RFC 2276






Network Working Group                                         K. Sollins
Request for Comments: 2276                                       MIT/LCS
Category: Informational                                     January 1998


      Architectural Principles of Uniform Resource Name Resolution

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1998).  All Rights Reserved.

Abstract

   This document addresses the issues of the discovery of URN (Uniform
   Resource Name) resolver services that in turn will directly translate
   URNs into URLs (Uniform Resource Locators) and URCs (Uniform Resource
   Characteristics).  The document falls into three major parts, the
   assumptions underlying the work, the guidelines in order to be a
   viable Resolver Discovery Service or RDS, and a framework for
   designing RDSs.  The guidelines fall into three principle areas:
   evolvability, usability, and security and privacy.  An RDS that is
   compliant with the framework will not necessarily be compliant with
   the guidelines.  Compliance with the guidelines will need to be
   validated separately.

Table of Contents

   1.    Introduction..................................................2
   2.    Assumptions...................................................5
   3.    Guidelines....................................................7
   3.1   Evolution.....................................................7
   3.2   Usability....................................................10
   3.2.1 The Publisher................................................11
   3.2.2 The Client...................................................12
   3.2.3 The Management...............................................13
   3.3   Security and Privacy.........................................14
   4.    The Framework................................................18
   5.    Acknowledgements.............................................23
   6.    References...................................................23
   7.    Author's Address.............................................23
   8.    Full Copyright Statement.....................................24




Sollins                      Informational                      [Page 1]

RFC 2276            Uniform Resource Name Resolution        January 1998


1. Introduction

   The purpose of this document is to lay out the engineering criteria
   for what we will call here a Resolver Discovery Service (RDS), a
   service to help in the learning about URN (Uniform Resource Name)
   resolvers.  The term "resolver" is used in this document to indicate
   a service that translates URNs to URLs (Uniform Resource Locators) or
   URCs (Uniform Resource Characteristics).  Some resolvers may provide
   direct access to resources as well.  An RDS helps in finding a
   resolver to contact for further resolution.  It is worth noting that
   some RDS designs may also incorporate resolver functionality.  This
   function of URN resolution is a component of the realization of an
   information infrastructure.  In the case of this work, that
   infrastructure is to be available, "in the Internet" or globally, and
   hence the solutions to the problems we are addressing must be
   globally scalable.  In this document, we are focussing specifically
   on the design of RDS schemes.

   The Uniform Resource Identifier Working Group defined a naming
   architecture, as demonstrated in a series of three RFCs 1736 [1],
   1737 [2], and 1738 [3].  Although several further documents are
   needed to complete the description of that architecture, it
   incorporates three core functions often associated with "naming":
   identification, location, and mnemonics or semantics.  By location,
   we mean fully-qualified Domain Names or IP addresses, possibly
   extended with TCP ports and/or local identifiers, such as pathnames.
   Names may provide the ability to distinguish one resource from
   another, by distinguishing their "names".  Names may help to provide
   access to a resource by including "location" information.  In
   addition, names may have other semantic or mnemonic information that
   either helps human users remember or figure out the names, or
   includes other semantic information about the resource being named.
   The URI working group concluded that there was need for persistent,
   globally unique identifiers, distinct from location or other semantic
   information; these were called URNs.  These "names" provide identity,
   in that if two of them are "the same" (under some simple rule of
   canonicalization), they identify the same resource.  Furthermore, the
   group decided that these "names" were generally to be for machine,
   rather than human, consumption.  Finally, with these guidelines for
   RDS's, this group has recognized the value of the separation of name
   assignment management from name resolution management.

   In contrast to URNs, one can imagine a variety human-friendly naming
   (HFN) schemes supporting different suites of applications and user
   communities.  These will need to provide mappings to URNs in tighter
   or looser couplings, depending on the namespace.  It is these HFNs
   that will be mnemonic, content-full, and perhaps mutable, to track
   changes in use and semantics.  They may provide nicknaming and other



Sollins                      Informational                      [Page 2]

RFC 2276            Uniform Resource Name Resolution        January 1998


   aliasing, relative or short names, context sensitive names,
   descriptive names, etc.  Their definition is not part of this effort,
   but will clearly play an important role in the long run.

   URNs as described in RFC 1737 are defined globally; they are
   ubiquitous in that a URN anywhere in any context identifies the same
   resource.  Given this requirement on URNs, one must ask about its
   implication for an RDS.  Does ubiquity imply a guarantee of RDS
   resolution everywhere?  Does ubiquity imply resolution to the same
   information about resolution everywhere?  In both cases the answer is
   probably not.  One cannot make global, systemic guarantees, except at
   an expense beyond reason.  In addition there may be policy as well as
   technical reasons for not resolving in the same way everywhere.  It
   is quite possible that the resolution of a URN to an instance of a
   resource may reach different instances or copies under different
   conditions.  Thus, although a URN anywhere refers to the same
   resource, in some environments under some conditions, and at
   different times, due to either the vagaries of network conditions or
   policy controls a URN may sometimes be resolvable and other times or
   places not.  Ubiquitous resolution cannot be assumed simply because
   naming is ubiquitous.  On the other hand wide deployment and usage
   will be an important feature of any RDS design.

   Within the URI community there has been a concept used frequently
   that for lack of a better term we will call a _hint_.  A hint is
   something that helps in the resolution of a URN; in theory we map
   URNs to hints as an interim stage in accessing a resource.  In
   practice, an RDS may map a URN directly into the resource itself if
   it chooses to.  It is very likely that there will be hints that are
   applicable to large sets of URNs, for example, a hint that indicates
   that all URNs with a certain prefix or suffix can be resolved by a
   particular resolver.  A hint may also have meta-information
   associated with it, such as an expiration time or certification of
   authenticity.  We expect that these will stay with a hint rather than
   being managed elsewhere.  We will assume in all further discussion of
   hints that they include any necessary meta-information as well as the
   hint information itself.  Examples of hints are: 1) the URN of a
   resolver service that may further resolve the URN, 2) the address of
   such a service, 3) a location at which the resource was previously
   found.  The defining feature of hints is that they are only hints;
   they may be out of date, temporarily invalid, or only applicable
   within a specific locality.  They do not provide a guarantee of
   access, but they probably will help in the resolution process.  By
   whatever means available, a set of hints may be discovered.  Some
   combination of software and human choice will determine which hints
   will be tried and in what order.





