IETF Logo Mail Archive

Re: Adding user@ to HTTP[S] URIs

James Fuller <jim@webcomposite.com> Sun, 26 January 2020 11:20 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF4D8120019 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 26 Jan 2020 03:20:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.652
X-Spam-Level:
X-Spam-Status: No, score=-2.652 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=webcomposite-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xaQ3qJ6opzuf for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 26 Jan 2020 03:20:22 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [IPv6:2603:400a:ffff:804:801e:34:0:38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74476120018 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sun, 26 Jan 2020 03:20:22 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.89) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1ivfvn-0004sZ-6A for ietf-http-wg-dist@listhub.w3.org; Sun, 26 Jan 2020 11:18:19 +0000
Resent-Date: Sun, 26 Jan 2020 11:18:19 +0000
Resent-Message-Id: <E1ivfvn-0004sZ-6A@frink.w3.org>
Received: from titan.w3.org ([2603:400a:ffff:804:801e:34:0:4c]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <jim@webcomposite.com>) id 1ivfvl-0004rj-EM for ietf-http-wg@listhub.w3.org; Sun, 26 Jan 2020 11:18:17 +0000
Received: from mail-il1-x142.google.com ([2607:f8b0:4864:20::142]) by titan.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from <jim@webcomposite.com>) id 1ivfvj-00038i-Dd for ietf-http-wg@w3.org; Sun, 26 Jan 2020 11:18:17 +0000
Received: by mail-il1-x142.google.com with SMTP id l4so5223383ilj.1 for <ietf-http-wg@w3.org>; Sun, 26 Jan 2020 03:18:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=webcomposite-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=yybIvJfWaj5ZpcMnB1eoOsSyyATtfY7ENEdwAe+wPO8=; b=Fb2Z82UPxVmOOaM+UrpPgyvVDeSeRXhsNMJUZeMit92Y/WjLZrkywYICBjnnIeV2LX 9QEiEKt/Ei0vpLjXuX0jG9ltSp8GTKIeqG2TtyTR93ncaG3x2nCVLcDuNNwH4kenTkOc kEaf/A6kjehQitif2NVgb4lWUNPaBskpwxQFgBO16qzMXXdZ3NZG3b0gCIxsHE/2gf2L ynDO80WjMtVh+mass8q79+Ax1/RlhaDpD+sDNaKEUKtAzaWWLwCLzDTeIooTI2br9PT5 sXMlnzsFAxKvDt+83fTzzWZ+Gtdbu0GSz0aD8F1Q1qDevkHFeuIdCjAF4Zz3Y3M9CZ4q al2A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=yybIvJfWaj5ZpcMnB1eoOsSyyATtfY7ENEdwAe+wPO8=; b=J70GT7gGdaJhBzZFoxIlPfkkqkKDb4g9TVXdwkzK4w0fkjocdvEUgSd5/3W/wEQdRz S1jV8Af5bx7NGLyp7GVe6/UXUrtQJoiicGUyUEeqNf9cjrBIjnBw9tRDPGhuSj03oQfV AlrDfGxZZTQselEH7wPiDaliLu0BqAT3IUG+4zKoF8ot4quWyiaUxlKEcRpm/51Anugp gkBFFmkuPdPqHSS9l3s4qSqtGaFhvjAqbTONRQHPkopRO72br7HJZPTIJYCHDA/8abHB T7bg4ie2T3YVX9zYjj4syZ1bbp+RAksgccu8zwSo5AhBHbDgkee4BH2aiQxLvEVHj5Ig /64Q==
X-Gm-Message-State: APjAAAVf/gsGaQkDMJ1mSlYZ8sF3Fgj1l4/VEtCxBCC3ZOHszS9yJaJv /7Deh7YbUbWcHwCjgpCYRtd4w9hwagn1AYyQtzmmEpMm1Z8=
X-Google-Smtp-Source: APXvYqyzKKilVsx+PnT8dkxH4+1qhydnTpLZoQ98INKXnl5X3wUQ1QKcAEqTOKQyBlJ10k5rhrsJma51mSPddjOCVrM=
X-Received: by 2002:a92:9a90:: with SMTP id c16mr10775886ill.3.1580037493764; Sun, 26 Jan 2020 03:18:13 -0800 (PST)
MIME-Version: 1.0
References: <5E2B76EC.5000300@openfortress.nl> <BB50C7B7-3861-4054-AFB7-6F1C287AFEE6@gmail.com> <5E2C2039.7080303@openfortress.nl> <0bb7f153-57ea-7cb4-59e2-26ee2e41d928@treenet.co.nz> <5E2C4738.8010609@openfortress.nl> <alpine.DEB.2.20.2001251614520.15685@tvnag.unkk.fr> <5E2C65D7.7030408@openfortress.nl> <4859592D-1B93-49E0-9661-5E24FDAC276F@bzfx.net> <5E2D630A.604@openfortress.nl>
In-Reply-To: <5E2D630A.604@openfortress.nl>
From: James Fuller <jim@webcomposite.com>
Date: Sun, 26 Jan 2020 12:18:02 +0100
Message-ID: <CAEaz5mtYyvei8wxb4_1H36N2PkrU+-47uqn2KtitqMtd9LRwsQ@mail.gmail.com>
To: Rick van Rein <rick@openfortress.nl>
Cc: Austin Wright <aaa@bzfx.net>, "HTTPbis WG (IETF)" <ietf-http-wg@w3.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Received-SPF: none client-ip=2607:f8b0:4864:20::142; envelope-from=jim@webcomposite.com; helo=mail-il1-x142.google.com
X-W3C-Hub-Spam-Status: No, score=-5.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1ivfvj-00038i-Dd cb6445f82838ae40a8a32149dc0fd6ad
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Adding user@ to HTTP[S] URIs
Archived-At: <https://www.w3.org/mid/CAEaz5mtYyvei8wxb4_1H36N2PkrU+-47uqn2KtitqMtd9LRwsQ@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/37288
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Sun, 26 Jan 2020 at 11:03, Rick van Rein <rick@openfortress.nl> wrote:
> I know, but this kind of thinking is always hindering HTTP progress or,
> more in general, the development of any client/server protocol in use.
> This style of thought is not helpful during innovation, I think.

