Internet Engineering Task Force                               R. Simpson
Internet-Draft                                            Accilent Corp.
Intended status: Informational                             July 31, 2010
Expires: February 1, 2011
  Clarification of Proper Use of "@" (at sign) in URI-style Components
                       draft-accilent-at-sign-00
Abstract
   Defacto standards have evolved that conflict with existing standards,
   specifically RFC 3986.  This document clarifies the use of the "@"
   (at sign) in URIs and partial URI-like addresses.
Status of this Memo
   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.
   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."
   This Internet-Draft will expire on February 1, 2011.
Copyright Notice
   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.
   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Simpson                 Expires February 1, 2011                [Page 1]
Internet-Draft              Proper Use of "@"                  July 2010
Table of Contents
   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . . . 3
   2.  Issues  . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
   3.  Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . 3
   4.  Valid Syntax  . . . . . . . . . . . . . . . . . . . . . . . . . 4
   5.  Invalid Syntax  . . . . . . . . . . . . . . . . . . . . . . . . 5
   6.  Examples  . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
   8.  Security Considerations . . . . . . . . . . . . . . . . . . . . 6
   9.  Normative References  . . . . . . . . . . . . . . . . . . . . . 6
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . . . 6
Simpson                 Expires February 1, 2011                [Page 2]
Internet-Draft              Proper Use of "@"                  July 2010
1.  Introduction
   The original specification of the URI format is in RFC 3986
   [RFC3986].
1.1.  Requirements Language
   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].
2.  Issues
   o  Microblogging systems on social networks have introduced a
      shortcut feature where short replies with tokens containing an "@"
      and userinfo are automatically converted to HTML links.  On
      systems where the host component is assumed to be the same as the
      host that is currently loaded into the user's browser, the defacto
      standard syntax that has evolved for these auto-generated links is
      for the "@" (at sign) to precede the userinfo.
   o  Allowing the "@" to be placed in a non-standard location,
      especially in HTML links, results in confusion about which
      component follows the "@".  For example, in "@its.me", is "its.me"
      the userinfo or the host component?
   o  How would the "@userinfo" syntax currently being used be extended
      to support multiple networks?  For example, in a mobile
      application that allows posting updates to multiple social
      networks, should it conform to the defacto standard and use
      "ExampleOnly.com@userinfo" or go against the current common usage
      and try to conform to the standards for URIs instead?  Either
      option introduces potentially harmful confusion for users and
      automated systems.
3.  Conclusions
   o  It should be allowable to omit the host component of the authority
      syntax when the host component is known, such as when referencing
      another user on the same host or relative to a base URI.
   o  Placing the "@" prior to the userinfo instead of following it
      should be explicitly prohibited due to the confusion it introduces
      and the security concerns due to possibly misinterpreting the
      userinfo and as a result of allowing users to become comfortable
      with misplacing the "@".
Simpson                 Expires February 1, 2011                [Page 3]
Internet-Draft              Proper Use of "@"                  July 2010
4.  Valid Syntax
   In RFC 3986 [RFC3986], the syntax of the authority component in a URI
   is defined as:
               authority   = [ userinfo "@" ] host [ ":" port ]
   In addition, when the user is on a known host, on the same social
   network for example, the host and port components MAY be omitted:
               authority   = [ userinfo "@" ] [ host [ ":" port ] ]
   When the host component is omitted, the userinfo component will be
   interpreted to be relative to the base URI of the current resource.
   For example:
   +--------------------------------------------------+
   | http://ExampleOnly.com/JaneSmith                 |
   |--------------------------------------------------|
   | JohnDoe@ I will meet you there in a short while. |
   |__________________________________________________|
   will be interpreted as:
   +-----------------------------------------------------------------+
   | http://ExampleOnly.com/JaneSmith                                |
   |-----------------------------------------------------------------|
   | JohnDoe@ExampleOnly.com I will meet you there in a short while. |
   |_________________________________________________________________|
   and (in HTML code):
   +----------------------------------+
   | http://ExampleOnly.com/JaneSmith |
   |----------------------------------|
   | JohnDoe@  |
   |__________________________________|
   will be interpreted as:
   +------------------------------------------------------------------+
   | http://ExampleOnly.com/JaneSmith                                 |
   |------------------------------------------------------------------|
   | JohnDoe@ExampleOnly |
   |__________________________________________________________________|
Simpson                 Expires February 1, 2011                [Page 4]
Internet-Draft              Proper Use of "@"                  July 2010
5.  Invalid Syntax
   In a component that may at some time be interpreted to be a URI by
   some system the "@" MUST NOT be placed prior to the userinfo
   component:
                         WRONG! [ "@" userinfo ]
   The "@" SHOULD not be placed prior to the userinfo component even in
   areas of plain text due to the potential for altering users'
   perception of the correct placement of the "@" separator.
   The "@" SHOULD NOT appear in an improper location in an HTML link:
                                  WRONG!
           @JohnDoe
    ExampleOnly.com@JohnDoe
6.  Examples
      Improper usage when user being replied to is on the same social
                                  network
   +--------------------------------------------------+
   | @JohnDoe I will meet you there in a short while. |
   |__________________________________________________|
   WRONG!  How would the host component be appended if the user was on a
                            different network?
                                 Figure 1
    Standalone userinfo component when user being replied to is on the
                            same social network
   +--------------------------------------------------+
   | JohnDoe@ I will meet you there in a short while. |
   |__________________________________________________|
       This follows the current standard use of "@" in the authority
                                component.
                                 Figure 2
Simpson                 Expires February 1, 2011                [Page 5]
Internet-Draft              Proper Use of "@"                  July 2010
    Fully-qualified authority component when the user being replied to
                        can be on a different host
   +-----------------------------------------------------------------+
   | JohnDoe@ExampleOnly.com I will meet you there in a short while. |
   |_________________________________________________________________|
     Appending the host component after the "@" results in syntax that
                         conforms to the RFC 3986.
                                 Figure 3
7.  IANA Considerations
   This memo includes no request to IANA.
8.  Security Considerations
   A URI does not in itself pose a security threat.  However, as URIs
   are often used to provide a compact set of instructions for access to
   network resources, care must be taken to properly interpret the data
   within a URI, to prevent that data from causing unintended access,
   and to avoid including data that should not be revealed in plain
   text.
   However, placing an "@" in the wrong position, such as prior to the
   userinfo rather than following it, can introduce security risks,
   since the userinfo may be incorrectly interpreted or supplied to
   unauthorized systems.  A defacto standard that places the "@" in the
   wrong location introduces additional security risks due to the
   increased likelihood that users will misplace the "@" as a result of
   the confusion.
9.  Normative References
   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.
   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, January 2005.
Simpson                 Expires February 1, 2011                [Page 6]
Internet-Draft              Proper Use of "@"                  July 2010
Author's Address
   Robert Simpson
   Accilent Corp.
   P.O. Box 601
   Lawrence, PA  15055
   US
   Phone: +1-412 337-3113
   Email: RobS.rfc5@MailScreen.com
Simpson                 Expires February 1, 2011                [Page 7]