I have a different perspective on this question Mark. Firstly, I find use of .magic as the extreme RHS of a name, to force special behaviour architecturally disqueting.
I really do worry about what we think we're building when we encode this behaviour into name strings. It leads to all kinds of bad places. Some of them, like the homoglyph problems John Klensin has raised, simply don't have good answers (the assumption the string .onion is the literal ASCII 'o' 'n' 'i' 'o' 'n' is not well founded) We were here a long time ago, when we had pre-Internet mail and used things like .UUCP as magic break-out signals in email. This rapidly becomes the problem: its bound to applications-level decisions about when to honour magic, and when not, and it certainly doesn't avoid lower level gethostbyname() calls everywhere. So the .magic label winds up being half-true, depending. Secondly, While I think I now understand some of the problems you have in web/apps layer (from talking to Wendy Seltzer) and I have sympathies about the syntactic constructs welded into code around URL forms, I think these problems are different to the architectural/layer violation explicit in forcing .magic names into the namespace. What really got me floored, was the qualities of cryptographic protection which a project like TOR needs, and the implication a public/commercial CA service embedded in the browser TA set is the right path. I'm frankly horrified, even under certificate pinning, that we've gone to a space where any TA can claim to sign over .onion, and excluding the pinned applications, lead people into paths where their assumptions of TLS backed security are simply not true. As I understand things, TOR *wanted* .onion to get X509 PKI over the label in a browser, and the CA community refused unless its TLD status was confirmed. Is this the kind of rigour in technical process we expect, to make technical calls to pre-empt the namespace? (which btw, we passed otherwise to another body, reserving an RFC backed process to get names, but I think that was a hugely unwise decision) To protect .onion certs, the TOR developers are going to have to code in cert pinning behaviour, all kinds of things, which frankly sound to me a lot like the cost of not having the name, or having a name buried under a 2LD instead. So I come to a different place. I come to a place where requests for magic names look like violations of any spirit of an architectural view of the network, and where retaining some technical basis to reserve them looks like violations of the separation of functional roles between ICANN and IETF, absent very very clear, strong reasons to have the name held back. I don't entirely see these reasons emerging. I see the opposite. I see expediency from apps communities, seeking to use .magic tricks to avoid cost explicitly in their layer, but at a cost of polluting the public commons. I am pretty firmly in the camp which says the revision of the RFC should be complete: we stop doing this, and people who want names go into ICANN process to establish them. -G On Thu, Nov 26, 2015 at 9:59 PM, hellekin <[email protected]> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > On 11/26/2015 06:38 AM, Mark Nottingham wrote: > > > > Given this context, I was disturbed to hear the design team presentati > on > > in Yokohama > > > > So you mean there's an already working team on the revision of RFC6761, > and that team had the time to prepare a presentation, while the DNSOP > chairs didn't have the time to respond to volunteers nor to announce > this team. This is simply unacceptable. I concur that the revision of > RFC6761 should go to another group where "Internet community" makes some > sense and corporate dissent is not silenced by ignoring legitimate > requests. Please don't expect any apologies from me for telling the > truth. This is a carnival of an inclusive process. > > Thank you Mark for the heads up. > > == > hk > > -----BEGIN PGP SIGNATURE----- > > iQJ8BAEBCgBmBQJWVvQ8XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w > ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRFQ0IyNkIyRTNDNzEyMTc2OUEzNEM4ODU0 > ODA2QzM2M0ZDMTg5ODNEAAoJEEgGw2P8GJg9ewoQALD1dF/Wqyh2Lo5qZ35PUANA > bvq2k5BZd1UsN488+V4v7PnAHxO7XgR8IQSYYnp1oYNaZl5WbFEPjT6HOSR3O4lr > 7iSVeSxPux8hssSxorkWtBVk8oAnImGEPyIlYunBLcTyasXLY5+2fzmR1+P4/9Kk > ahjHvuQa6dOAXhqTMBizwb3kZ2PC2hFlM5LKMIBcf9GfTVmH//fbEalHYPYEwMCY > AvX9mkMvvWcWhn15OXRi50r3kQl65d0KQA2euQ8mUIe5qafDHASBtZLc81t0rAXv > fjaWT4REu+KUHexWKgI7NFF3uZ0M0Cm7imYN6+YG+AWFtPrr4SPh1BA0L4td93q8 > bGxGEJrDTWRVaW2c98UO5bFxm3kqcM4oTdBD1Rg4yC1OatvuKzZp6nPrFG09G5rn > PjorrqoNx0MHxwejrTHkkhnmvmgTfPUTvkT/7zUYLTwRITDrjzOyj932COrZV+A3 > dak5M5hRLhR8jswx/lh+SmY1RFAtCuNDcoFuXTOJygwSpj7WvigIORiT6ATLFlfW > mxYxkVP/Tc76anRTk5O/AIu87c5K9fr6TPiFRIL/0eKnFBEMn2qbaW7TLvAl6o89 > kgYYp4u59ve0vCL6gE2sn1w1EYnctFVxpzcg9HkFl/MFuQyWdc4yb5OdFWW8sema > 8hpTT/KiW1/KDHGj0kcB > =IZoh > -----END PGP SIGNATURE----- > > _______________________________________________ > DNSOP mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/dnsop >
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
