
Re: disallowing userinfo in http and https URIs

From: Reto Bachmann-Gmür <reto@gmuer.ch>
Date: Wed, 28 Jul 2010 11:16:14 +0200
Message-ID: <AANLkTime4zMqyHa1ewbG7ZVF+DJAPg+XKfCyqMi7K7b_@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Alexey Melnikov <alexey.melnikov@isode.com>, Mark Baker <mark@zepheira.com>, "Roy T. Fielding" <fielding@gbiv.com>, HTTP Working Group <ietf-http-wg@w3.org>
On Wed, Jul 28, 2010 at 10:30 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> On 28.07.2010 10:21, Alexey Melnikov wrote:
>>
>> ...
>> Either this, or clarify that the userinfo part is not allowed in HTTP
>> (but maybe used in other contexts).
>> It would probably be safer to prohibit userinfo use on the wire.
>> ...
>
> On the wire it would be in a different place anyway, right?
>
> As far as I understand, this is really about the URI syntax only...

It might be transferred over the wire in hypertext links, where it is
clearly problematic.

I am, however, wondering if, for https, the userinfo section could be used
to encode/hash the public key of the linked party, allowing additional
security or trust in "self-signed" certificates (by a p2p chain of
trust). This would integrate Tyler Close's httpsy[1] idea into https.

Cheers,
reto

1. http://www.waterken.com/dev/YURL/httpsy/
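The https-with-key-fingerprint idea floated in the message above, sketched as an added Python example that is not part of this thread nor of httpsy/YURL: the userinfo component (assumed here to be `sha256-<hex>`, a format chosen only for illustration) carries a SHA-256 fingerprint of the expected server key's SubjectPublicKeyInfo; the client strips it before the URI goes on the wire or into a link, and checks it against the key the server actually presents. The sample key bytes are constructed, not a real key.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

# Hypothetical userinfo format for this sketch: "sha256-<64 hex chars>".
# httpsy/YURL uses its own identifier encoding; this is not it.
PREFIX = "sha256-"


def key_fingerprint(spki_der: bytes) -> str:
    """SHA-256 over the DER SubjectPublicKeyInfo of a public key."""
    return hashlib.sha256(spki_der).hexdigest()


def _netloc_without_userinfo(parts) -> str:
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets
        host = f"[{host}]"
    return host + (f":{parts.port}" if parts.port is not None else "")


def parse_pinned_uri(uri: str):
    """Return (expected fingerprint or None, URI with userinfo removed).
    Only the stripped URI should ever be sent or linked; the fingerprint
    is used locally to check the certificate the server presents."""
    parts = urlsplit(uri)
    if parts.scheme != "https":
        raise ValueError("a key fingerprint in userinfo only makes sense for https")
    if parts.username is None:
        return None, uri
    if parts.password is not None or not parts.username.startswith(PREFIX):
        raise ValueError("userinfo is not a fingerprint; credentials in URIs are refused")
    fp = parts.username[len(PREFIX):].lower()
    if len(fp) != 64 or any(c not in "0123456789abcdef" for c in fp):
        raise ValueError("malformed fingerprint")
    clean = urlunsplit((parts.scheme, _netloc_without_userinfo(parts),
                        parts.path, parts.query, parts.fragment))
    return fp, clean


def pin_uri(uri: str, spki_der: bytes) -> str:
    """Bind an https URI to one specific server public key."""
    parts = urlsplit(uri)
    if parts.scheme != "https":
        raise ValueError("only https URIs can carry a key fingerprint")
    netloc = f"{PREFIX}{key_fingerprint(spki_der)}@{_netloc_without_userinfo(parts)}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def verify_presented_key(uri: str, presented_spki_der: bytes):
    """True/False when the URI carries a fingerprint, None when there is nothing to check."""
    expected, _ = parse_pinned_uri(uri)
    if expected is None:
        return None
    return hmac.compare_digest(expected, key_fingerprint(presented_spki_der))


# Constructed stand-in for DER SubjectPublicKeyInfo bytes (not a real key).
SAMPLE_SPKI = b"\x30\x82\x01\x22constructed-sample-key-bytes"
```

A link published as `pin_uri(...)` only helps if the client enforces the check and a plain `https://user:pw@host` form is rejected rather than forwarded as credentials.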
Received on Wednesday, 28 July 2010 09:16:48 GMT
