|Network Working Group||P. Saint-Andre|
|Intended status: Best Current Practice||D. Crocker|
|Expires: January 27, 2012||Brandenburg InternetWorking|
|July 26, 2011|
Deprecating Use of the "X-" Prefix in Application Protocols
Historically, there has often been a perceived distinction between "standard" and "non-standard" parameters (such as media types and header fields), by prefixing the latter with the string "X-" or similar constructions (e.g., "x.").
In practice, this convention causes more problems than it solves. Therefore, this document deprecates the "X-" convention for most application protocol parameters.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 27, 2012.
Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
- 1. Introduction
- 2. Terminology
- 3. Recommendations for New Parameters
- 4. Recommendations for Application Protocols
- 5. Security Considerations
- 6. IANA Considerations
- 7. Acknowledgements
- 8. References
- 8.1. Normative References
- 8.2. Informative References
- Appendix A. Background
- Appendix B. Analysis
- Authors' Addresses
Many application protocols use named parameters to identify data (media types, header fields in Internet mail messages and HTTP requests, etc.). Historically, protocol designers and implementers have often distinguished between "standard" and "non-standard" parameters by prefixing the latter with the string "X-" or similar constructions (e.g., "x."), where the "X" is commonly understood to stand for "eXperimental" or "eXtension".
Although in theory the "X-" convention was a good way to avoid collisions (and attendant interoperability problems) between standard parameters and non-standard parameters, in practice the costs associated with the advancement of non-standard parameters into the standards space outweigh the benefits. Therefore this document deprecates the "X-" convention for most application protocols by making specific recommendations.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
Creators of new parameters in existing protocols (e.g., HTTP headers, Internet media types) -- regardless of who creates them:
- SHOULD by default assume that all parameters they create have the potential to advance to a standard.
- SHOULD utilise meaningful but currently unused names WITHOUT the "X-" prefix, when there is a potential for it to becomes widely used and/or standardized (e.g., because an extension is public or awaiting wider validation) .
- SHOULD follow conventions specific to the parameter when creating parameters for use in implementation-specific applications or on private networks. Depending on the parameter, this could be a URI (e.g., "http://example.com/foo"), a name that incorporates the relevant organization's name (e.g., "ExampleInc-foo" or "VND.ExampleInc.foo") or primary domain name (e.g., "com.example.foo").
- SHOULD generate meaningless names for parameters that will not become standardized (e.g., because the extension is completely private or purely speculative). For example, the output of a hash function (e.g., "esuDj6Ssil8kDn4yfvvdwMTRhlU"), a UUID (e.g., "1AB9C36F-1618-4C1F-855D-96B5BAFC7FB3"), or even a nonsense word (e.g., "foobarbazqux") .
Authors of application protocols that allow extension using parameters:
- SHOULD provide unlimited registries with well-defined registration procedures and SHOULD mandate registration of all non-private parameters, independent of the form of the parameter names.
- MUST NOT assume that any parameter with the "X-" prefix is non-standard and that any parameter without the "X-" prefix is standard.
- SHOULD identify a convention (and reserve delimiters as necessary) to allow local or implementation-specific extensions; e.g. the "vnd." scheme in [RFC4288].
- SHOULD NOT bar parameters with the "X-" prefix from being registered with IANA, as all existing parameters with the "X-" prefix need to be registered with IANA.
Interoperability and migration issues with security-critical parameters can result in unnecessary vulnerabilities.
[TODO: describe changes to existing procedures to IANA; update RFCs?]
Thanks to Claudio Allocchio, Adam Barth, Nathaniel Borenstein, Eric Burger, Al Constanzo, Dave Cridland, Martin Duerst, Frank Ellermann, J.D. Falk, Tony Finch, Tony Hansen, Ted Hardie, Joe Hildebrand, Alfred Hoenes, Paul Hoffman, Eric Johnson, John Klensin, Graham Klyne, Murray Kucherawy, Eliot Lear, John Levine, Bill McQuillan, Alexey Melnikov, Subramanian Moonesamy, Keith Moore, Ben Niven-Jenkins, Dirk Pranke, Randy Presuhn, Julian Reschke, Doug Royer, Andrew Sullivan, Martin Thomson, Nicolas Williams, Tim Williams, and Kurt Zeilenga for their feedback.
8.1. Normative References
|[RFC2119]||Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.|
8.2. Informative References
The beginnings of the "X-" convention can be found in a suggestion made by Brian Harvey in 1975 with regard to FTP parameters [RFC691]:
- Thus, FTP servers which care about the distinction between Telnet print and non-print could implement SRVR N and SRVR T. Ideally the SRVR parameters should be registered with Jon Postel to avoid conflicts, although it is not a disaster if two sites use the same parameter for different things. I suggest that parameters be allowed to be more than one letter, and that an initial letter X be used for really local idiosyncracies.
- FTP allows "experimental" commands, whose names begin with "X". If these commands are subsequently adopted as standards, there may still be existing implementations using the "X" form.... All FTP implementations SHOULD recognize both forms of these commands, by simply equating them with extra entries in the command lookup table.
The "X-" convention has been used for email header fields since at least the publication of [RFC822] in 1982, which distinguished between "Extension-fields" and "user-defined-fields" as follows:
- The prefatory string "X-" will never be used in the names of Extension-fields. This provides user-defined fields with a protected set of names.
That rule was restated by [RFC1154] as follows:
- Keywords beginning with "X-" are permanently reserved to implementation-specific use. No standard registered encoding keyword will ever begin with "X-".
This convention continued with various specifications for media types ([RFC2045], [RFC2046], [RFC2047]), HTTP headers ([RFC2068], [RFC2616]), vCard parameters and properties ([RFC2426]), Uniform Resource Names ([RFC3406]), LDAP field names ([RFC4512]), and other technologies.
