- From: Dave Kristol <dmk@allegra.att.com>
- Date: Mon, 17 Jul 95 11:29:31 EDT
- To: john@math.nwu.edu
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
John Franks <john@math.nwu.edu> said: [regarding my proposal to embed hostname in the password file line] > This would mean that only one hostname could be used in the URL. I.e. > even though host.com and www.host.com are the same host, one of the URLs > > http://host.com/secret.doc > and > http://www.host.com/secret.doc > > would have to fail even when the user supplied a valid username/password. > This would be a serious flaw. I disagree with the premise. I wouldn't encode the domain name that the user accessed to reach my server. I would encode the name that the server uses for itself, for example the name set by NCSA HTTPD ServerName directive. > > Keep in mind that the realm can be any (reasonable sized) string supplied by > the server maintainer. Thus choosing a realm like > > myrealm@www.myplace.com > > is probably a good idea. This would prevent another server maintainer > accidentally choosing the same realm. If another server maintainer > maliciously chooses the same realm, at least that fact is displayed > to the client each time access is requested. If you connect to > www.myplace.com and see a realm with somewhere.else.com in it you > should be very suspicious. Thank you for motivating my second quibble, namely: I want to be able to specify a (user/password) prompt independent of the realm. I don't think much of a realm named "myrealm@www.myplace.com", but maybe I'm perverse. I prefer Enter username for [prompt that I specify] at www.research.att.com: to Enter username for myrealm@www.myplace.com at www.myplace.com Evidently (sigh) I'm the only person in the world who feels this way. Dave Kristol
Received on Monday, 17 July 1995 09:48:58 UTC