Sollins                      Informational                      [Page 3]

RFC 2276            Uniform Resource Name Resolution        January 1998


   We must assume that most resolutions of URNs will be provided by the
   use of locally stored hints, because maintaining a database of
   globally available, completely up-to-date location information is
   infeasible for performance reasons.  There are a number of
   circumstances in which one can imagine that hints become invalid,
   either because a resource has moved or because a different URN
   resolver service has taken over the responsibility for resolution of
   the URN.  Hints may be found in a variety of places.  It is generally
   assumed that a well engineered system will maintain or cache a set of
   hints for each URN at each location where that URN is found.  These
   may have been acquired from the owner of the resources, a
   recommendation of the resource, or one of many other sources.  In
   addition, for those situations in which those hints found locally
   fail, a well engineered system will provide a fall-back mechanism for
   discovering further hints.  It is this fall-back mechanism, an RDS,
   that is being addressed in this document.  As with all hints, there
   can never be a guarantee that access to a resource will be available
   to all clients, even if the resource is accessible to some.  However,
   an RDS is expected to work with reasonably high reliability, and,
   hence, may result in increased response time.

   The remainder of this document falls into three sections.  The first
   identifies several sets of assumptions underlying this work.  There
   are three general assumptions:

      * URNs are persistent;
      * URN assignment can be delegated;
      * Decisions can be made independently, enabling isolation from
        decisions of one's peers.

   The next section lays out three central principles Resolver Discovery
   Service design.  For each of these, we have identified a number of
   more specific guidelines that further define and refine the general
   principle.  This section is probably the most critical of the
   document, because one must hold any proposed RDS scheme up against
   these principles and corollary guidelines to learn whether or not it
   is adequate.  The three central principles can be summarized as:

      1) An RDS must allow for evolution and evolvability;
      2) Usability of an RDS with regard to each of the sets of
         constituents involved in the identification and location or
         resources is paramount;
      3) It is centrally important that the security and privacy needs
         of all constituents be feasibly supported, to the degree
         possible.

   Each of the three major subsections of the guidelines section begins
   with a summary list of the more detailed guidelines identified in



Sollins                      Informational                      [Page 4]

RFC 2276            Uniform Resource Name Resolution        January 1998


   that section.

   The final section of the document lays out a framework for such RDSs.
   The purpose of this last section is to bound the search space for RDS
   schemes.  The RDS designer should be aware that meeting the
   guidelines is of primary importance; it is possible to meet them
   without conforming to the framework.  As will be discussed further in
   this last section, designing within the framework does not guarantee
   compliance, so compliance evaluation must also be part of the process
   of evaluation of a scheme.

2. Assumptions

   Based on previous internet drafts and discussion in both the URN BOFs
   and on the URN WG mailing list, three major areas of assumptions are
   apparent: longevity, delegation, and independence.  Each will be
   discussed separately.

   The URN requirements [2] state that a URN is to be a "persistent
   identifier".  It is probably the case that nothing will last forever,
   but in the time frame of resources, users of those resources, and the
   systems to support the resources, the identifier should be considered
   to be persistent or have a longer lifetime than those other entities.
   There are two assumptions that are implied by longevity of URNs:
   mobility and evolution.  Mobility will occur because resources may
   move from one machine to another, owners of resources may move among
   organizations, or the organizations themselves may merge, partition,
   or otherwise transforms themselves.  The Internet is continually
   evolving; protocols are being revised, new ones created, while
   security policies and mechanisms evolve as well.  These are only
   examples.  In general, we must assume that almost any piece of the
   supporting infrastructure of URN resolution will evolve.  In order to
   deal with both the mobility and evolution assumptions that derive
   from the assumption of longevity, we must assume that users and their
   applications can remain independent of these mutating details of the
   supporting infrastructure.

   The second assumption is that naming and resolution authorities may
   delegate some of their authority or responsibility; in both cases,
   the delegation of such authority is the only known method of allowing
   for the kind of scaling expected.  It is important to note that a
   significant feature of this work is the potential to separate name
   assignment, the job of labelling a resource with a URN, from name
   resolution, the job of discovering the resource given the URN.  In
   both cases, we expect multi-tiered delegation.  There may be RDS
   schemes that merge these two sets of responsibilities and delegation
   relationships; by doing so, they bind together or overload two
   distinctly different activities, thus probably impeding growth.



Sollins                      Informational                      [Page 5]

RFC 2276            Uniform Resource Name Resolution        January 1998


   The third assumption is independence or isolation of one authority
   from another and, at least to some extent, from its parent.  When one
   authority delegates some of its rights and responsibilities to
   another authority, the delegatee can operate in that domain
   independently of its peers and within bounds specified by the
   delegation, independently of the delegator.  This isolation is
   critically important in order to allow for independence of policy and
   mechanism.

