Re: revised "generic syntax" and "data:" internet drafts

Jonathan Rosenne (Jonathan_Rosenne@CompuServe.com)
Fri, 4 Apr 1997 08:00:29 -0500


Date: Fri, 4 Apr 1997 08:00:29 -0500
From: Jonathan Rosenne <Jonathan_Rosenne@CompuServe.com>
Subject: Re: revised "generic syntax" and "data:" internet drafts
To: IETF URI list <uri@bunyip.com>, URL List <ietf-url@imc.org>
Message-Id: <199704040800_MC2-13C3-2D43@compuserve.com>

> > > I think the ":<password>" should be removed from the default Internet
> > > component.  Otherwise you encourage plaintext passwords (people will use
> > > them anyway if really necessary).
> > 
> > This isn't the "default" Internet component, it is the "generic" Internet
> > component. And the security considerations section says:
> > 
> >    It is clearly unwise to use a URL that contains a password which is
> >    intended to be secret.
> > 
> > Need it say more?
> 
> No.  It needs to say less.  Don't even bother suggesting a syntax for
> cleartext passwords -- it's not useful in the "generic" case.

Please note that in any case, even when one uses a "password" input field
in a form, in most cases in practice the password is transmitted over the
wire in clear. So I don't see what is so wrong about having it in the URL.

Jonathan Rosenne
JR Consulting
P O Box 33641, Tel Aviv, Israel
Phone: +972 50 246 522   Fax: +972 9 956 7353
http://ourworld.compuserve.com/homepages/Jonathan_Rosenne