Skip to main content

URI Template
RFC 6570


(Peter Saint-Andre)

No Objection

(Dan Romascanu)
(Jari Arkko)
(Ralph Droms)
(Robert Sparks)
(Russ Housley)
(Sean Turner)
(Stewart Bryant)

Note: This ballot was opened for revision 08 and is now closed.

Pete Resnick Former IESG member
Yes (2012-01-04) Unknown
2.2: I'm not clear from what is said in section 3 or Appendix A what happens when an op-reserve appears in a template that is being processed where the processor doesn't recognize these operators, in particular '$', '(', and ')'. Are they all treated as error conditions? If so, where in the algorithm.

2.3: Do you really want varnames to be able to end with "." or "_" or begin with "_" or pct-encoded? If you want only internal ".", then you want:

varname = varchar *(["."] varchar)

If you only want internal "_" and pct-encoded as well, then:

varname = ALPHA / DIGIT *(["_" / "." / pct-encoded] / ALPHA / DIGIT)

I don't care, but the current construct (can't begin with ".", but otherwise anything goes) seemed like an odd choice.

2.4.1: An upper limit on max-length might be a useful addition.

3.2.1: The current text says:

   ...If the value
   contains multibyte UTF-8, care must be taken to avoid splitting the
   value in mid-character: count each Unicode codepoint as one

The admonition in 1.6 seems equally useful for the values variables: Though they might exist as encoded, all contents of variables are assumed by the spec to be Unicodes, and must be appeneded by UTF-8ing them and pct-encoding as necessary. I think it's worth adding text on this.
Peter Saint-Andre Former IESG member
Yes () Unknown

Wesley Eddy Former IESG member
Yes (2012-01-02) Unknown
This seems to be a very useful and well-written document.
Adrian Farrel Former IESG member
No Objection
No Objection (2011-12-31) Unknown
I have no objection to the publication of this document as a Standards
Track RFC. I have a few very minor comments you might look at.


You may note that you use RFC 2119 language in Section 1.1 but do not
include the explanation until Section 1.5.


Should you provide references for WSDL, WADL, and OpenSearch in section


In section 1.5 there is a minor notational discrepency.

You have:

     ALPHA          =  %x41-5A / %x61-7A   ; A-Z / a-z
     DIGIT          =  %x30-39             ; 0-9
     HEXDIG         =  DIGIT / "A" / "B" / "C" / "D" / "E" / "F"

That means that HEXDIG has a mixed mode of hex notation and quoted
letters. It might have made more sense to write...

     HEXDIG         =  DIGIT / %x41-46     ; 0-F

But I struggle to see this as in any way an important comment! Maybe
more interesting is to check that you really intended to exclude lower
case alpha from the representation of hex numbers used in pct encoding.


While Appendix A begins with a helpful note that the body of the
document is normative text, it doesn't actually comment on whether the
appendix is normative or not. It would be nice to make this explicit.
Dan Romascanu Former IESG member
No Objection
No Objection () Unknown

Jari Arkko Former IESG member
No Objection
No Objection () Unknown

Ralph Droms Former IESG member
No Objection
No Objection () Unknown

Robert Sparks Former IESG member
No Objection
No Objection () Unknown

Ron Bonica Former IESG member
No Objection
No Objection (2012-01-02) Unknown
Please run the nit-checker over this document. It appears to have a couple of unused references.
Russ Housley Former IESG member
(was Discuss) No Objection
No Objection () Unknown

Sean Turner Former IESG member
No Objection
No Objection () Unknown

Stephen Farrell Former IESG member
No Objection
No Objection (2011-12-30) Unknown
- End of p12 says "If a value provided by a user" which implies that
all the usual injection attacks need to be countered in at least some
deployments. Why doesn't that need to be mentioned in the security
considerations? I don't think 3986 envisages that kind of issue. (Esp.
if templates were combined with OAuth v1 or something else that
authenticates the URL after expansion, meaning that the user at the
browser could not have produced the URL herself.)

- Can expressions be nested?, e.g. "{foo{bar}baz}" 1st sentence of 3.2
implies not, but in any case it might be worth adding a sentence
saying that nesting like that is not supported.

- Expressions can be obfuscated. That could provide a new attack
vector: expression author convinces webmaster that template is safe
when its not. Not sure if that's worth a mention or not.

- Seven operators; lists of variable with optional modifiers (esp
"explode") - that all seems to me like too much to be universally
useful and safe. Just an opinion, not a discuss.
Stewart Bryant Former IESG member
No Objection
No Objection () Unknown