   This third assumption has several corollaries.  First, we assume that
   the publisher of a resource can choose resolver services,
   independently of choices made by others.  At any given time, the
   owner of a namespace may choose a particular URN resolver service for
   that delegated namespace.  Such a URN resolver service may be outside
   the RDS service model, and only identified or located by the RDS
   service.  Second, it must be possible to make a choice among RDS
   services.  The existence of multiple RDS services may arise from the
   evolution of an RDS service, or development of new ones.  Although at
   any given time there is likely to be only one or a small set of such
   services, the number is likely to increase during a transition period
   from one architecture to another.  Thus, it must be assumed that
   clients can make a choice among a probably very small set of RDSs.
   Third, there must be independence in the choice about levels and
   models of security and authenticity required.  This choice may be
   made by the owner of a naming subspace, in controlling who can modify
   hints in that subspace.  A naming authority may delegate this choice
   to the owners of the resources named by the names it has assigned.
   There may be limitations on this freedom of choice in order to allow
   other participants to have the level of security and authenticity
   they require, for example, in order to maintain the integrity of the
   RDS infrastructure as a whole.  Fourth, there is an assumption of
   independence of choice of the rule of canonicalization of URNs within
   a namespace, limited by any restrictions or constraints that may have
   been set by its parent namespace.  This is a choice held by naming
   authorities over their own subnamespaces.  Rules for canonicalization
   will be discussed further in the framework section below.  Thus,
   there are assumptions of independence and isolation to allow for
   delegated, independent authority in a variety of domains.













Sollins                      Informational                      [Page 6]

RFC 2276            Uniform Resource Name Resolution        January 1998


   The modularity assumptions of delegation and isolation imply
   independence of decision and implementation, leading to a
   decentralization that provides a certain degree of safety from denial
   of service.  Based on these these assumptions in conjunction with
   that of longevity and those for URLs and URNs as detailed in RFCs
   1736 and 1737, we can now turn to the guidelines for an RDS.

3. Guidelines

   The guidelines applying to an RDS center around three important
   design principles in the areas of evolvability, usability, and
   security and privacy.  At its core the function of an RDS is to
   provide hints for accessing a resource given a URN for it.  These
   hints may range in applicability from local to global, and from
   short-lived to long-lived.  They also may vary in their degree of
   verifiable authenticity.  While it may be neither feasible nor
   necessary that initial implementations support every guideline, every
   implementation must support evolution to systems that do support the
   guidelines more fully.

   It is important to note that there are requirements, not applicable
   specifically to an RDS that must also be met.  A whole URN system
   will consist of names in namespaces, the resolution information for
   them, and the mapping from names in the namespaces to resolution
   information (or hints).  URNs themselves must meet the requirements
   of RFC 1737.  In addition, namespaces themselves must meet certain
   requirements as described by the URN Working Group [4].  Although all
   these requirements and guidelines are not described here, they must
   be supported to provide an acceptable system.

   Each section below begins with a summary of the points made in that
   section.  There is some degree of overlap among the areas, such as in
   allowing for the evolution of security mechanisms, etc., and hence
   issues may be addressed in more than one section.  It is also
   important to recognize that conformance with the guidelines will
   often be subjective.  As with many IETF guidelines and requirements,
   many of these are not quantifiable and hence conformance is a
   judgment call and a matter of degree.  Lastly, the reader may find
   that some of them are those of general applicability to distributed
   systems and some are specific to URN resolution.  Those of general
   applicability are included for completeness and are not distinguished
   as such.

3.1 Evolution

   The issues in the area of the first principle, that of evolvability,
   are:




Sollins                      Informational                      [Page 7]

RFC 2276            Uniform Resource Name Resolution        January 1998


       1.1) An RDS must be able to support scaling in at least three
            dimensions: the number of resources for which URNs will be
            required, the number of publishers and users of those
            resources, and the complexity of the delegation, as
            authority for resolution grows and possibly reflects
            delegation in naming authority;
       1.2) A hint resolution environment must support evolution of
            mechanisms, specifically for:
            * a growing set of URN schemes;
            * new kinds local URN resolver services;
            * new authentication schemes;
            * alternative RDS schemes active simultaneously;
       1.3) An RDS must allow the development and deployment of
            administrative control mechanisms to manage human behavior
            with respect to limited resources.

   One of the lessons of the Internet that we must incorporate into the
   development of mechanisms for resolving URNs is that we must be
   prepared for change.  Such changes may happen slowly enough to be
   considered evolutionary modifications of existing services, or
   dramatically enough to be considered revolutionary.  They may
   permeate the Internet universe bit by bit, living side by side with
   earlier services or they may take the Internet by storm, causing an
   apparent complete transformation over a short period of time.  There
   are several directions in which we can predict the need for
   evolution.  At the very least, the community and the mechanisms
   proposed should be prepared for these.

   First, scaling is a primary issue in conjunction with evolution.  The
   number of users, both human and electronic, as well as the number of
   resources will continue to grow exponentially for the near term, at
   least.  Hence the number of URNs will also increase similarly.  In
   addition, with growth in sheer numbers is likely to come growth in
   the delegation of both naming authority and resolution authority.
   These facts mean that an RDS design must be prepared to handle
   increasing numbers of requests for inclusion, update and resolution,
   in a set of RDS servers perhaps inter-related in more complex ways.
   This is not to say that there will necessarily be more updates or
   resolutions per URN; we cannot predict that at this time.  But, even
   so, the infrastructure may become more complex due to delegation,
   which may (as can be seen in Section 4 on the framework) lead to more
   complex rules for rewriting or extracting terms for staged
   resolution.  Any design is likely to perform less well above some set
   of limits, so it is worth considering the growth limitations of each
   design alternative.






Sollins                      Informational                      [Page 8]

RFC 2276            Uniform Resource Name Resolution        January 1998


   Second, we expect there to be additions and changes to the
   mechanisms.  The community already understands that there must be a
   capacity for new URN schemes, as described in [4].  A URN scheme will
   define a set of URNs that meet the URN requirements [2], but may have
   further constraints on the internal structure of the URN. The
   intention is that URN schemes can be free to specify parts of the URN
   that are left opaque in the larger picture.  In fact, a URN scheme
   may choose to make public or keep private the algorithms for any such
   "opaque" part of the URN.  In any case, we must be prepared for a
   growing number of URN schemes.

