Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Register .well-known URI for TEA #30

Open
oej opened this issue Aug 20, 2024 · 9 comments
Open

Register .well-known URI for TEA #30

oej opened this issue Aug 20, 2024 · 9 comments
Labels

Comments

@oej
Copy link
Collaborator

oej commented Aug 20, 2024

The IANA maintains a registry of .well-known URI's

@oej oej added the Backlog label Aug 28, 2024
@ppkarwasz
Copy link

As an alternative, we could register a security.txt field.

The list of security.txt fields is also a registry maintained by IANA.

@madpah
Copy link
Collaborator

madpah commented Nov 11, 2024

This seems like a sane thing to do - inline with https://github.com/CycloneDX/transparency-exchange-api/tree/main/discovery#tei-resolution-using-dns.

@oej
Copy link
Collaborator Author

oej commented Nov 13, 2024

I think we need a separate issue on Security.txt, because it's such a different approach. The other discovery starts with "I have a product identifier.

The security.txt case is very different as it a way to say "by the way, we have a TEA service". For that to work, there needs to be a way to get product identifiers. It requires further thinking.

@oej
Copy link
Collaborator Author

oej commented Nov 13, 2024

Created #67 for security.txt so this issue is focused on .well-known

@oej
Copy link
Collaborator Author

oej commented Nov 13, 2024

So, I don't want to have an API running on the .well-known URI. Should we define a syntax, inspired by security.txt for redirection to another URL?

TEA-baseurl: https://product.example.com/tea/v1/

I don't think simply running a 302 is a good architecture for this. It requires less parsing though.

@madpah
Copy link
Collaborator

madpah commented Nov 13, 2024

For security.txt agree we need to define the complete URL to the TEA API Service.

For /.well-known/tei I'd have thought an appropriate HTTP 30x redirect to the TEA API Service would be good enough?

Also @oej - should this actually be /.well-known/tea and not /.well-known/tei??

@oej
Copy link
Collaborator Author

oej commented Nov 13, 2024

I think the API is "tea" so let's go for tea. I don't know if there's a best current practice for applying a 302, need to check that. Feels raw, but it will work.

@oej
Copy link
Collaborator Author

oej commented Nov 13, 2024

https://www.rfc-editor.org/rfc/rfc8615

I don't find any text against 302 redirects. Good.

@ppkarwasz
Copy link

https://www.rfc-editor.org/rfc/rfc8615

I don't find any text against 302 redirects. Good.

Some well known URIs even require a 302 redirect. E.g. RFC 6764 (calDAV/cardDAV) states:

Two ".well-known" URIs are registered by this specification for CalDAV and CardDAV services, "caldav" and "carddav" respectively …
These URIs point to a resource that the client can use as the initial "context path" for the service they are trying to connect to.
The server MUST redirect HTTP requests for that resource to the actual "context path" using one of the available mechanisms provided by HTTP (e.g., using a 301, 303, or 307 response).

The TEA well known URI should probably behave in the same way and require a 301/303/307 redirect to the initial request.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants