Re: Adding user@ to HTTP[S] URIs

From: Julian Reschke <julian.reschke@gmx.de>
Date: Sun, 26 Jan 2020 12:01:33 +0100
To: Rick van Rein <rick@openfortress.nl>, "HTTPbis WG (IETF)" <ietf-http-wg@w3.org>
Message-ID: <ee6987a1-e6a3-cc67-bb17-97cf9bf824d1@gmx.de>

On 26.01.2020 11:07, Rick van Rein wrote:
> Hey,
>
> The lively response to my proposal to interpret the user name in the
> HTTP/S URI as intended in RFC3986 (namely for resource name scoping and
> recognising its orthogonality to authentication/authorisation) may be
> indications that I need to clarify the idea.
>
> I published version 03 of the draft, adding an example HTTP session.  It
> demonstrates how a shared group account can be accessed by a member
> under an ACL that is local to the server,
>
> https://tools.ietf.org/html/draft-vanrein-http-unauth-user-03#section-4
>
>
> I hope this helps!
> ...

The example indeed helps.

I also understand that you like and prefer putting a username into the
authority part. What I don't get is how this enables things that weren't
possible before. It would be good to understand how this could be
deployed in practice in an environment where you don't control
implementations.

For instance, in your first step where Mary opens
"https://sales@example.com/docs" - what happens if the UA does not
implement it? Or in a subsequent step, what happens if the server
ignores the new header field?

Best regards, Julian
Received on Sunday, 26 January 2020 11:01:40 UTC