   Often in conjunction with a new URN scheme, but possibly
   independently of any particular URN scheme, new kinds of resolver
   services may evolve.  For example, one can imagine a specialized
   resolver service based on the particular structure of ISBNs that
   improves the efficiency of finding documents given their ISBNs.
   Alternatively, one can also imagine a general purpose resolver
   service that trades performance for generality; although it exhibits
   only average performance resolving ISBNs, it makes up for this
   weakness by understanding all existing URN schemes, so that its
   clients can use the same service to resolve URNs regardless of naming
   scheme.  In this context, there will always be room for improvement
   of services, through improved performance, better adaptability to new
   URN schemes, or lower cost, for example.  New models for URN
   resolution will evolve and we must be prepared to allow for their
   participation in the overall resolution of URNs.

   If we begin with one overall plan for URN resolution, into which the
   enhancements described above may fit, we must also be prepared for an
   evolution in the authentication schemes that will be considered
   either useful or necessary in the future.  There is no single
   globally accepted authentication scheme, and there may never be one.
   Even if one does exist at some point in time, we must always be
   prepared to move on to newer and better schemes, as the old ones
   become too easily spoofed or guessed.

   In terms of mechanism, although we may develop and deploy a single
   RDS scheme initially, we must be prepared for that top level model to
   evolve.  Thus, if the RDS model supports an apparently centralized
   (from a policy standpoint) scheme for inserting and modifying
   authoritative information, over time we must be prepared to evolve to
   a different model, perhaps one that has a more distributed model of
   authority and authenticity.  If the model has no core but rather a
   cascaded partial discovery of information, we may find that this
   becomes unmanageable with an increase in scaling.  Whatever the
   model, we must be prepared for it to evolve with changes in scaling,
   performance, and policy constraints such as security and cost.




Sollins                      Informational                      [Page 9]

RFC 2276            Uniform Resource Name Resolution        January 1998


   The third evolutionary issue is even more mechanical than the others.
   At any point in time, the community is likely to be supporting a
   compromise position with respect to resolution.  We will probably be
   operating in a situation balanced between feasibility and the ideal,
   perhaps with policy controls used to help stabilize use of the
   service.  Ideally, the service would be providing exactly what the
   customers wanted and they in turn would not request more support than
   they need, but it seems extremely unlikely.  Since we will almost
   always be in a situation in which some service provision resources
   will be in short supply, some form of policy controls will generally
   be necessary.  Some policy controls may be realized as mechanisms
   within the servers or in the details of protocols, while others may
   only be realized externally to the system.  For example, suppose hint
   entries are being submitted in such volume that the hint servers are
   using up their excess capacity and need more disk space.  Two
   suggestions for policy control are pricing and administrative.  As
   technology changes and the balance of which resources are in short
   supply changes, the mechanisms and policies for controlling their use
   must evolve as well.

3.2 Usability

   To summarize, the usability guidelines fall into three areas based on
   participation in hint management and discovery:

       2.1) The publisher
          2.1.1) URN to hint resolution must be correct and efficient
                 with very high probability;
          2.1.2) Publishers must be able to select and move among URN
                 resolver services to locate their resources;
          2.1.3) Publishers must be able to arrange for multiple access
                 points for their location information;
          2.1.4) Publishers should be able to provide hints with
                 varying lifetimes;
          2.1.5) It must be relatively easy for publishers to specify
                 to the management and observe their hint information as
                 well as any security constraints they need for their
                 hints.
       2.2) The client
          2.2.1) The interface to the RDS must be simple, effective,
                 and efficient;
          2.2.2) The client and client applications must be able to
                 understand the information stored in and provided by
                 the RDS easily, in order to be able to make informed
                 choices.
       2.3) The management
          2.3.1) The management of hints must be as unobtrusive as
                 possible, avoiding using too many network resources;



Sollins                      Informational                     [Page 10]

RFC 2276            Uniform Resource Name Resolution        January 1998


          2.3.2) The management of hints must allow for administrative
                 controls that encourage certain sorts of behavior
                 deemed necessary to meet other requirements;
          2.3.3) The configuration and verification of configuration of
                 individual RDS servers must be simple enough not to
                 discourage configuration and verification.

   Usability can be evaluated from three distinct perspectives: those of
   a publisher wishing to make a piece of information public, those of a
   client requesting URN resolution, and those of the provider or
   manager of resolution information.  We will separately address the
   usability issues from each of these three perspectives.  It is
   important to recognize that these may be sitautions in which
   interests of some of the participants (for exampel a use and a
   publisher) may be in conflict; some resolution will be needed.

   It is worth noting that there are two additional sorts of
   participants in the whole naming process, as discussed in the URN WG.
   They are the naming authorities which choose and assign names, and
   the authors who include URNs in their resources.  These two are not
   relevant to the design of an RDS and hence are not discussed further
   here.

3.2.1 The Publisher

   The publisher must be able to make URNs known to potential customers.
   From the perspective of a publisher, it is of primary importance that
   URNs be correctly and efficiently resolvable by potential clients
   with very high probability.  Publishers stand to gain from long-lived
   URNs, since they increase the chance that references continue to
   point to their published resources.

   The publisher must also be able to choose easily among a variety of
   potential services that might translate URNs to location information.
   In order to allow for this mobility among resolvers, the RDS
   architecture must support such transitions, within policy control
   bounds.  It is worth noting that although multiple listing services
   are available in telephone books, they are generally accompanied by a
   fee.  There is nothing preventing there being fees collected for
   similar sorts of services with respect to URNs.

