- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Sun, 26 Jan 2020 12:01:33 +0100
- To: Rick van Rein <rick@openfortress.nl>, "HTTPbis WG (IETF)" <ietf-http-wg@w3.org>
On 26.01.2020 11:07, Rick van Rein wrote:
> Hey,
>
> The lively response to my proposal to interpret the user name in the
> HTTP/S URI as intended in RFC3986 (namely for resource name scoping and
> recognising its orthogonality to authentication/authorisation) may be
> indications that I need to clarify the idea.
>
> I published version 03 of the draft, adding an example HTTP session. It
> demonstrates how a shared group account can be accessed by a member
> under an ACL that is local to the server,
>
> https://tools.ietf.org/html/draft-vanrein-http-unauth-user-03#section-4
>
>
> I hope this helps!
> ...

The example indeed helps. I also understand that you like and prefer
putting a username into the authority part.

What I don't get is how this enables things that weren't possible before.

It would be good to understand how this could be deployed in practice in
an environment where you don't control implementations. For instance, in
your first step where Mary opens "https://sales@example.com/docs" - what
happens if the UA does not implement it? Or in a subsequent step, what
happens if the server ignores the new header field?

Best regards, Julian
Received on Sunday, 26 January 2020 11:01:40 UTC