Skip to main content

URI Design and Ownership

The information below is for an old version of the document.
Document Type
This is an older version of an Internet-Draft that was ultimately published as RFC 7320.
Author Mark Nottingham
Last updated 2014-05-15 (Latest revision 2014-04-22)
Replaces draft-nottingham-uri-get-off-my-lawn
RFC stream Internet Engineering Task Force (IETF)
Additional resources Mailing list discussion
Stream WG state Submitted to IESG for Publication
Document shepherd Martin Thomson
Shepherd write-up Show Last changed 2014-04-07
IESG IESG state Became RFC 7320 (Best Current Practice)
Consensus boilerplate Yes
Telechat date (None)
Needs a YES. Needs 10 more YES or NO OBJECTION positions to pass.
Responsible AD Barry Leiba
Send notices to,,
IANA IANA review state IANA OK - No Actions Needed
appsawg                                                    M. Nottingham
Updates: 3986 (if approved)                               April 23, 2014
Intended status: Best Current Practice
Expires: October 25, 2014

                        URI Design and Ownership


   RFC3986 Section 1.1.1 defines URI syntax as "a federated and
   extensible naming system wherein each scheme's specification may
   further restrict the syntax and semantics of identifiers using that
   scheme."  In other words, the structure of a URI is defined by its
   scheme.  While it is common for schemes to further delegate their
   substructure to the URI's owner, publishing independent standards
   that mandate particular forms of URI substructure is inappropriate,
   because that essentially usurps ownership.  This document further
   describes this problematic practice and provides some acceptable
   alternatives for use in standards.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 25, 2014.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of

Nottingham              Expires October 25, 2014                [Page 1]
Internet-Draft            URI Design Ownership                April 2014

   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Who This Document Is For  . . . . . . . . . . . . . . . .   3
     1.2.  Notational Conventions  . . . . . . . . . . . . . . . . .   4
   2.  Best Current Practices for Standardizing Structured URIs  . .   4
     2.1.  URI Schemes . . . . . . . . . . . . . . . . . . . . . . .   4
     2.2.  URI Authorities . . . . . . . . . . . . . . . . . . . . .   4
     2.3.  URI Paths . . . . . . . . . . . . . . . . . . . . . . . .   5
     2.4.  URI Queries . . . . . . . . . . . . . . . . . . . . . . .   5
     2.5.  URI Fragment Identifiers  . . . . . . . . . . . . . . . .   5
   3.  Alternatives to Specifying Structure in URIs  . . . . . . . .   6
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   6
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   7
     6.1.  Normative References  . . . . . . . . . . . . . . . . . .   7
     6.2.  Informative References  . . . . . . . . . . . . . . . . .   7
   Appendix A.  Acknowledgments  . . . . . . . . . . . . . . . . . .   7
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   URIs [RFC3986] very often include structured application data.  This
   might include artifacts from filesystems (often occurring in the path
   component), and user information (often in the query component).  In
   some cases, there can even be application-specific data in the
   authority component (e.g., some applications are spread across
   several hostnames to enable a form of partitioning or dispatch).

   Furthermore, constraints upon the structure of URIs can be imposed by
   an implementation; for example, many Web servers use the filename
   extension of the last path segment to determine the media type of the
   response.  Likewise, pre-packaged applications often have highly
   structured URIs that can only be changed in limited ways (often, just
   the hostname and port they are deployed upon).

   Because the owner of the URI (as defined in [webarch]
   Section is choosing to use the server or the software, this
   can be seen as reasonable delegation of authority.  When such
   conventions are mandated by a party other than the owner, however, it
   can have several potentially detrimental effects:

Nottingham              Expires October 25, 2014                [Page 2]
Internet-Draft            URI Design Ownership                April 2014

   o  Collisions - As more ad hoc conventions for URI structure become
      standardized, it becomes more likely that there will be collisions
      between them (especially considering that servers, applications
      and individual deployments will have their own conventions).

   o  Dilution - When the information added to a URI is ephemeral, this
      dilutes its utility by reducing its stability (see [webarch]
      Section 3.5.1), and can cause several alternate forms of the URI
      to exist (see [webarch] Section 2.3.1).

