- From: Charles Lindsey <chl@clerew.man.ac.uk>
- Date: Thu, 23 Sep 2004 12:30:09 +0100
- To: uri@w3.org
On Wed, 22 Sep 2004 20:35:45 -0700, Paul Hoffman / IMC <phoffman@imc.org> wrote:

>> Presumably also to RFC 2396bis for <server>, and it still is not clear
>> to me whether <server> could include user+password information, and if
>> so what one does if the authentication required by the server is SASL
>> based, which will soon become the norm.
>
> OK, I need a specific answer on those. Otherwise, it is just a host name.

Well according to RFC 2396 (and I presume 2396bis is essentially the same), the syntax is:

      server        = [ [ userinfo "@" ] hostport ]
      userinfo      = *( unreserved | escaped |
                         ";" | ":" | "&" | "=" | "+" | "$" | "," )
      hostport      = host [ ":" port ]

where:

   where <userinfo> may consist of a user name and, optionally, scheme-specific information about how to gain authorization to access the server. The parts "<userinfo>@" and ":<port>" may be omitted.
   ...
   Some URL schemes use the format "user:password" in the userinfo field. This practice is NOT RECOMMENDED, because the passing of authentication information in clear text (such as URI) has proven to be a security risk in almost every case where it has been used.

That may be NOT RECOMMENDED, but it is widely deployed. NNTP servers regularly require authentication, and that is what they usually provide. But there is a SASL draft in hand which hopefully will take over in, say, 100 years time :-( .

So what do we want to do here? Or, first of all, what have other schemes done about this problem? I see that Al once proposed an 'snews' scheme, but do we really want a totally separate scheme just to deal with SASL? Surely this is a generic problem that affects many schemes, and a generic solution would make more sense.

Clearly, the <port> parameter is needed in the news scheme, and should default to 119.

I note also that the syntax will allow

   news:///<message-id>

which presumably means the same as

   news:<message-id>

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Fax: +44 161 436 6133   Web: http://www.cs.man.ac.uk/~chl
Email: chl@clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
Received on Thursday, 23 September 2004 16:12:57 UTC
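
The following is an added example, not part of the original message or of any RFC: a small Python parser for the `<server>` part of a news: URI using the RFC 2396 grammar quoted above, which flags the "user:password" form, applies the default port 119 proposed in the message, and redacts the password for logging. The function names, the simplified host pattern, and the sample hosts and credentials are assumptions constructed for illustration.

```python
import re

# userinfo per the RFC 2396 grammar quoted in the message:
# *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," )
USERINFO = r"(?:[A-Za-z0-9\-_.!~*'();:&=+$,]|%[0-9A-Fa-f]{2})*"
# server = [ [ userinfo "@" ] hostport ], hostport = host [ ":" port ]
# Assumption: host is simplified to letters, digits, "." and "-".
SERVER = re.compile(
    r"^(?:(?P<userinfo>" + USERINFO + r")@)?"
    r"(?P<host>[A-Za-z0-9.\-]+)(?::(?P<port>[0-9]*))?$"
)
DEFAULT_NEWS_PORT = 119  # default proposed in the message


def parse_news_uri(uri):
    """Split a news: URI into its server parts and the remaining target."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "news":
        raise ValueError("not a news: URI")
    result = {"user": None, "has_password": False,
              "host": None, "port": None, "target": rest}
    if not rest.startswith("//"):
        return result                    # news:<message-id>, no server part
    server, _, target = rest[2:].partition("/")
    result["target"] = target
    if server == "":
        return result                    # news:///<message-id>, empty server
    m = SERVER.match(server)
    if m is None:
        raise ValueError("server part does not match the RFC 2396 grammar")
    userinfo = m.group("userinfo")
    if userinfo is not None:
        user, colon, _password = userinfo.partition(":")
        result["user"] = user
        result["has_password"] = bool(colon)   # the "user:password" form
    result["host"] = m.group("host").lower()
    result["port"] = int(m.group("port") or DEFAULT_NEWS_PORT)
    return result


def redact(uri):
    """Return the URI with any userinfo password masked, for safe logging."""
    return re.sub(r"^(news://[^/@:]*):[^/@]*@", r"\1:***@", uri, flags=re.I)


if __name__ == "__main__":
    sample = "news://alice:s3cret@news.example.org/<id@example.org>"  # constructed
    print(parse_news_uri(sample))
    print(redact(sample))
```

Because the message-id itself contains "@", the redaction pattern only looks for userinfo before the first "/" after the authority marker.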