Last Call Review of draft-saintandre-urn-example-04

Request Review of draft-saintandre-urn-example
Requested rev. no specific revision (document currently at 05)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2013-04-09
Requested 2013-03-21
Authors Peter Saint-Andre
Draft last updated 2013-03-29
Completed reviews Genart Last Call review of -04 by Christer Holmberg (diff)
Secdir Last Call review of -04 by Radia Perlman (diff)
Assignment Reviewer Radia Perlman
State Completed
Review review-saintandre-urn-example-04-secdir-lc-perlman-2013-03-29
Reviewed rev. 04 (document currently at 05)
Review result Ready
Review completed: 2013-03-29


I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

This document proposes to standardize the use of "example" as a namespace identifier in URNs (like "

" is for DNS names), and is harmless.

I could (and perhaps should, or is it SHOULD) stop there.  However, I'll editorialize a bit.  I more or less understand what a URL is.  You type it into a browser, though mercifully, actual humans seldom have to type


But then I started hearing about URNs and URIs.  I pretty much ignored them because my life seemed to be complete without needing to understand them.  But then since I was assigned this draft to review, I decided to investigate what URNs and URIs are and how they are different.

The definition given in RFC 2141 is "

Uniform Resource Names (URNs) are intended to serve as persistent, 

location-independent, resource identifiers and are designed to make 

it easy to map other namespaces (which share the properties of URNs) 

into URN-space."

I could memorize that definition and it still wouldn't help me understand why my life was incomplete without URNs. Then I read RFC 1630 to find out about URIs, and that was equally non-illuminating to me, who was simply groping for "why do I need one of these things, and when would I use it".

Then I read yet another incomprehensible RFC, #3986, which has this sentence:


Future specifications and related documentation should 

use the general term "URI" rather than the more restrictive terms 

"URL" and "URN" [RFC3305]."  So, why are we, today, in 2013, tweaking URNs if we are supposedly trying to mercifully put the term "URN" to bed?

And why is the NSS (Namespace Specific String, which is part of the URN) ASCII?  Given that I'm never planning on using a URN, I don't really care, but if people wanted these things for whatever reason, mightn't they want to use International characters?

So my conclusion is that invention of UR* terminology is a low level denial of service attack on people, but is otherwise harmless.