Re: Adding user@ to HTTP[S] URIs
Rick van Rein <rick@openfortress.nl> Mon, 27 January 2020 12:05 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22C011200DF for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 27 Jan 2020 04:05:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.752
X-Spam-Level:
X-Spam-Status: No, score=-2.752 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=openfortress.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ICUF7odddYX9 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 27 Jan 2020 04:05:27 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [IPv6:2603:400a:ffff:804:801e:34:0:38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5973F12001E for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 27 Jan 2020 04:05:27 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.89) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1iw36X-0005x7-Jv for ietf-http-wg-dist@listhub.w3.org; Mon, 27 Jan 2020 12:02:57 +0000
Resent-Date: Mon, 27 Jan 2020 12:02:57 +0000
Resent-Message-Id: <E1iw36X-0005x7-Jv@frink.w3.org>
Received: from titan.w3.org ([2603:400a:ffff:804:801e:34:0:4c]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <rick@openfortress.nl>) id 1iw36V-0005vv-Ai for ietf-http-wg@listhub.w3.org; Mon, 27 Jan 2020 12:02:55 +0000
Received: from lb1-smtp-cloud9.xs4all.net ([194.109.24.22]) by titan.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <rick@openfortress.nl>) id 1iw36T-00021f-LD for ietf-http-wg@w3.org; Mon, 27 Jan 2020 12:02:55 +0000
Received: from popmini.vanrein.org ([83.161.146.46]) by smtp-cloud9.xs4all.net with ESMTP id w36KiKvOAT6sRw36Li7mkI; Mon, 27 Jan 2020 13:02:45 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=openfortress.nl; i=rick@openfortress.nl; q=dns/txt; s=fame; t=1580126558; h=message-id : date : from : mime-version : to : cc : subject : references : in-reply-to : content-type : content-transfer-encoding : date : from : subject; bh=eqlNbrNGYgESEN/Mr/XFAdS7jVXBrLZaeLO2flb7fn4=; b=faAX6NCMAPZMgN7HgcOahKHYO/xV6iIE9mxkyuyzMNh2o1rwnBLfPf8X zvK4yuBag39kTo2mtrA+w0vdtURzM3XQy/0Mn7dlOlfEBy5PFt1Yq8kyYc gwlMvsSP+W7QVoF5JMDwifeEcSHSxxlFI2cWCKXlSKNvtUKpQYO1giwu0=
Received: by fame.vanrein.org (Postfix, from userid 1006) id 128A82568B; Mon, 27 Jan 2020 12:02:38 +0000 (UTC)
Received: from airhead.local (phantom.vanrein.org [83.161.146.46]) by fame.vanrein.org (Postfix) with ESMTPA id 4AB0D2549A; Mon, 27 Jan 2020 12:02:34 +0000 (UTC)
Message-ID: <5E2ED158.1030909@openfortress.nl>
Date: Mon, 27 Jan 2020 13:02:32 +0100
From: Rick van Rein <rick@openfortress.nl>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: James Fuller <jim@webcomposite.com>
CC: Austin Wright <aaa@bzfx.net>, "HTTPbis WG (IETF)" <ietf-http-wg@w3.org>
References: <5E2B76EC.5000300@openfortress.nl> <BB50C7B7-3861-4054-AFB7-6F1C287AFEE6@gmail.com> <5E2C2039.7080303@openfortress.nl> <0bb7f153-57ea-7cb4-59e2-26ee2e41d928@treenet.co.nz> <5E2C4738.8010609@openfortress.nl> <alpine.DEB.2.20.2001251614520.15685@tvnag.unkk.fr> <5E2C65D7.7030408@openfortress.nl> <4859592D-1B93-49E0-9661-5E24FDAC276F@bzfx.net> <5E2D630A.604@openfortress.nl> <CAEaz5mtYyvei8wxb4_1H36N2PkrU+-47uqn2KtitqMtd9LRwsQ@mail.gmail.com>
In-Reply-To: <CAEaz5mtYyvei8wxb4_1H36N2PkrU+-47uqn2KtitqMtd9LRwsQ@mail.gmail.com>
X-Enigmail-Version: 1.2.3
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bogosity: Unsure, tests=bogofilter, spamicity=0.520000, version=1.2.4
X-CMAE-Envelope: MS4wfCcAeiKoS4vme0DzoOqkUF6/G1lnFjhS88SUfkGvdZSPkFPm/fmvrsE4Kx7ps7XvJhDRPP4nDmT/LTgQwAE3eY9yw6UjjjK9sFZitWHPWqPqxciIwIaw qvKicCbhLkVbWlnzRVRANHIsyoeOMTB1juAUc/NvQy0EyNVn5dKOxMlwZ1jLpI6FPpuWUL8iZ4/1ug==
Received-SPF: pass client-ip=194.109.24.22; envelope-from=rick@openfortress.nl; helo=lb1-smtp-cloud9.xs4all.net
X-W3C-Hub-Spam-Status: No, score=-4.8
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1iw36T-00021f-LD 6bd9ea94b2faf0bdb536b4bcc8f85993
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Adding user@ to HTTP[S] URIs
Archived-At: <https://www.w3.org/mid/5E2ED158.1030909@openfortress.nl>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/37293
