W3C home > Mailing lists > Public > uri@w3.org > February 2004

Re: userinfo allowed in http URI or not?

From: Graham Klyne <GK@ninebynine.org>
Date: Mon, 02 Feb 2004 10:31:36 +0000
Message-Id: <5.1.0.14.2.20040202102145.00bcaf90@127.0.0.1>
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: uri@w3.org

At 23:16 01/02/04 -0800, Roy T. Fielding wrote:

>>http://www.iana.org/assignments/uri-schemes says 2616 is relevant for http
>>URIs and not 1738 anymore
>>2616 refers to 2396 for http URIs
>
>Only for the syntax constructs.  The syntax for the http scheme
>is defined in 2616 and does not allow userinfo.
>
>>Well, is it a valid http URI or not? Why is there so much confusion in the
>>documents? Could you please add a definitive statement on userinfo in
>>2396bis and either add it explicitely to the BNF syntax or clearly state
>>it's invalid?
>
>2396 defines the generic syntax for all schemes, some of which include
>userinfo as a valid option.  It is not appropriate for it to say anything
>more than it already does, which is basically that it is not recommended
>for any scheme.
>
>Getting implementers to understand that passive user security is more
>important than backwards compatibility has proven to be difficult.
>The spec has to draw a fine line between describing how existing
>systems work and how they should work, particularly when the software
>is revised faster than the specifications.

This prompted me to review the security considerations in:
   http://cvs.apache.org/viewcvs.cgi/*checkout*/ietf-uri/rev-2002/rfc2396bis.html

I think they cover this pretty well, but wonder if it's worth considering:
(a) changing the section names for 7.4 and/or 7.5 to make it more obvious 
that they make reference to 'userinfo' parts of a URI.
(b) adding some commentary to the effect that individual URI schemes may 
prohibit (are encouraged to prohibit?) the use of userinfo to ameliorate 
such security concerns.

For example, update section 7.4 thus:
[[
7.4  Sensitive Information in 'userinfo' component

It is clearly unwise to use a URI that contains a password which is 
intended to be secret. In particular, the use of a password within the 
userinfo component of a URI is strongly discouraged except in those rare 
cases where the 'password' parameter is intended to be public.

Because of the potential security concerns with the userinfo component (see 
also section 7.5 below), its use may be prohibited within some URI schemes 
that otherwise conform to this generic syntax.  Such restriction is 
permitted and, where security concerns arise, encouraged.  Consult the 
corresponding URI scheme specification for specific information about the 
fields allowed by various applications.
]]

#g


------------
Graham Klyne
For email:
http://www.ninebynine.org/#Contact
Received on Monday, 2 February 2004 05:46:22 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:25:07 UTC