   The publisher must be able to arrange for multiple access points to a
   published resource.  For this to be useful, resolver services should
   be prepared to provide different resolution or hint information to
   different clients, based on a variety of information including
   location and the various access privileges the client might have.  It
   is important to note that this may have serious implications for
   caching this information.  For example, companies might arrange for



Sollins                      Informational                     [Page 11]

RFC 2276            Uniform Resource Name Resolution        January 1998


   locally replicated copies of popular resources, and would like to
   provide access to the local copies only for their own employees.
   This is distinct from access control on the resource as a whole, and
   may be applied differently to different copies.

   The publisher should be able to provide both long and short term
   location information about accessing the resource.  Long term
   information is likely to be such information as the long term address
   of a resource itself or the location or identity of a resolver
   service with which the publisher has a long term relationship.  One
   can imagine that the arrangement with such a long term
   "authoritative" resolver service might be a guarantee of reliability,
   resiliency to failure, and atomic updates.  Shorter term information
   is useful for short term changes in services or to avoid short lived
   congestion or failure problems.  For example, if the actual
   repository of the resource is temporarily inaccessible, the resource
   might be made available from another repository.  This short term
   information can be viewed as temporary refinements of the longer term
   information, and as such should be more easily and quickly made
   available, but may be less reliable.  Some RDS designs may not
   distinguish between these two extremes.

   Lastly, the publishers will be the source of much hint information
   that will be stored and served by the manager of the infrastructure.
   Despite the fact that many publishers will not understand the details
   of the RDS mechanism, it must be easy and straightforward for them to
   install hint information.  This means that in general any one who
   wishes to publish and to whom the privilege of resolution has been
   extended through delegation, can do so.  The publisher must be able
   not only to express hints, but also to verify that what is being
   served by the manager is correct.  Furthermore, to the extent that
   there are security constraints on hint information, the publisher
   must be able to both express them and verify compliance with them
   easily.

3.2.2 The Client

   From the perspective of the client, simplicity and usability are
   paramount.  Of critical importance to serving clients effectively is
   that there be an efficient protocol through which the client can
   acquire hint information.  Since resolving the name is only the first
   step on the way to getting access to a resource, the amount of time
   spent on it must be minimized.

   Furthermore, it will be important to be able to build simple,
   standard interfaces to the RDS so that both the client and
   applications on the client's behalf can interpret hints and
   subsequently make informed choices.  The client, perhaps with the



Sollins                      Informational                     [Page 12]

RFC 2276            Uniform Resource Name Resolution        January 1998


   assistance of the application, must be able to specify preferences
   and priorities and then apply them.  If the ordering of hints is only
   partial, the client may become directly

   involved in the choice and interpretation of them and hence they must
   be understandable to that client.  On the other hand, in general it
   should be possible to configure default preferences, with individual
   preferences viewed as overriding any defaults.

   From the client's perspective, although URNs will provide important
   functionality, the client is most likely to interact directly only
   with human friendly names (HFNs).  As in direct human interaction
   (not computer mediated), the sharing of names will be on a small,
   private, or domain specific scale.  HFNs will be the sorts of
   references and names that are easy to remember, type, choose among,
   assign, etc.  There will also need to be a number of mechanisms for
   mapping HFNs to URNs.  Such services as "yellow pages" or "search
   tools" fall into this category.  Although we are mentioning HFNs
   here, it is important to recognize that HFNs and the mappings from
   HFNs to URNs is and must remain a separate functionality from an RDS.
   Hence, although HFNs will be critical to clients, they do not fall
   into the domain of this document.

3.2.3 The Management

   Finally, we must address the usability concerns with respect to the
   management of the hint infrastructure itself.  What we are terming
   "management" is a service that is distinct from publishing; it is the
   core of an RDS.  It involves the storage and provision of hints to
   the clients, so that they can find published resources.  It also
   provides security with respect to name resolution to the extent that
   there is a commitment for provision of such security; this is
   addressed in Section 3.3 below.

   The management of hints must be as unobtrusive as possible. First,
   its infrastructure (hint storage servers and distribution protocols)
   must have as little impact as possible on other network activities.
   It must be remembered that this is an auxiliary activity and must
   remain in the background.

   Second, in order to make hint management feasible, there may need to
   be a system for administrative incentives and disincentives such as
   pricing or legal restrictions.  Recovering the cost of running the
   system is only one reason for levying charges.  The introduction of
   payments often has an impact on social behavior.  It may be necessary
   to discourage certain forms of behavior that when out of control have
   serious negative impact on the whole community.  At the same time,
   any administrative policies should encourage behavior that benefits



Sollins                      Informational                     [Page 13]

RFC 2276            Uniform Resource Name Resolution        January 1998


   the community as a whole.  Thus, for example, a small one-time charge
   for authoritatively storing a hint might encourage conservative use
   of hints.  If we assume that there is a fixed cost for managing a
   hint, then the broader its applicability across the URN space, the
   more cost effective it is.  That is, when one hint can serve for a
   whole collection of URNs, there will be an incentive to submit one
   general hint over a large number of more specific hints.  Similar
   policies can be instituted to discourage the frequent changing of
   hints.  In these ways and others, behavior benefitting the community
   as a whole can be encouraged.

   Lastly, symmetric to issues of usability for publishers, it must also
   be simple for the management to configure the mapping of URNs to
   hints.  It must be easy both to understand the configuration and to
   verify that configuration is correct.  With respect to management,
   this issue may have an impact not only on the information itself but
   also on how it is partitioned among network servers that
   collaboratively provide the management service or RDS.  For example,
   it should be straightforward to bring up a server and verify that the
   data it is managing is correct.  Although this is not a guideline, it
   is worth nothing that since we are discussing a global and probably
   growing service, encouraging volunteer participants suggests that, as
   with the DNS, such volunteers can feel confident about the service
   they are providing and its benefit to both themselves and the rest of
   the community.

