Re: Adding user@ to HTTP[S] URIs

From: Rick van Rein <rick@openfortress.nl>
Date: Mon, 27 Jan 2020 16:02:39 +0100
Message-ID: <5E2EFB8F.5090602@openfortress.nl>
To: Daniel Stenberg <daniel@haxx.se>
CC: James Fuller <jim@webcomposite.com>, Austin Wright <aaa@bzfx.net>, "HTTPbis WG (IETF)" <ietf-http-wg@w3.org>

Hey,

> I'm not suggesting that curl's way of treating this information is the
> golden standard or anything neither for URI parsing nor HTTP headers.

It is a bit specific to Curl, I suppose; as a cmdline tool it tries very hard to not need interaction, and so a choice has been made to silently add the colon after a user name and construct Basic authentication.

Still, I'm happy that the presence of a colon seems to make all the difference in what I expect to be the practical use-case -- supplying a password for resource access.

> I'm just providing datapoints showing this is a tough change. (curl
> has supported this URI style since 2003)

Yes, this is tough; I've been pounding at an identity architecture for 4-5 years, and surprisingly, HTTP is the most difficult protocol to deal with, its semantics being relatively light (compared to LDAP, say) and having collected so much history of assumed extensions to those semantics.  In comparison, SASL, TLS and even Kerberos are much easier to work on!

I thank you for the data points, they are pleasantly concrete.  To be honest, due to the rare use of user names in HTTP I am not expecting any more tough points.  Still, open to hear about any concrete technical issues that this list brings up.

Thanks,
 -Rick
Received on Monday, 27 January 2020 15:03:56 UTC