
HTML reference in RFC 2396bis

From: Dan Kohn <dan@dankohn.com>
Date: Sat, 9 Nov 2002 10:30:42 -0800
Message-ID: <A23DE7A325D23B49A76B54080E0BCB9E29253B@kabul.skymv.com>
To: <uri@w3.org>

RFC 2396bis
<http://www.ietf.org/internet-drafts/draft-fielding-uri-rfc2396bis-00.txt>
contains an obsolete reference to RFC 1866, which was obsoleted by
RFC 2854.  This reference should be replaced with one to
<http://www.w3.org/TR/html401>.

Also, I question whether a normative reference to RFC 952, status
unknown <http://www.normos.org/en/summaries/ietf/rfc/rfc952.html>, is
appropriate for dotted-decimal notation, versus a normative reference to
RFC 791, or to section 2.1 of RFC 1123, which is already referenced.

Finally, I would suggest adding a paragraph to the Security
Considerations about how "malicious URLs" can be crafted combining
misleading usernames/passwords with decimal IP addresses, such as
<http://www.microsoft.com@3492563303/> as described
<http://www.counterpane.com/crypto-gram-0102.html#7> and
<http://rr.sans.org/threats/semantic.php>.  This is, of course, an
attack on users and not on the URI specification, but it is possible
because regular users don't understand the URI spec (and never will).

          - dan
--
Dan Kohn <mailto:dan@dankohn.com>
<http://www.dankohn.com/>  <tel:+1-650-327-2600>  

  Randomly generated quote:
If you're a winner, you don't go to the government. You're too busy. You
have too many customers. It's the people with no customers who end up
besieging the government.... The dog technologies run to Washington,
decked out like poodles. The politician is always the dog's best friend.
- George Gilder
Received on Saturday, 9 November 2002 13:31:13 UTC
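
One way a link filter could flag the URL shape described in the message above. This is an added example, not part of the original message or of the RFC draft; the names `parse_loose_ipv4` and `inspect_url` and the finding labels are assumptions. It goes beyond the single-decimal case to the other loose IPv4 spellings (hex, octal, fewer than four parts).

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Userinfo that itself looks like a DNS name is the misleading half of the trick.
HOSTLIKE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
# One numeric host component: 0x-prefixed hex, or digits (leading 0 means octal).
NUM = re.compile(r"0x[0-9a-f]+|[0-9]+", re.I)


def parse_loose_ipv4(host):
    """Decode inet_aton-style IPv4 text (1 to 4 parts, decimal/hex/octal).
    Return an IPv4Address, or None when the host is not purely numeric."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(NUM.fullmatch(p) for p in parts):
        return None
    nums = []
    for p in parts:
        base = 16 if p[:2].lower() == "0x" else 8 if len(p) > 1 and p[0] == "0" else 10
        try:
            nums.append(int(p, base))
        except ValueError:  # e.g. "08" is not valid octal
            return None
    *head, last = nums
    # Leading parts are single bytes; the last part fills the remaining bytes.
    if any(n > 255 for n in head) or last >= 256 ** (5 - len(nums)):
        return None
    value = last
    for i, n in enumerate(head):
        value += n << (8 * (3 - i))
    return ipaddress.IPv4Address(value)


def inspect_url(url):
    """Return (effective_host, findings): where the URL really points, and why it is suspect."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    if parts.username is not None:
        findings.append("userinfo-present")
        if HOSTLIKE.fullmatch(parts.username):
            findings.append("userinfo-looks-like-hostname")
    addr = parse_loose_ipv4(host)
    if addr is not None and str(addr) != host:
        findings.append("obfuscated-ipv4-host")
    return (str(addr) if addr is not None else host), findings


if __name__ == "__main__":
    # The URL quoted in the message; the other test inputs are constructed.
    print(inspect_url("http://www.microsoft.com@3492563303/"))
```

Showing the effective host next to the link text gives the user the part of the URL that actually determines where the request goes.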