   o  Rigidity - Fixed URI syntax often interferes with desired
      deployment patterns.  For example, if an authority wishes to offer
      several applications on a single hostname, it becomes difficult to
      impossible to do if their URIs do not allow the required

   o  Operational Difficulty - Supporting some URI conventions can be
      difficult in some implementations.  For example, specifying that a
      particular query parameter be used precludes the use of Web
      servers that serve the response from a filesystem.  Likewise, an
      application that fixes a base path for its operation (e.g., "/v1")
      makes it impossible to deploy other applications with the same
      prefix on the same host.

   o  Client Assumptions - When conventions are standardized, some
      clients will inevitably assume that the standards are in use when
      those conventions are seen.  This can lead to interoperability
      problems; for example, if a specification documents that the "sig"
      URI query parameter indicates that its payload is a cryptographic
      signature for the URI, it can lead to undesirable behavior.

   Publishing an independent standard that constrains an existing URI
   structure in ways which aren't explicitly allowed by [RFC3986] (e.g.,
   by defining it in the URI scheme) is usually inappropriate, because
   the structure of a URI needs to be firmly under the control of its
   owner, and the IETF (as well as other organizations) should not usurp

   This document explains best current practices for establishing URI
   structures, conventions and formats in standards.  It also offers
   strategies for specifications to avoid violating these guidelines in
   Section 3.

1.1.  Who This Document Is For

   This document's requirements primarily target a few different types
   of specifications:

Nottingham              Expires October 25, 2014                [Page 3]
Internet-Draft            URI Design Ownership                April 2014

   o  Protocol Extensions ("extensions") - specifications that offer new
      capabilities to potentially any identifier, or a large subset;
      e.g., a new signature mechanism for 'http' URIs, or metadata for
      any URI.

   o  Applications Using URIs ("applications") - specifications that use
      URIs to meet specific needs; e.g., a HTTP interface to particular
      information on a host.

   Requirements that target the generic class "Specifications" apply to
   all specifications, including both those enumerated above and others.

   Note that this specification ought not be interpreted as preventing
   the allocation of control of URIs by parties that legitimately own
   them, or have delegated that ownership; for example, a specification
   might legitimately define the semantics of a URI on the IANA.ORG Web
   site as part of the establishment of a registry.

1.2.  Notational Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in [RFC2119].

2.  Best Current Practices for Standardizing Structured URIs

   This section updates [RFC3986] by setting limitations on how other
   specifications may define structure and semantics within URIs.  Best
   practices differ depending on the URI component, as described below.

2.1.  URI Schemes

   Applications and extensions MAY require use of specific URI
   scheme(s); for example, it is perfectly acceptable to require that an
   application support 'http' and 'https' URIs.  However, applications
   SHOULD NOT preclude the use of other URI schemes in the future,
   unless they are clearly specific to the nominated schemes.

   A specification that defines substructure within a URI scheme MUST do
   so in the defining document for that URI scheme, or by modifying

2.2.  URI Authorities

   Scheme definitions define the presence, format and semantics of an
   authority component in URIs; all other specifications MUST NOT
   constrain, or define the structure or the semantics for URI
   authorities, unless they update the scheme registration itself.

Nottingham              Expires October 25, 2014                [Page 4]
Internet-Draft            URI Design Ownership                April 2014

   For example, an extension or application cannot say that the "foo"
   prefix in "" is meaningful or triggers special
   handling in URIs.

2.3.  URI Paths

   Scheme definitions define the presence, format, and semantics of a
   path component in URIs; all other specifications MUST NOT constrain,
   or define the structure or the semantics for any path component.

   The only exception to this requirement is registered "well-known"
   URIs, as specified by [RFC5785].  See that document for a description
   of the applicability of that mechanism.

   For example, an application cannot specify a fixed URI path "/myapp",
   since this usurps the host's control of that space.  Specifying a
   fixed path relative to another (e.g., {whatever}/myapp) is also bad
   practice (even if "whatever" is discovered as suggested in
   Section 3); while doing so might prevent collisions, it does not
   avoid the potential for operational difficulties discussed in
   Section 1.

2.4.  URI Queries

   The presence, format and semantics of the query component of URIs is
   dependent upon many factors, and MAY be constrained by a scheme
   definition.  Often, they are determined by the implementation of a
   resource itself.

   Applications SHOULD NOT directly specify the syntax of queries, as
   this can cause operational difficulties for deployments that do not
   support a particular form of a query.

