HTML reference in RFC 2396bis

RFC 2396bis
<http://www.ietf.org/internet-drafts/draft-fielding-uri-rfc2396bis-00.txt>
contains an obsolete reference to RFC 1866, which was obsoleted by
RFC 2854.  This reference should be replaced with one to
<http://www.w3.org/TR/html401>.

Also, I question whether a normative reference to RFC 952, status
unknown <http://www.normos.org/en/summaries/ietf/rfc/rfc952.html>, is
appropriate for dotted-decimal notation, versus a normative reference to
RFC 791, or to section 2.1 of RFC 1123, which is already referenced.

Finally, I would suggest adding a paragraph to the Security
Considerations about how "malicious URLs" can be crafted combining
misleading usernames/passwords with decimal IP addresses, such as
<http://www.microsoft.com@3492563303/> as described
<http://www.counterpane.com/crypto-gram-0102.html#7> and
<http://rr.sans.org/threats/semantic.php>.  This is, of course, an
attack on users and not on the URI specification, but it is possible
because regular users don't understand the URI spec (and never will).

          - dan
--
Dan Kohn <mailto:dan@dankohn.com>
<http://www.dankohn.com/>  <tel:+1-650-327-2600>  

  Randomly generated quote:
If you're a winner, you don't go to the government. You're too busy. You
have too many customers. It's the people with no customers who end up
besieging the government.... The dog technologies run to Washington,
decked out like poodles. The politician is always the dog's best friend.
- George Gilder

Received on Saturday, 9 November 2002 13:31:13 UTC
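
Added example, not part of the original message: a defender-side check for the pattern described in the third paragraph, a URL whose userinfo looks like a host name while the real host is an IPv4 address written as a single decimal integer (or as a dotted quad). The function names, the result keys and the example.com / 192.0.2.1 samples are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Userinfo shaped like a DNS name is what misleads a reader into taking it
# for the destination host.
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def host_to_ipv4(host):
    """Return dotted-quad text if host is an IPv4 address written either as
    one decimal integer or as a dotted quad; otherwise None."""
    if host.isascii() and host.isdigit() and len(host) <= 10 \
            and int(host) <= 0xFFFFFFFF:
        return str(ipaddress.IPv4Address(int(host)))
    try:
        return str(ipaddress.IPv4Address(host))
    except ValueError:
        return None


def analyze_url(url):
    """Split a URL and report the parts relevant to the misleading-userinfo case."""
    parts = urlsplit(url)
    userinfo = parts.username          # text before ':' or '@' in the authority
    host = parts.hostname or ""        # where the request would actually go
    ipv4 = host_to_ipv4(host)
    hostlike_userinfo = bool(userinfo and HOSTLIKE.match(userinfo))
    return {
        "userinfo": userinfo,
        "host": host,
        "ipv4": ipv4,
        "integer_host": host.isascii() and host.isdigit(),
        # Flag only the combination the message describes.
        "suspicious": hostlike_userinfo and ipv4 is not None,
    }


if __name__ == "__main__":
    samples = [
        "http://www.microsoft.com@3492563303/",   # URL quoted in the message
        "http://www.example.com@192.0.2.1/",      # constructed: dotted-quad variant
        "http://alice@www.example.com/",          # constructed: ordinary userinfo
        "http://www.example.com/",                # constructed: no userinfo
    ]
    for s in samples:
        print(s, analyze_url(s))
```

For the URL quoted in the message, the check reports the userinfo as www.microsoft.com and the actual host as the integer 3492563303, which is the IPv4 address 208.44.73.103.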