- From: Martin J. Dürst <duerst@it.aoyama.ac.jp>
- Date: Wed, 28 Jul 2010 19:57:26 +0900
- To: Mark Baker <mark@zepheira.com>
- CC: "Roy T. Fielding" <fielding@gbiv.com>, HTTP Working Group <ietf-http-wg@w3.org>
On 2010/07/28 13:02, Mark Baker wrote:
> FWIW, we use this construct in the Akara HTTP server project, but
> those http URIs are only ever found in configuration files, never on
> the wire.
>
> The use of userinfo on the wire is obviously a security nightmare, and
> I welcome bold warnings about its use, but I wonder if requiring they
> be treated as erroneous is necessary, especially when there's so many
> existing agents which silently ignore it (just tested Firefox 3.6.8,
> latest Chrome beta, wget), or support it by initiating basic auth
> (curl).

I have only very limited experience with userinfo. However, the one I have doesn't suggest it gets disallowed.

There is not much difference between sending passwords in clear in email as:

go to page http://foo.org/bar
user: us_only
password: secret

and:

go to page http://us_only:secret@foo.org/bar

when people are aware of the fact that this page isn't for everybody's eyes. However, the latter is way more practical.

Regards, Martin.

--
#-# Martin J. Dürst, Professor, Aoyama Gakuin University
#-# http://www.sw.it.aoyama.ac.jp mailto:duerst@it.aoyama.ac.jp
Received on Wednesday, 28 July 2010 10:58:19 UTC
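An added example, not code from the thread, from Akara or from any agent named in it: a small Python audit that finds http(s) URIs carrying RFC 3986 userinfo in text such as configuration files and applies one of the three behaviours the thread contrasts (treat as erroneous, strip silently as Firefox/Chrome/wget are reported to do, or redact the password for logging). The config lines are constructed; the third shows that an '@' in the path or query is not userinfo.

```python
"""Detect, strip or redact RFC 3986 userinfo in http(s) URIs (added example)."""
import re
from urllib.parse import urlsplit, urlunsplit
# Constructed sample config text (not from the thread). The '@' in the path
# and query of the third line must not be mistaken for userinfo.
SAMPLE_CONFIG = """\
upstream = http://us_only:secret@foo.org/bar
docs     = http://foo.org/bar
profile  = http://foo.org/users/@alice?cc=bob@example.org
api      = https://u:p%40ss@foo.org:8443/x?y=1#frag
"""
URI_RE = re.compile(r"https?://[^\s\"'<>]+")

def find_userinfo(uri):
    """Return (userinfo or None, authority without it).
    RFC 3986: authority = [ userinfo "@" ] host [ ":" port ], ending at the
    first '/', '?' or '#' (urlsplit applies that), so '@' in path or query
    never counts; split at the LAST '@' since host/port cannot contain one."""
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http/https handled: %r" % uri)
    if "@" not in parts.netloc:
        return None, parts.netloc
    userinfo, host_port = parts.netloc.rsplit("@", 1)
    return userinfo, host_port

def sanitize(uri, policy="strip"):
    """'reject' raises (treat as erroneous); 'strip' drops the userinfo (what
    the thread observes Firefox, Chrome and wget do); 'redact' masks the
    password so the URI can be logged. Returns (new_uri, had_userinfo)."""
    userinfo, host_port = find_userinfo(uri)
    if userinfo is None:
        return uri, False
    if policy == "reject":
        raise ValueError("userinfo in URI treated as erroneous")
    if policy == "strip":
        netloc = host_port
    elif policy == "redact":
        user, sep, _pw = userinfo.partition(":")
        netloc = "%s%s@%s" % (user, ":***" if sep else "", host_port)
    else:
        raise ValueError("unknown policy %r" % policy)
    return urlunsplit(urlsplit(uri)._replace(netloc=netloc)), True

def audit_text(text):
    """List every http(s) URI in free text that embeds credentials, in
    redacted form, so reporting the finding never re-leaks the secret."""
    return [sanitize(m.group(0), "redact")[0]
            for m in URI_RE.finditer(text) if find_userinfo(m.group(0))[0]]
```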