3.3 Security and Privacy

   In summary, security and privacy guidelines can be identified as some
   degree of protection from threats.  The guidelines that fall under
   this third principle, that of security, are all stated in terms of
   possibilities or options for users of the service to require and
   utilize.  Hence they address the availability of functionality, but
   not for the use of it.  We recognize that all security is a matter of
   degree and compromise.  These may not satisfy all potential
   customers, and there is no intention here to prevent the building of
   more secure servers with more secure protocols to suit their needs.
   These are intended to satisfy the needs of the general public.

       3.1) It must be possible to create authoritative versions of a
            hint with access-to-modification privileges controlled;
       3.2) It must be possible to determine the identity of servers or
            avoid contact with unauthenticated servers;
       3.3) It must be possible to reduce the threat of denial of
            service by broad distribution of information across servers;
       3.4) It must be possible within the bounds of organizational
            policy criteria to provide at least some degree of privacy
            for traffic;



Sollins                      Informational                     [Page 14]

RFC 2276            Uniform Resource Name Resolution        January 1998


       3.5) It must be possible for publishers to keep private certain
            information such as an overall picture of the resources they
            are publishing and the identity of their clients;
       3.6) It must be possible for publishers to be able to restrict
            access to the resolution of the URNs for the resources they
            publish, if they wish.

   When one discusses security, one of the primary issues is an
   enumeration of the threats being considered for mitigation.  The
   tradeoffs often include cost in money and computational and
   communications resources, ease of use, likelihood of use, and
   effectiveness of the mechanisms proposed.  With this in mind, let us
   consider a set of threats.

   Voydock and Kent [5] provide a useful catalog of potential threats.
   Of these the passive threats to privacy or confidentiality and the
   active threats to authenticity and integrity are probably the most
   important to consider here.  To the extent that spurious association
   causes threats to the privacy, authenticity, or integrity with
   respect to information within servers managing data, it is also
   important.  Denial of service is probably the most difficult of these
   areas of threats both to detect and to prevent, and we will therefore
   set it aside for the present as well, although it will be seen that
   solutions to other problems will also mitigate some of the problems
   of denial of service.  Furthermore, because this is intended to be
   provide a global service to meet the needs of a variety of
   communities, the engineering tradeoffs will be different for
   different clients.  Hence the guidelines are stated in terms of, "It
   must be possible..."  It is important to note that the information of
   concern here is hint information, which by nature is not guaranteed
   to be correct or up-to-date; therefore, it is unlikely to be worth
   putting too much expense into the correctness of hints, because there
   is no guarantee that they are still correct anyway.  The exact choice
   of degree of privacy, authenticity, and integrity must be determined
   by the needs of the client and the availability of services from the
   server.

   To avoid confusion it is valuable to highlight the meanings of terms
   that have different meanings in other contexts.  In this case, the
   term "authoritative" as it is used here connotes the taking of an
   action or stamp of approval by a principal (again in the security
   sense) that has the right to perform such an act of approval.  It has
   no implication of correctness of information, but only perhaps an
   implication of who claimed it to be correct.  In contrast, the term
   is often also used simply to refer to a primary copy of a piece of
   information for which there may also be secondary or cached copies
   available.  In this discussion of security we use the former meaning,
   although it may also be important to be able to learn about whether a



Sollins                      Informational                     [Page 15]

RFC 2276            Uniform Resource Name Resolution        January 1998


   piece of information is from a primary source or not and request that
   it be primary.  This second meaning arises elsewhere in the document
   and is so noted there.

   It is also important to distinguish various possible meanings for
   "access control".  There are two areas in which distinctions can be
   made.  First, there is the question of the kind of access control
   that is being addressed, for example, in terms of hints whether it is
   read access, read and modify access, or read with verification for
   authenticity.  Second, there is the question of to what access is
   being controlled.  In the context of naming it might be the names
   themselves (not the case for URNs), the mapping of URNs to hints (the
   business of an RDS), the mapping of URNs to addresses (not the
   business of an RDS as will be discussed below in terms of privacy),
   or the resource itself (unrelated to naming or name resolution at
   all).  We attempt to be clear about what is meant when using "access
   control".

   There is one further issue to address at this point, the distinction
   between mechanism and policy.  In general, a policy is realized by
   means of a set of mechanisms.  In the case of an RDS there may be
   policies internal to the RDS that it needs to have supported in order
   to do its business as it sees fit.  Since, in general it is in the
   business of storing and distributing information, most of its
   security policies may have to do with maintaining its own integrity,
   and are rather limited.  Beyond that, to the degree possible, it
   should impose no policy on its customers, the publishers and users.
   It is they that may have policies that they would like supported by
   the RDS.  To that end, an RDS should provide a spectrum of "tools" or
   mechanisms that the customers can cause to be deployed on their
   behalf to realize policies.  An RDS may not provide all that is
   needed by a customer.  A customer may have different requirements
   within his or her administrative bounds than outside.  Thus, "it must
   be possible..."  captures the idea that the RDS must generally
   provide the tools to implement policies as needed by the customers.

   The first approach to URN resolution is to discover local hints.  In
   order for hints to be discovered locally, they will need to be as
   widely distributed as possible to what is considered to be local for
   every locale.  The drawback of such wide distribution is the wide
   distribution of updates, causing network traffic problems or delays
   in delivering updates.  An alternative model would concentrate hint
   information in servers, thus requiring that update information only
   be distributed to these servers.  In such a model the vulnerable
   points are the sources of the information and the distribution
   network among them.  Attackers on the integrity of the information
   stored in a server may come in the form of masquerading as the owner
   or the server of the information.  Wide replication of information



Sollins                      Informational                     [Page 16]

RFC 2276            Uniform Resource Name Resolution        January 1998


   among servers increases the difficult of masquerading at all the
   locations of the information as well as reducing the threat of denial
   service.  These lead us to three identifiable guidelines for our
   security model:

   * ACCESS CONTROL ON HINTS: It must be possible to create an
     authoritative version of each hint with change control limited only
     to those principals with the right to modify it.  The choice of who
     those principals are or whether they are unlimited must be made by
     the publisher of a hint.

