Re: userinfo allowed in http URI or not?

> http://www.iana.org/assignments/uri-schemes says 2616 is relevant for http
> URIs and not 1738 anymore
> 2616 refers to 2396 for http URIs

Only for the syntax constructs.  The syntax for the http scheme
is defined in 2616 and does not allow userinfo.

> Well, is it a valid http URI or not? Why is there so much confusion in the
> documents? Could you please add a definitive statement on userinfo in
> 2396bis and either add it explicitly to the BNF syntax or clearly state
> it's invalid?

2396 defines the generic syntax for all schemes, some of which include
userinfo as a valid option.  It is not appropriate for it to say anything
more than it already does, which is basically that it is not recommended
for any scheme.

Getting implementers to understand that passive user security is more
important than backwards compatibility has proven to be difficult.
The spec has to draw a fine line between describing how existing
systems work and how they should work, particularly when the software
is revised faster than the specifications.

....Roy

Received on Monday, 2 February 2004 02:15:56 UTC
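
Added example, not part of the original message or of any RFC: a checker that applies the distinction made above, accepting userinfo where only the generic syntax governs but rejecting it in http URIs. The function name, the inclusion of "https", and the sample URIs are assumptions of this example.

```python
from urllib.parse import urlsplit

# Schemes whose own syntax has no userinfo component. "http" comes from the
# message above; treating "https" the same way is an assumption of this example.
NO_USERINFO_SCHEMES = {"http", "https"}


def check_uri(uri):
    """Return (ok, reason, host) for a URI under the scheme-specific rule."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    # urlsplit() ends the authority at the first "/", "?" or "#", so an "@"
    # that appears in the path or query is never mistaken for userinfo.
    authority = parts.netloc
    # Test for the delimiter itself rather than parts.username, so an empty
    # userinfo ("http://@host/") is caught as well.
    has_userinfo = "@" in authority
    # The host is what follows the last "@" in the authority, which is the
    # part a client actually connects to.
    host = parts.hostname
    if has_userinfo and scheme in NO_USERINFO_SCHEMES:
        return (False, "userinfo not allowed in %s URI" % scheme, host)
    return (True, "ok", host)


# Constructed sample URIs (documentation names and addresses only).
SAMPLES = [
    "http://www.example.com/index.html",
    "http://www.example.com@192.0.2.1/index.html",
    "http://@example.com/",
    "http://example.com/profile/user@example.org",
    "http://example.com/?mail=a@b",
    "HTTP://User:pw@Example.COM:8080/",
    "ftp://anonymous@ftp.example.com/pub/",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        ok, reason, host = check_uri(uri)
        print("%-6s host=%-18s %s  (%s)" % ("ok" if ok else "REJECT", host, uri, reason))
```

In the second sample the text before the "@" looks like a host name, but the host the checker reports is 192.0.2.1.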