Re: Adding user@ to HTTP[S] URIs

From: Daniel Stenberg <daniel@haxx.se>
Date: Sat, 25 Jan 2020 16:18:46 +0100 (CET)
To: Rick van Rein <rick@openfortress.nl>
cc: Amos Jeffries <squid3@treenet.co.nz>, ietf-http-wg@w3.org
Message-ID: <alpine.DEB.2.20.2001251614520.15685@tvnag.unkk.fr>

On Sat, 25 Jan 2020, Rick van Rein wrote:

> I disagree that this is reasonable to prescribe in the HTTP standard.
>
> There are certainly use cases, namely when I want to address my own records, 
> and the ACL on the server can happily be configured that way.
>
> But doing this always, so force-binding client authentication to the 
> userinfo in the HTTP URI, I could not allow others into my part of the site, 
> which is a pretty dramatic reduction of HTTP expressiveness.  I believe 
> separating client identity and server users makes a lot of sense.

You can't fix this simply by saying that setting the name part of the userinfo 
in a HTTP URI is OK. HTTP has no established way to send a user name outside 
of authentication. I think I understand what you want, but I can't see how you 
can retrofit that into current HTTP. I believe you've missed that train. You 
can't just send the user name in a HTTP request.

User names are only used in HTTP for authentication.

-- 

  / daniel.haxx.se
Received on Saturday, 25 January 2020 15:19:10 UTC