If I understood correctly, what is being proposed is instead of (using
prev response examples):

  https://family.redbarn.org/~vixie/
or
  https://family.redbarn.org/@vixie/

one may perform an HTTP request with either of the following:

  https://vixie@family.redbarn.org
or
  GET /index.html HTTP/1.1
  Host: family.redbarn.org
  User: vixie

> Note that what I am tackling here is based on misinterpretation of
> RFC3986, so it is a bug that ought to be fixed.  Also note that nothing
> is breaking by adding this facilty, only enforcing its use could.

what a URI can and cannot be (or should be) is a minefield with
respect to specifications vs what we have in the 'real world' eg. a
mixture of interpretation from several specs, what the major browser
vendors support with a dash of adhoc. A few years back Daniel Stenberg
overview still applies:

  https://daniel.haxx.se/blog/2016/05/11/my-url-isnt-your-url/

I only mention this link because your spec seems to imply that URI (as
a technology) have a single, stable, canonical specification
describing behaviour from which we can incrementally define/refactor
new behavior from... that is not the case.

> Users who do have a compliant user agent can immediately experience the
> benefits for their own use, against their own sites.  That might be
> their own IDP, but the support might explode when large providers
> support it, as in https://godfried.boomans@gmail.com for access to webmail.

I think I completely understand the rationale for your proposal ...
just 'old man cranky' on the reality of adopting such a change.

Some observations:

The userinfo section is optional with scope and context related to the
denoted host ... as prev mentioned should not be transmitted.

   authority = [userinfo@]host[:port]

In HTTP we often conflate the 'User' of a software system/application
as equiv to a 'user' against a specific host in terms of an HTTP
conversation ...  though the semantics are important eg. links, logs,
search engines will hover up such information. That may create an
unpredicted new burden to redact (for privacy or security purposes) or
assist in replay (where Authorization headers are being stripped).
Then I wonder what should happen when User: Mary1 has an authorisation
with user="mary" ... having such drift may confuse things.

It is not obvious how this change might affect idempotency eg. what
happens when Mary gets a different document then John based on routing
with the new User: header. Existing servers, clients, cache (middle
box or otherwise) may have to cater for this change.

URI's are 'forever' and used in a lot (a lot) of different places ...
eg. what happens if a URI identifying a resource is then used
(unintentionally) in some other technology (semweb, rdf triple,
namespaces, etc etc etc) ...  it may not be in scope to define that
behaviour but might be worth thinking a bit beyond a 'browser hitting
a web server' type of use case.

(no doubt due to my own ignorance) I struggle to see the benefits over
using existing 'machinery' and there maybe 'dragons' ...

,Jim

>
> Thanks,
>  -Rick
>
>
> > Consider: If a user clicks on your link, some user agents will send:
> >
> > GET /index.html HTTP/1.1
> > Host: example.com
> > User: john
> >
> > And others will send (because they choose not to implement the feature):
> >
> > GET /index.html HTTP/1.1
> > Host: example.com
> >
> > So what functionality is this offering, if servers can’t rely on user agents sending the header?
> >
> > There’s an easy solution, just put it in the hier-part:
> >
> > http://example.com/~john/index.html
> >
> > Or maybe define a standard that allows the _server_ to specify: “URIs of this format <http://example.com/~{user}/> belong to the specified user”
> >
> > Austin Wright.
> >
> >
> >> On Jan 25, 2020, at 08:59, Rick van Rein <rick@openfortress.nl> wrote:
> >>
> >> Hi Daniel,
> >>
> >>> You can't fix this simply by saying that setting the name part of the
> >>> userinfo in a HTTP URI is OK. HTTP has no established way to send a
> >>> user name outside of authentication.
> >> Exactly.  That's why I started this thread with an Internet Draft,
> >> https://datatracker.ietf.org/doc/draft-vanrein-http-unauth-user/
> >>
> >> For http://john@example.com/index.html it sends
> >>
> >> GET /index.html HTTP/1.1
> >> Host: example.com
> >> User: john
> >>
> >>
> >> Cheers,
> >> -Rick
> >>
> >
>

v2.23.0 | Report a Bug | By Email