   * SERVER AUTHENTICITY: Servers and clients must be able to learn the
     identity of the servers with which they communicate.  This will be
     a matter of degree and it is possible that there will be more
     trustworthy, but less accessible servers, supported by a larger
     cluster of less authenticatable servers that are more widely
     available.  In the worst case, if the client receives what appears
     to be unvalidated information, the client should assume that the
     hint may be inaccurate and confirmation of the data might be sought
     from more reliable but less accessible sources.

   * SERVER DISTRIBUTION: Broad availability will provide resistance to
     denial of service.  It is only to the extent that the services are
     available that they provide any degree of trustworthiness.  In
     addition, the distribution of services will reduce vulnerability of
     the whole community, by reducing the trust put in any single
     server.  This must be mitigated by the fact that to the extent
     trust is based on a linked set of servers, if any one fails, the
     whole chain of trust fails; the more elements there are in such a
     chain, the more vulnerable it may become.

   Privacy can be a double-edged sword.  For example, on one hand, an
   organization may consider it critically important that its
   competitors not be able to read its traffic.  On the other hand, it
   may also consider it important to be able to monitor exactly what its
   employees are transmitting to and from whom, for a variety of reasons
   such as reducing the probability that its employees are giving or
   selling the company's secrets to verifying that employees are not
   using company resources for private endeavor.  Thus, although there
   are likely to be needs for privacy and confidentiality, what they
   are, who controls them and how, and by what mechanisms vary widely
   enough that it is difficult to say anything concrete about them here.

   The privacy of publishers is much easier to address.  Since they are
   trying to publish something, in general privacy is probably not
   desired.  However, publishers do have information that they might
   like to keep private: information about who their clients are, and
   information about what names exist in their namespace.  The



Sollins                      Informational                     [Page 17]

RFC 2276            Uniform Resource Name Resolution        January 1998


   information about who their clients are may be difficult to collect
   depending on the implementation of the resolution system.  For
   example, if the resolution information relating to a given publisher
   is widely replicated, the hits to _each_ replicated copy would need
   to be recorded.  Of course, determining if a specific client is
   requesting a given name can be approached from the other direction,
   by watching the client as we saw above.

   There are likely to be some publishers publishing for a restricted
   audience.  To the extent they want to restrict access to a resource,
   that is the responsibility of the repository providing and
   restricting access to the resource.  If they wish to keep the name
   and hints for a resource private, a public RDS may be inadequate for
   their needs.  In general, it is intended for those who want customers
   to find their resources in an unconstrained fashion.

   The final privacy issue for publishers has to do with access control
   over URN resolution.  This issue is dependent on the implementation
   of the publisher's authoritative (in the sense of "primary) URN
   resolver server.  URN resolver servers can be designed to require
   proof of identity in order to be issued resolution information; if
   the client does not have permission to access the URN requested, the
   service denies that such a URN exists.  An encrypted protocol can
   also be used so that both the request and the response are obscured.
   Encryption is possible in this case because the identity of the final
   recipient is known (i.e.  the URN server).  Thus, access control over
   URN resolution can and should be provided by resolver servers rather
   than an RDS.

4. The Framework

   With these assumptions and guidelines in mind, we conclude with a
   general framework within which RDS designs may fall.  As stated
   earlier, although this framework is put forth as a suggested guide
   for RDS designers, compliance with it will in no way guarantee
   compliance with the guidelines.  Such an evaluation must be performed
   separately.  All such lack of compliance should be clearly
   documented.

   The design of the framework is based on the syntax of a URN as
   documented in RFC-2141 [6].  This is:

                              URN::

   where URN: is a prefix on all URNs, NID is the namespace identifier,
   and NSS is the namespace specific string.  The prefix identifies each
   URN as such.  The NID determines the general syntax for all URNs
   within its namespace.  The NSS is probably partitioned into a set of



Sollins                      Informational                     [Page 18]

RFC 2276            Uniform Resource Name Resolution        January 1998


   delegated and subdelegated namespaces, and this is possibly reflected
   in further syntax specifications.  In more complex environments, each
   delegated namespace will be permitted to choose the syntax of the
   variable part of the namespace that has been delegated to it.  In
   simpler namespaces, the syntax will be restricted completely by the
   parent namespace.  For example, although the DNS does not meet all
   the requirements for URNs, it has a completely restricted syntax,
   such that any further structuring must be done only by adding further
   refinements to the left, maintaining the high order to low order,
   right to left structure.  A delegated syntax might be one in which a
   host is named by the DNS, but to the right of that and separated by
   an "@" is a string whose internal ordering is defined by the file
   system on the host, which may be defined high order to low order,
   left to right.  Of course, much more complex and nested syntaxes
   should be possible, especially given the need to grandfather
   namespaces.  In order to resolve URNs, rules will be needed for two
   reasons.  One is simply to canonicalize those namespaces that do not
   fall into a straightforward (probably right to left or left to right)
   ordering of the components of a URN, as determined by the delegated
   naming authorities involved.  It is also possible that rules will be
   needed in order to derive from URNs the names of RDS servers to be
   used in stages.





