   Extensions MUST NOT specify the format or semantics of queries.

   For example, an extension that indicates that all query parameters
   with the name "sig" indicate a cryptographic signature is not
   conforming; doing so would collide with potentially pre-existing
   query parameters on sites, and lead clients to assume that any
   matching query parameter is a signature.

2.5.  URI Fragment Identifiers

   Media type definitions (as per [RFC6838]) SHOULD specify the fragment
   identifier syntax(es) to be used with them; other specifications MUST
   NOT define structure within the fragment identifier, unless they are
   explicitly defining one for reuse by media type definitions.

Nottingham              Expires October 25, 2014                [Page 5]
Internet-Draft            URI Design Ownership                April 2014

   For example, an application that defines common fragment identifiers
   across media types not controlled by it is not conforming, and would
   engender interoperability problems with handlers for those media
   types (because the new, non-standard syntax is not expected).

3.  Alternatives to Specifying Structure in URIs

   Given the issues described in Section 1, the most successful strategy
   for applications and extensions that wish to use URIs is to use them
   in the fashion they were designed: as links that are exchanged as
   part of the protocol, rather than statically specified syntax.
   Several existing specifications can aid in this.

   [RFC5988] specifies relation types for Web links.  By providing a
   framework for linking on the Web, where every link has a relation
   type, context and target, it allows applications to define a link's
   semantics and connectivity.

   [RFC6570] provides a standard syntax for URI Templates that can be
   used to dynamically insert application-specific variables into a URI
   to enable such applications while avoiding impinging upon URI owners'
   control of them.

   [RFC5785] allows specific paths to be 'reserved' for standard use on
   URI schemes that opt into that mechanism ('http' and 'https' by
   default).  Note, however, that this is not a general "escape valve"
   for applications that need structured URIs; see that specification
   for more information.

   Specifying more elaborate structures in an attempt to avoid
   collisions is not an acceptable solution, and does not address the
   issues in Section 1.  For example, prefixing query parameters with
   "myapp_" does not help, because the prefix itself is subject to the
   risk of collision (since it is not "reserved").

4.  Security Considerations

   This document does not introduce new protocol artifacts with security
   considerations.  It prohibits some practices that might lead to
   vulnerabilities; for example, if a security-sensitive mechanism is
   introduced by assuming that a URI path component or query string has
   a particular meaning, false positives might be encountered (due to
   sites that already use the chosen string).  See also [RFC6943].

Nottingham              Expires October 25, 2014                [Page 6]
Internet-Draft            URI Design Ownership                April 2014

5.  IANA Considerations

   There are no direct IANA actions specified in this document.

6.  References

6.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66, RFC
              3986, January 2005.

   [RFC6838]  Freed, N., Klensin, J., and T. Hansen, "Media Type
              Specifications and Registration Procedures", BCP 13, RFC
              6838, January 2013.

   [webarch]  Jacobs, I. and N. Walsh, "Architecture of the World Wide
              Web, Volume One", December 2004,

6.2.  Informative References

   [RFC4395]  Hansen, T., Hardie, T., and L. Masinter, "Guidelines and
              Registration Procedures for New URI Schemes", BCP 35, RFC
              4395, February 2006.

   [RFC5785]  Nottingham, M. and E. Hammer-Lahav, "Defining Well-Known
              Uniform Resource Identifiers (URIs)", RFC 5785, April

   [RFC5988]  Nottingham, M., "Web Linking", RFC 5988, October 2010.

   [RFC6570]  Gregorio, J., Fielding, R., Hadley, M., Nottingham, M.,
              and D. Orchard, "URI Template", RFC 6570, March 2012.

   [RFC6943]  Thaler, D., "Issues in Identifier Comparison for Security
              Purposes", RFC 6943, May 2013.

Appendix A.  Acknowledgments

   Thanks to David Booth, Dave Crocker, Tim Bray, Anne van Kesteren,
   Martin Thomson, Erik Wilde, Dave Thaler and Barry Leiba for their
   suggestions and feedback.

Nottingham              Expires October 25, 2014                [Page 7]
Internet-Draft            URI Design Ownership                April 2014

Author's Address

   Mark Nottingham


Nottingham              Expires October 25, 2014                [Page 8]