Re: revised "generic syntax" and "data:" internet drafts

Larry Masinter (masinter@parc.xerox.com)
Thu, 3 Apr 1997 13:53:25 PST


Message-Id: <334426D5.600F@parc.xerox.com>
Date: Thu, 3 Apr 1997 13:53:25 PST
From: Larry Masinter <masinter@parc.xerox.com>
To: Chris Newman <Chris.Newman@innosoft.com>
Cc: IETF URI list <uri@bunyip.com>, ietf-url@imc.org
Subject: Re: revised "generic syntax" and "data:" internet drafts

Chris,

I use cleartext passwords all the time, for things that aren't
actually 'secret'. I can't see dropping something from the generic
syntax which is deployed and widely used, when it WAS in the
proposed standard. I do believe that the security considerations
should be explicit about when it is and isn't appropriate to
rely on that feature.

> > > I think the ":<password>" should be removed from the default Internet
> > > component.  Otherwise you encourage plaintext passwords (people will use
> > > them anyway if really necessary).
> > 
> > This isn't the "default" Internet component, it is the "generic" Internet
> > component. And the security considerations section says:
> > 
> >    It is clearly unwise to use a URL that contains a password which is
> >    intended to be secret.
> > 
> > Need it say more?
> 
> No.  It needs to say less.  Don't even bother suggesting a syntax for
> cleartext passwords -- it's not useful in the "generic" case.

There is no "generic" case. There is a generic syntax, and then
there are instances of the generic syntax. Cleartext passwords
are useful in some instances and dangerous (but presumably also
useful) in others.

I think it is important to separate syntax and semantics from
rules about applicability and advice about use.
--
http://www.parc.xerox.com/masinter
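The generic syntax under discussion allows a userinfo component of the form `user:password@host`, and the draft's security considerations warn against putting a secret password there. The following is an added example, not part of Masinter's message or of the draft being discussed: it splits the userinfo component the way the generic syntax defines it, reports whether a URL carries a cleartext password, redacts that password before the URL is written to a log, and scans a few constructed log lines for such URLs. The log lines and host names are made up for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Generic syntax (simplified):  scheme://[user[:password]@]host[:port]/path
# Everything before the last '@' in the authority is userinfo; the first ':'
# inside userinfo separates user from password.


def split_userinfo(url):
    """Return (user, password, hostport) for a URL in the generic syntax.

    user and password are None when absent. A password of '' means the
    ':' separator was present but empty, which still counts as a password
    being supplied in cleartext.
    """
    netloc = urlsplit(url).netloc
    if "@" not in netloc:
        return None, None, netloc
    userinfo, hostport = netloc.rsplit("@", 1)
    if ":" in userinfo:
        user, password = userinfo.split(":", 1)
    else:
        user, password = userinfo, None
    return user, password, hostport


def has_cleartext_password(url):
    """True if the URL's userinfo component carries a password."""
    return split_userinfo(url)[1] is not None


def redact_password(url, mask="***"):
    """Return the URL with any userinfo password replaced by `mask`.

    Intended for use before a URL is logged or displayed; URLs without a
    password are returned unchanged.
    """
    user, password, hostport = split_userinfo(url)
    if password is None:
        return url
    parts = urlsplit(url)
    netloc = f"{user}:{mask}@{hostport}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


# Matches the scheme://... shape of hierarchical URLs embedded in free text.
_URL_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://\S+")

# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = [
    "GET http://www.example.com/index.html 200",
    "fetch ftp://alice:s3cret@ftp.example.com/pub/file",
    "fetch ftp://anonymous@ftp.example.com/pub/other",
]


def scan_log(lines):
    """Return (line_number, redacted_url) for every URL carrying a password.

    Line numbers are 1-based. Only the redacted form is returned so that the
    finding itself does not re-expose the password.
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for url in _URL_RE.findall(line):
            if has_cleartext_password(url):
                findings.append((lineno, redact_password(url)))
    return findings


if __name__ == "__main__":
    for lineno, url in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: cleartext password in {url}")
```

The redaction keeps the user name and host so the log entry stays useful for correlation while the secret itself never reaches the log; an empty password (`user:@host`) is reported as well, since the syntax still marks a password as supplied.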