- From: Larry Masinter <masinter@parc.xerox.com>
- Date: Thu, 3 Apr 1997 13:53:25 PST
- To: Chris Newman <Chris.Newman@innosoft.com>
- Cc: IETF URI list <uri@bunyip.com>, ietf-url@imc.org
Chris,

I use cleartext passwords all the time, for things that aren't actually 'secret'. I can't see dropping something from the generic syntax which is deployed and widely used, when it WAS in the proposed standard.

I do believe that the security considerations should be explicit about when it is and isn't appropriate to rely on that feature.

> > > I think the ":<password>" should be removed from the default Internet
> > > component. Otherwise you encourage plaintext passwords (people will use
> > > them anyway if really necessary).
> >
> > This isn't the "default" Internet component, it is the "generic" Internet
> > component. And the security considerations section says:
> >
> >    It is clearly unwise to use a URL that contains a password which is
> >    intended to be secret.
> >
> > Need it say more?
>
> No. It needs to say less. Don't even bother suggesting a syntax for
> cleartext passwords -- it's not useful in the "generic" case.

There is no "generic" case. There is a generic syntax, and then there are instances of the generic syntax. Cleartext passwords are useful in some instances and dangerous (but presumably also useful) in others.

I think it is important to separate syntax and semantics from rules about applicability and advice about use.

--
http://www.parc.xerox.com/masinter

Received on Thursday, 3 April 1997 19:51:46 UTC