Re: [art] Putting actual credentials in URIs was an accident of history, let's repurpose those fields instead?
"Soni L." <fakedme+art@gmail.com> Tue, 28 February 2023 11:47 UTC
Return-Path: <fakedme@gmail.com>
X-Original-To: art@ietfa.amsl.com
Delivered-To: art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7EA0C15155E for <art@ietfa.amsl.com>; Tue, 28 Feb 2023 03:47:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.095
X-Spam-Level:
X-Spam-Status: No, score=-1.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ubCYdv2ckwRt for <art@ietfa.amsl.com>; Tue, 28 Feb 2023 03:47:07 -0800 (PST)
Received: from mail-ot1-x330.google.com (mail-ot1-x330.google.com [IPv6:2607:f8b0:4864:20::330]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97063C14CEFE for <art@ietf.org>; Tue, 28 Feb 2023 03:47:07 -0800 (PST)
Received: by mail-ot1-x330.google.com with SMTP id q11-20020a056830440b00b00693c1a62101so5397552otv.0 for <art@ietf.org>; Tue, 28 Feb 2023 03:47:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=YLvTNAJZ7LoRv4sRdZk7wje+2ARx+CuIVaHoP/Fci68=; b=BeR0yji1vk5YDN0mRqz8fFH1lENc5XLDycWJFaK2JoKrk+IothfTgR4TMzxSJkH3q3 0rBRXunKPKutg1kRQlu9F0T7HHNC8Gfw6Q/xkSHDZNpSINWUQEhIral8rDQQdmRp9vsa 4m3/NLc/jThReQV5mOO71s4eH2yQcTYrM1kqv06L+s/IAhURvhIT2lRVk+UlXN/iIT4p 3GR4LyKE96K3VQFQVkgAEWmKiOY0z7FK5LzDgheTrroKSSIAIXBWZZyj1ijs6xFvDzyI XLXF63ZIwaGN8U1a0Ccj8onXC2HlreVVf6YBrH50mAt4DhpSMHcgPruCVZoLO50czqtc 4uzA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=YLvTNAJZ7LoRv4sRdZk7wje+2ARx+CuIVaHoP/Fci68=; b=rVqH18TkQUzsxtw8lu2xBYz+pciAVkC8ipoPvLCL4ns3fRRsqB6sWCJbItGHtSaAFS MLU/jE5NTDQb/2cZbuIr7AsexbVTzmqQqTSHnEDTs5URtdnbHkzeqXiHUqIYTlLzxBaK OgXP7FdQxuN4O0WqKukqbyQo+0Yg/vZ6rvwv8heLygrNHBlKeYaKcW8klc7qUJaBqyOt D3zmtzdCseai2Z/1JdBZRbV07vjrDAvj8xNgTJb3uS3EN8u6mxLt58jACpA5LrnJ+lwj narbP818uaM1uH2z0jqIj0EonmVj1hVdcofM6HIYZT6tFqN3llQNI+UCr2SghhApxT6y 37Rw==
X-Gm-Message-State: AO0yUKUx0ot4ol8ZTKqbQDYiC41OSf3VwTHndxz3l7SPSYTpCKstD+eT /0ejahJHrZfhA7GWaOavFs3C5nfCqJQbwetUf4LKH/5Q
X-Google-Smtp-Source: AK7set+WcOWh6Xz62xAdHEHQ2AhZJqAc777k1KU04LExh5v4q8uiZGfWdwUQzDDdpWJmsKAw828wjFeLMz/gThRlW8o=
X-Received: by 2002:a9d:701c:0:b0:68d:bd4d:f4b8 with SMTP id k28-20020a9d701c000000b0068dbd4df4b8mr908129otj.0.1677584826453; Tue, 28 Feb 2023 03:47:06 -0800 (PST)
MIME-Version: 1.0
References: <9568aaa5-21f3-a40c-92ed-57d8b217813f@gmail.com> <87D11F6BD1CB162884B065D5@PSB>
In-Reply-To: <87D11F6BD1CB162884B065D5@PSB>
From: "Soni L." <fakedme+art@gmail.com>
Date: Tue, 28 Feb 2023 08:46:54 -0300
Message-ID: <CA+-cKyN-EBNj21AA3Yx5N_Hmuz2QTnB0oRdPmgM2AwTvrnyruQ@mail.gmail.com>
To: John C Klensin <john-ietf@jck.com>
Cc: art@ietf.org
Content-Type: multipart/alternative; boundary="000000000000a95b3505f5c1277d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/art/WoVapOs2hpx9luhBsDKPzJg-ccw>
Subject: Re: [art] Putting actual credentials in URIs was an accident of history, let's repurpose those fields instead?
X-BeenThere: art@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Applications and Real-Time Area Discussion <art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/art>, <mailto:art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/art/>
List-Post: <mailto:art@ietf.org>
List-Help: <mailto:art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/art>, <mailto:art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Feb 2023 11:47:12 -0000
Okay... How about renaming "username@" to "servicetag@"? This would make a good excuse to stop the WHATWG from swallowing the "git@" part of "ssh:// git@github.com" and is entirely backwards-compatible, and it also better aligns with how these things get used in public APIs anyway (case in point: how github uses it). (This is, in fact, the whole motivation for doing something cursed like attempting to repurpose these: simply having the WHATWG stop swallowing the actually very important "username" tag.) On Tue, Feb 28, 2023, 00:32 John C Klensin <john-ietf@jck.com> wrote: > Soni, > > With the caveat that I'm still not convinced that sub-schemes > are a good idea and noting that I can find nothing in either RFC > 3986 or BCP35 that gives "+" any special status (e.g., there is > no more inherent relationship between web+git: and web+xyz: than > there is between the former and a hypothetical "example:" > scheme), the idea of "repurposing" a some syntax so that a > construction that once meant one thing would henceforth mean > something else is, for lack of a better term, creepy. An obvious > problem is that, regardless of what contemporary web browsers > and servers do, there are devices around with embedded HTTP > servers and URL processors that date from the mid-1990s. Might > some of them still be around and dependent on the old > interpretation of the syntax? It would be really hard to prove > otherwise but, unless one could do so, to "repurpose" those > fields would be an attack on the IETF's obligations about > stability and interoperability. Might be worth doing anyway if > it were clear that the functionality was critical _and_ there > were no plausible alternatives, but it seems to me that Dale > Worley's note [1] provides both a good analysis and a collection > of plausible alternatives. > > So let's not go there. > > john > > > [1] > https://mailarchive.ietf.org/arch/msg/art/A6PXgEvhZ50JHViQgWntdCxzg9U > > --On Friday, February 24, 2023 12:42 -0300 "Soni L." > <fakedme+art@gmail.com> wrote: > > > So how bad of an idea would it be to repurpose "username" and > > "password" in URIs for all sorts of stuff? E.g. > > https://soniex2.tumblr.com/post/705832532473724928/so-heres-ou > > r-plan-we-wanna-have-web-git-urls > > > > --- > > > > so here's our plan: we wanna have web+git URLs, and it > > should look like web+git://username:namespace@hostname/path > > > > so for example, on something like github, username = the > > username of the owner of the repo, namespace = always empty > > since github doesn't support namespaces, hostname = > > github.com, path = repo name. > > > > on something like bitbucket, which does support namespaces, > > the namespace can be non-empty. > > > > on something more selfhosted, the username and namespace could > > be omitted entirely. > > > > e.g. we could have > > web+git://fedi-to@github.com/fedi-to.github.io > > > > e.g. we could have web+git://soniex2.autistic.space/dfu > > > > how cursed is this? > > >