Sollins                      Informational                     [Page 19]

RFC 2276            Uniform Resource Name Resolution        January 1998


                            URN:
                                 |
                                 |
                                 |
                                 |
                                 v
                       +-------------------+
                       |Global NID registry|
                       +-------------------+
                                 |
                                 |
                                 |
              (return rule or URN resolver service reference)
                                 |
                                 +----------------------------------+
                                 |                                  |
                       +->(apply rule to determine RDS server)      |
                       |         |                                  |
                       |         |                                  |
                       |         |                                  |
                       |    +----------+                            |
                       |    |RDS server|          +-----------------+
                       |    +----------+          |
                       |      |   |               v
                       |      |   |   (set of choices)
                       |      |   +----+----------(...)--------+
                       |   (rule)      |                       |
                       |      |        |                       |
                       |      |        |                       |
                       +------+        |                       |
                                       v                       v
                                  +----------+            +----------+
                                  |URN       |            |URN       |
                                  |resolver  |            |resolver  |
                                  |service   |            |service   |
                                  +----------+            +----------+

                       Figure 1: An RDS framework

   The NID defines a top level syntax.  This syntax will determine
   whether the NID alone or in conjunction with some extraction from the
   NSS (for the top level naming authority name) is to be used to
   identify the first level server to be contacted.  At each stage of
   the lookup either a new rule for generating the strings used in yet
   another lookup (the strings being the identity of another RDS server
   and possibly a string to be resolved if it is different than the
   original URN) or a reference outside the RDS to a URN resolver
   service, sidestepping any further use of the RDS scheme.  Figure 1



Sollins                      Informational                     [Page 20]

RFC 2276            Uniform Resource Name Resolution        January 1998


   depicts this process.

   There are several points worth noting about the RDS framework.
   First, it leaves open the determination of the protocols, data
   organization, distribution and replication needed to support a
   particular RDS scheme.  Second, it leaves open the location of the
   computations engendered by the rules.  Third, it leaves open the
   possibility that partitioning (distribution) of the RDS database need
   not be on the same boundaries as the name delegation.  This may seem
   radical to some, but if the information is stored in balanced B-trees
   for example, the partitioning may not be along those naming authority
   delegation boundaries (see [7]).  Lastly, it leaves open access to
   the Global NID Registry.  Is this distributed to every client, or
   managed in widely distributed servers?  It is important to note that
   it is the intention here that a single RDS scheme is likely to
   support names from many or all naming schemes, as embodied in their
   NIDs.

   One concept that has not been addressed in Figure 1 is that there may
   be more than one RDS available at any given time, in order to allow
   for evolution to new schemes.  Thus, the picture should probably look
   more like Figure 2.





























Sollins                      Informational                     [Page 21]

RFC 2276            Uniform Resource Name Resolution        January 1998


                         URN::
                               |
                               |
                   +-----------+-------(...)-------+
                   |                               |
                   |                               |
                   |                               |
                   v                               v
         +---------------------+        +---------------------+
         |Global NID registry 1|        |Global NID registry N|
         +---------------------+        +---------------------+
                   .                               .
                   .                               .
                   .                               .


             Figure 2: More than one co-existing RDS scheme

   If we are to support more than one co-existing RDS scheme, there will
   need to be coordination among them with respect to storage and
   propagation of information and modifications.  The issue is that
   generally it should be assumed that all information should be
   available through any operational RDS scheme.  One cannot expect
   potential publishers to submit updates to more than one RDS scheme.
   Hence there will need to be a straightforward mapping of information
   from one to the other of these schemes.  It is possible that that
   transformation will only go in one direction, because a newer RDS
   service is replacing an older one, which is not kept up to date, in
   order to encourage transfer to the newer one.  Thus, at some point,
   updates may be made only to the newer one and not be made available
   to the older one, as is often done with library catalogs.

   This framework is presented in order to suggest to RDS scheme
   designers a direction in which to start designing.  It should be
   obvious to the reader that adherence to this framework will in no way
   guarantee compliance with the guidelines or even the assumptions
   described in Sections 2 and 3.  These must be reviewed independently
   as part of the design process.  There is no single correct design
   that will conform to these guidelines.  Furthermore, it is assumed
   that preliminary proposals may not meet all the guidelines, but
   should be expected to itemized and justify any lack of compliance.










Sollins                      Informational                     [Page 22]

RFC 2276            Uniform Resource Name Resolution        January 1998


5. Acknowledgments

   Foremost acknowledgment for this document goes to Lewis Girod, as my
   co-author on a preliminary URN requirements document and for his
   insightful comments on this version of the document.  Thanks also go
   to Ron Daniel especially for his many comments on my writing.  In
   addition, I recognize the contributors to a previous URN framework
   document, the "Knoxville" group.  There are too many of you to
   acknowledge here individually, but thank you.  Finally, I must thank
   the contributors to the URN working group and mailing list (urn-
   ietf@bunyip.com), for your animated discussions on these and related
   topics.

6. References

   [1] Kunze, J., "Functional Recommendations for Internet Resource
   Locators", RFC 1736, February 1995.

   [2] Sollins, K., and L. Masinter, "Functional Requirements for
   Uniform Resource Names", RFC 1738, December 1994.

   [3] Berners-Lee, T., Masinter, L., and M. McCahill, "Uniform Resource
   Locators (URL)", RFC 1738, December 1994.

   [4] URN Working Group, "Namespace Identifier Requirements for URN
   Services," Work in Progress.

   [5] Voydock, V. L., and Kent, S. T., "Security Mechanisms in High-
   Level Protocols", ACM Computing Surveys, v. 15, No. 2, June, 1983,
   pp. 135-171.

   [6] Moats, R., "URN Syntax", RFC 2141, May 1997.

   [7] Slottow, E.G., "Engineering a Global Resolution Service," MIT-
   LCS-TR712, June, 1997.  Currently available as
    or
   .

7. Author's Address

   Karen Sollins
   MIT Laboratory for Computer Science
   545 Technology Sq.
   Cambridge, MA 02139

   Phone: +1 617 253 6006
   EMail: sollins@lcs.mit.edu




Sollins                      Informational                     [Page 23]

RFC 2276            Uniform Resource Name Resolution        January 1998


8.  Full Copyright Statement

   Copyright (C) The Internet Society (1998).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
























Sollins                      Informational                     [Page 24]