- From: Keith Moore <moore@cs.utk.edu>
- Date: Sun, 25 Nov 2001 11:21:57 -0500
- To: Mark Baker <distobj@acm.org>
- cc: paf@cisco.com (Patrik Fältström), discuss@apps.ietf.org
> That's quite reasonable, but it doesn't change the fact that people (and
> software) expect to be able to resolve URI without consequence.

this water passed under the bridge long ago. even HTTP isn't resolvable without consequence. HTTP URLs are routinely used to leak private information about users to third parties - either using cookies, or using information embedded in the URL.

that and since *most* URI prefixes are unregistered, using the registration process to discourage inappropriate URI use clearly won't work.

I agree with Patrik - the most effective strategy we know is to insist that the definition of a URI prefix also describe its security considerations.

Keith
Received on Sunday, 25 November 2001 11:22:26 UTC