Re: disallowing userinfo in http and https URIs

On Wed, Jul 28, 2010 at 10:30 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> On 28.07.2010 10:21, Alexey Melnikov wrote:
>>
>> ...
>> Either this, or clarify that the userinfo part is not allowed in HTTP
>> (but maybe used in other contexts).
>> It would probably be safer to prohibit userinfo use on the wire.
>> ...
>
> On the wire it would be in a different place anyway, right?
>
> As far as I understand, this is really about the URI syntax only...

It might be transferred over the wire in hypertext links, where it is
clearly problematic.

I am however wondering if for https the userinfo section could be used
to encode/hash the public key of the linked party allowing additional
security or trust in "self-signed" certificates (by a p2p chain of
trust). This would integrate Tyler Close's httpsy[1] idea into https.

Cheers,
reto

1. http://www.waterken.com/dev/YURL/httpsy/

Received on Wednesday, 28 July 2010 09:16:48 UTC
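
Added example, not part of the original message and not the httpsy format: a sketch of the check a client could make if the userinfo of an https link carried a hash of the linked party's public key. The `sha256-` + hex encoding, the function names and the sample key bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Assumed encoding (the message does not define one):
# userinfo = "sha256-" + lowercase hex SHA-256 of the server's public key bytes.
PIN_RE = re.compile(r"sha256-[0-9a-f]{64}")

# Constructed stand-ins for two servers' DER-encoded public keys.
KEY_A = b"constructed-public-key-bytes-A"
KEY_B = b"constructed-public-key-bytes-B"


def key_fingerprint(public_key_der: bytes) -> str:
    """Fingerprint string as it would appear in the userinfo component."""
    return "sha256-" + hashlib.sha256(public_key_der).hexdigest()


def pinned_link(host: str, public_key_der: bytes, path: str = "/") -> str:
    """Build a link whose userinfo names the key the server must present."""
    return f"https://{key_fingerprint(public_key_der)}@{host}{path}"


def check_link(url: str, presented_key_der: bytes) -> str:
    """Compare the pin in the link with the key seen in the TLS handshake.

    Userinfo that is not a well-formed fingerprint (a user name, a
    password, any other text) is rejected rather than passed along,
    which is the case the thread wants kept out of hypertext links.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "reject: not https"
    if parts.password is not None:
        return "reject: password in userinfo"
    pin = parts.username
    if pin is None:
        return "no-pin"  # ordinary link, normal certificate validation applies
    if not PIN_RE.fullmatch(pin):
        return "reject: userinfo is not a key fingerprint"
    # Constant-time comparison of the expected and the presented fingerprint.
    if hmac.compare_digest(pin, key_fingerprint(presented_key_der)):
        return "match"
    return "mismatch"


if __name__ == "__main__":
    link = pinned_link("example.org", KEY_A)
    for key in (KEY_A, KEY_B):
        print(check_link(link, key))
```

The pin never needs to be sent to the server: it is consumed by the client when it validates the handshake, and the request itself goes to the host without the userinfo.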