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Hi James, Thanks for your cautious response. > If I understood correctly, what is being proposed is instead of (using > prev response examples): Not instead of, but in addition to. I have no quarrel with existing habits, I just want also be able to express things with more semantics, with broader validity. The treatment of user identities does not add something that cannot also be done under other conventions. However, these other conventions are local, and tighten the relations between parties and reduce the opportunity for automation, for being systematic, for solving things over a broad range. My angle on this is from architecting an identity model that spans more protocols than just the web. Every time I look at HTTP, it seems to have invented its own wheels and not be willing to mingle with the other protocols. That is the kind of problem for which I would like to have handle bars, instead of being forced into local conventions that are meaningful to a server but leave the client unaware of meaning. > what a URI can and cannot be (or should be) is a minefield with > respect to specifications vs what we have in the 'real world' I suppose the question is if there is any concrete mine below the lines I've written. There are surely problems but I wonder if any apply here. > I think I completely understand the rationale for your proposal ... > just 'old man cranky' on the reality of adopting such a change. I think a proposal that creates new corners for use of HTTP is helpful on its own. The risk, if we only look at overall domination, is that we enslave ourselves to a few very large corporations and basically give up our control over Internet technology. Said the innovator, who also happens to be old :) > The userinfo section is optional with scope and context related to the > denoted host ... as prev mentioned should not be transmitted. Should not be transmitted as part of the Host header, indeed. I also found that everyone is welcome to define a new header :) > Then I wonder what should happen when User: Mary1 has an authorisation > with user="mary" ... having such drift may confuse things. In the example I gave, they are identities from different name spaces; and they are linked by the server, presumably through some kind of ACL. That ACL would say things like "Mary1" is the resource being addressed, and it accepts/rejects users who authenticated as "mary". ACLs tend to be pretty accurate in linking resources and users ;-) This decoupling is at the heart of my reasoning. It makes sense in most of the protocols, but HTTP has, probably due to Basic/Digest authentication, gotten them mixed up. > It is not obvious how this change might affect idempotency eg. what > happens when Mary gets a different document then John based on routing > with the new User: header. Idempotency means that doing the same thing again has no added effect. What does that mean here? > Existing servers, clients, cache (middle > box or otherwise) may have to cater for this change. Please let me know if the cache solution in the proposal is incomplete. Please let me know if the statement that a server may ignore the User: header (and presumably present a fallback page) is insufficient. Please let me know whatever concrete issue you are seeing that I missed! > URI's are 'forever' and used in a lot (a lot) of different places ... I think this is your assumption that I would abolished existing patterns. Far be it from me to stop anyone from doing anything that they have grown accustomed to, or fallen in love with. I would however like to have an alternative path that offers more semantics, and that may very well be an alias to the existing practice. (I actually coded the User: header into Apache's mod_userdir as an alias.) > (no doubt due to my own ignorance) I struggle to see the benefits over > using existing 'machinery' and there maybe 'dragons' ... Please introduce me to any dragons you encounter; this caution alone does not seem cause for action yet. Thanks, -Rick
- Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Michael Toomim
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Amos Jeffries
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Daniel Stenberg
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Paul Vixie
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Julian Reschke
- Re: Adding user@ to HTTP[S] URIs James Fuller
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Amos Jeffries
- Re: Adding user@ to HTTP[S] URIs Matthew Kerwin
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Daniel Stenberg
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Julian Reschke
- Re: Adding user@ to HTTP[S] URIs Daniel Stenberg
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Daniel Stenberg
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Amos Jeffries
- Re: Adding user@ to HTTP[S] URIs Willy Tarreau
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Rick van Rein