include an explanation and, if applicable, suggestions as to how to make the
request successful. Registration requests that are undetermined for a period longer than 21 days
can be brought to the IESG's attention (using the iesg@iesg.org mailing list)
for resolution.</t>
<section title="Registration Template" anchor="template">
<t><list style="hanging">
<t hangText="URI suffix:">
The name requested for the well-known URI, relative to "/.well-known/";
e.g., "example".</t>
<t hangText="Change controller:">
For standards-track RFCs, state "IETF". For others, give the name of the
responsible party. Other details (e.g., postal address, e-mail address,
home page URI) may also be included.</t>
<t hangText="Specification document(s):">
Reference to document that specifies the field, preferably
including a URI that can be used to
retrieve a copy of the document. An indication of the relevant
sections may also be included, but is not required.</t>
<t hangText="Related information:">
Optionally, citations to additional documents containing further
relevant information.</t>
</list></t>
</section>
</section>
</section>
</middle>
<back>
<references title="Normative References">&bcp26; &rfc2119; &rfc3986;</references>
<references title="Informative References">&P3P; &webarch; &rfc2616; &rfc4918;</references>
<section title="Acknowledgements">
<t>We would like to acknowledge the contributions of everyone who provided feedback and use cases for this draft; in particular,
Phil Archer,
Dirk Balfanz,
Adam Barth,
Tim Bray,
Brian Eaton,
Brad Fitzpatrick,
Joe Gregorio,
Paul Hoffman,
Barry Leiba,
Ashok Malhotra,
Breno de Medeiros,
John Panzer,
and Drummond Reed.
However, they are not responsible for errors and omissions.</t>
</section>
<section title="Frequently Asked Questions">
<section title="Aren't well-known locations bad for the Web?">
<t>They are, but for various reasons -- both technical and social -- they are commonly used, and their
use is increasing. This memo defines a "sandbox" for them, to reduce the risks of collision and to
minimise the impact upon pre-existing URIs on sites.</t>
</section>
<section title="Why /.well-known?">
<t>It's short, descriptive and according to search indices, not widely used.</t>
</section>
<section title="What impact does this have on existing mechanisms, such as P3P and robots.txt?">
<t>None, until they choose to use this mechanism.</t>
</section>
<section title="Why aren't per-directory well-known locations defined?">
<t>Allowing every URI path segment to have a well-known location (e.g., "/images/.well-known/")
would increase the risks of colliding with a pre-existing URI on a site, and generally these
solutions are found not to scale well, because they're too "chatty".</t>
</section>
</section>
<section title="Document History">
<t>[[RFC Editor: please remove this section before publication.]]</t>
<t><list style="symbols">
<t>-05<list style="symbols">
<t>Note that lack of a decision by the expert can be appealed to the IESG.</t>
<t>Clarify status of specifications suitable for registration.</t>
<t>Add reference for Robots Exclusion Protocol.</t>
<t>Clarify appropriate use cases.</t>
</list></t>
<t>-04<list style="symbols">
<t>Restrict to HTTP(S) by default.</t>
<t>Shorten review SLA to 14 days.</t>
<t>Allow for multiple designated experts.</t>
<t>Identify mailing list for request submission and discussion.</t>
</list></t>
<t>-03<list style="symbols">
<t>Add fragment identifiers to list of things an application might define.</t>
<t>Note that the /.well-known/ URI doesn't have anything there.</t>
</list></t>
<t>-02<list style="symbols">
<t>Rewrote to just define a namespace for well-known URIs.</t>
<t>Changed discussion forum to apps-discuss.</t>
</list></t>
<t>-01<list style="symbols">
<t>Changed "site-meta" to "host-meta" after feedback.</t>
<t>Changed from XML to text-based header-like format.</t>
<t>Remove capability for generic inline content.</t>
<t>Added registry for host-meta fields.</t>
<t>Clarified scope of metadata application.</t>
<t>Added security consideration about HTTP vs. HTTPS, expanding scope.</t>
</list></t>
</list></t>
</section>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 15:53:12 |