
Re: URI resolution & safety

From: Keith Moore <moore@cs.utk.edu>
Date: Sun, 25 Nov 2001 11:21:57 -0500
Message-Id: <200111251621.fAPGLvT28745@astro.cs.utk.edu>
To: Mark Baker <distobj@acm.org>
cc: paf@cisco.com (Patrik Fältström), discuss@apps.ietf.org
> That's quite reasonable, but it doesn't change the fact that people (and
> software) expect to be able to resolve URI without consequence.

this water passed under the bridge long ago.  even HTTP isn't resolvable 
without consequence.   HTTP URLs are routinely used to leak private 
information about users to third parties - either using cookies,
or using information embedded in the URL.

that and since *most* URI prefixes are unregistered, using the 
registration process to discourage inappropriate URI use clearly won't work.

I agree with Patrik - the most effective strategy we know is to insist
that the definition of a URI prefix also describe its security considerations.

Keith
Received on Sunday, 25 November 2001 11:22:26 GMT
