- From: Graham Klyne <GK@ninebynine.org>
- Date: Mon, 02 Feb 2004 10:31:36 +0000
- To: "Roy T. Fielding" <fielding@gbiv.com>
- Cc: uri@w3.org
At 23:16 01/02/04 -0800, Roy T. Fielding wrote:
>>http://www.iana.org/assignments/uri-schemes says 2616 is relevant for http
>>URIs and not 1738 anymore
>>2616 refers to 2396 for http URIs
>
>Only for the syntax constructs. The syntax for the http scheme
>is defined in 2616 and does not allow userinfo.
>
>>Well, is it a valid http URI or not? Why is there so much confusion in the
>>documents? Could you please add a definitive statement on userinfo in
>>2396bis and either add it explicitly to the BNF syntax or clearly state
>>it's invalid?
>
>2396 defines the generic syntax for all schemes, some of which include
>userinfo as a valid option. It is not appropriate for it to say anything
>more than it already does, which is basically that it is not recommended
>for any scheme.
>
>Getting implementers to understand that passive user security is more
>important than backwards compatibility has proven to be difficult.
>The spec has to draw a fine line between describing how existing
>systems work and how they should work, particularly when the software
>is revised faster than the specifications.

This prompted me to review the security considerations in:

http://cvs.apache.org/viewcvs.cgi/*checkout*/ietf-uri/rev-2002/rfc2396bis.html

I think they cover this pretty well, but wonder if it's worth considering:

(a) changing the section names for 7.4 and/or 7.5 to make it more obvious that they make reference to 'userinfo' parts of a URI.

(b) adding some commentary to the effect that individual URI schemes may prohibit (are encouraged to prohibit?) the use of userinfo to ameliorate such security concerns.

For example, update section 7.4 thus:

[[
7.4 Sensitive Information in 'userinfo' component

It is clearly unwise to use a URI that contains a password which is intended to be secret. In particular, the use of a password within the userinfo component of a URI is strongly discouraged except in those rare cases where the 'password' parameter is intended to be public.

Because of the potential security concerns with the userinfo component (see also section 7.5 below), its use may be prohibited within some URI schemes that otherwise conform to this generic syntax. Such restriction is permitted and, where security concerns arise, encouraged. Consult the corresponding URI scheme specification for specific information about the fields allowed by various applications.
]]

#g

------------
Graham Klyne
For email:
http://www.ninebynine.org/#Contact
Received on Monday, 2 February 2004 05:46:22 UTC
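
The scheme-level restriction discussed in the message above, sketched as an added example (not part of the original message or of any specification): a checker that accepts the generic syntax but flags userinfo, flags a password in it, and reports when the scheme itself prohibits userinfo. The function names, finding codes, sample URIs and the inclusion of `https` alongside `http` are assumptions of this example.

```python
from urllib.parse import urlsplit, urlunsplit

# Schemes whose own specification disallows userinfo. "http" follows the
# statement in the thread about RFC 2616; "https" is this example's assumption.
NO_USERINFO_SCHEMES = frozenset({"http", "https"})


def split_userinfo(netloc):
    """Return (userinfo, hostport); userinfo is None when there is no '@'."""
    userinfo, at, hostport = netloc.rpartition("@")
    return (userinfo if at else None), hostport


def check_uri(uri, prohibited=NO_USERINFO_SCHEMES):
    """Report userinfo findings for one URI as a list of short codes."""
    parts = urlsplit(uri)  # urlsplit lowercases the scheme for us
    userinfo, _ = split_userinfo(parts.netloc)
    findings = []
    if userinfo is None:
        return findings
    findings.append("userinfo-present")
    if ":" in userinfo:
        # "user:password" form, the case section 7.4 discourages
        findings.append("password-in-uri")
    if parts.scheme in prohibited:
        findings.append("userinfo-prohibited-by-scheme")
    return findings


def redact(uri):
    """Drop the userinfo component so the URI can be logged or displayed."""
    parts = urlsplit(uri)
    _, hostport = split_userinfo(parts.netloc)
    return urlunsplit((parts.scheme, hostport, parts.path, parts.query, parts.fragment))


# Constructed sample URIs, not taken from the thread.
SAMPLES = [
    "http://example.org/index.html",
    "http://alice@example.org/",
    "HTTP://alice:s3cret@example.org/private?x=1#top",
    "ftp://anonymous:guest@ftp.example.org/pub/",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(redact(uri), check_uri(uri))
```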