However, use of the "X-" prefix in email headers was effectively deprecated between the publication of [RFC822] in 1982 and the publication of [RFC2822] in 2001 by removing the distinction between the "extension-field" construct and the "user-defined-field" construct (a similar change happened with regard to Session Initiation Protocol "P-" headers when [RFC3427] was obsoleted by [RFC5727]).
Despite the fact that parameters containing the "X-" string have been effectively deprecated in email headers, they continue to be used in a wide variety of application protocols. The two primary situations motivating such use are:
- Experiments that are intended to possibly be standardized in the future, if they are successful.
- Extensions that are intended to never be standardized because they are intended only for use in implementation-specific applications or on private networks.
Use of this naming convention is not mandated by the Internet Standards Process [BCP9] or IANA registration rules [BCP26]. Rather it is an individual choice by each specification that references the convention or each administrative process that chooses to use it. In particular, some standards track RFCs have interpreted the convention in a normative way (e.g., [RFC822] and [RFC5451]).
The primary problem with the "X-" convention is that non-standard parameters have a tendency to advance into the protected space of standard parameters (whether de jure or de facto), thus introducing the need for migration from the "X-" name to the standard name. Migration, in turn, introduces interoperability issues because older implementations will support only the "X-" name and newer implementations might support only the standard name. To preserve interoperability, newer implementations simply support the "X-" name forever, which means that the non-standard name has become a de facto standard (thus obviating the need for segregation of the name space into "standard" and "non-standard" in the first place).
We have already seen this phenomenon at work with regard to FTP in the quote from [RFC1123] in the previous section. The HTTP community had the same experience with the "x-gzip" and "x-compressed" media types, as noted in [RFC2068]:
- For compatibility with previous implementations of HTTP, applications should consider "x-gzip" and "x-compress" to be equivalent to "gzip" and "compress" respectively.
A similar example can be found in [RFC5064], which defined the "Archived-At" message header field but also found it necessary to define and register the "X-Archived-At" field:
- For backwards compatibility, this document also describes the X-Archived-At header field, a precursor of the Archived-At header field. The X-Archived-At header field MAY also be parsed, but SHOULD NOT be generated.
One of the original reasons for segregation of name spaces into standard and non-standard areas was the perceived difficulty of registering names. However, the solution to that problem has been simpler registration rules, such as those provided by [RFC3864] and [RFC4288], as well as separate registries for permanent and provisional names, as explained in [RFC4288]:
- [W]ith the simplified registration procedures described above for vendor and personal trees, it should rarely, if ever, be necessary to use unregistered experimental types. Therefore, use of both "x-" and "x." forms is discouraged.
Furthermore, often standardization of a non-standard parameter or protocol element leads to subtly different behavior (e.g., the standard version might have different security properties as a result of security review provided during the standardization process). If implementers treat the old, non-standard parameter and the new, standard parameter as equivalent, interoperability and security problems can ensue.
For similar considerations with regard to the "P-" convention in the Session Initiation Protocol, see [RFC5727].
In some situations, segregating the name space of parameters used in a given application protocol can be justified:
- When it is extremely unlikely that some parameters will ever be standardized. However, in this case implementation-specific and private-use parameters can be Uniform Resource Identifiers [RFC3986] (e.g., "http://example.com/foo") or can be prepended with a string that is derived from the name or primary domain name of the organization that has defined the parameter (e.g., "ExampleInc-foo", "VND.ExampleInc.foo", or "com.example.foo"). Similarly, truly experimental parameters can be given meaningless names such as nonsense words, the output of a hash function, or UUIDs [RFC4122].
- When parameter names might have significant meaning. However, this case is rare, since implementers can almost always find a synonym for an existing term (e.g., "urgency" instead of "priority") or simply invent a more creative name (e.g., "get-it-there-fast").
- When parameter names need to be very short (e.g., as in [RFC5646] for language tags). However, in this case it can be more efficient to assign numbers instead of human-readable names (e.g., as in [RFC2939] for DCHP options) and to leave a certain numeric range for implementation-specific extensions or private use (e.g., as with the codec numbers used with the Session Description Protocol [RFC4566]).
There are three primary objections to deprecating the "X-" convention as a best practice for application protocols:
- Implementers are easily confused and can't be expected to know that a parameter is non-standard unless it contains the "X-" prefix. However, implementers already are quite flexible about using both prefixed and non-prefixed names based on what works in the field, so the distinction between de facto names (e.g., "X-foo") and de jure names (e.g., "foo") is effectively meaningless.
- Collisions are undesirable and it would be bad to for both a standard parameter "foo" and a non-standard parameter "foo" to exist simultaneously. However, names are almost always cheap, so an experimental, implementation-specific, or private-use name of "foo" does not prevent a standards development organization from issuing a similarly creative name such as "bar".
- [BCP82] is entitled "Assigning Experimental and Testing Numbers Considered Useful" and therefore implies that the "X-" prefix is also useful for experimental parameters. However, BCP 82 addresses the need for protocol numbers when the pool of such numbers is strictly limited (e.g., DHCP options) or when a number is absolutely required even for purely experimental purposes (e.g., the Protocol field of the IP header). In almost all application protocols that make use of protocol parameters (including email headers, media types, HTTP headers, vCard parameters and properties, URNs, and LDAP field names), the name space is not limited or constrained in any way, so there is no need to assign a block of names for private use or experimental purposes (see also [BCP26]).
Therefore it appears that segregating the parameter space into a standard area and a non-standard area has few if any benefits, and has at least one significant cost in terms of interoperability.