- From: Jonathan Rosenne <Jonathan_Rosenne@CompuServe.com>
- Date: Fri, 4 Apr 1997 08:00:29 -0500
- To: IETF URI list <uri@bunyip.com>, URL List <ietf-url@imc.org>
> > > I think the ":<password>" should be removed from the default Internet
> > > component. Otherwise you encourage plaintext passwords (people will use
> > > them anyway if really necessary).
> >
> > This isn't the "default" Internet component, it is the "generic" Internet
> > component. And the security considerations section says:
> >
> >    It is clearly unwise to use a URL that contains a password which is
> >    intended to be secret.
> >
> > Need it say more?
>
> No. It needs to say less. Don't even bother suggesting a syntax for
> cleartext passwords -- it's not useful in the "generic" case.

Please note that in any case, even when one uses a "password" input field in a form, in most cases in practice the password is transmitted over the wire in clear. So I don't see what is so wrong about having it in the URL.

Jonathan Rosenne
JR Consulting
P O Box 33641, Tel Aviv, Israel
Phone: +972 50 246 522
Fax: +972 9 956 7353
http://ourworld.compuserve.com/homepages/Jonathan_Rosenne
Received on Friday, 4 April 1997 08:01:30 UTC