- From: Daniel Stenberg <daniel@haxx.se>
- Date: Sat, 25 Jan 2020 16:18:46 +0100 (CET)
- To: Rick van Rein <rick@openfortress.nl>
- cc: Amos Jeffries <squid3@treenet.co.nz>, ietf-http-wg@w3.org
On Sat, 25 Jan 2020, Rick van Rein wrote: > I disagree that this is reasonable to prescribe in the HTTP standard. > > There are certainly use cases, namely when I want to address my own records, > and the ACL on the server can happily configured that way. > > But doing this always, so force-binding client authentication to the > userinfo in the HTTP URI, I could not allow others into my part of the site, > which is a pretty dramatic reduction of HTTP expressiveness. I believe > separating client identity and server users makes a lot of sense. You can't fix this simply by saying that setting the name part of the userinfo in a HTTP URI is OK. HTTP has no established way to send a user name outside of authentication. I think I understand what you want, but I can't see how you can retrofit that into current HTTP. I'm believe you've missed that train. You can't just send the user name in a HTTP request. User names are only used in HTTP for authentication. -- / daniel.haxx.se
Received on Saturday, 25 January 2020 15:19:10 UTC