IETF Logo Mail Archive

Re: Adding user@ to HTTP[S] URIs

Rick van Rein <rick@openfortress.nl> Mon, 27 January 2020 12:05 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22C011200DF for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 27 Jan 2020 04:05:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.752
X-Spam-Level:
X-Spam-Status: No, score=-2.752 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=openfortress.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ICUF7odddYX9 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 27 Jan 2020 04:05:27 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [IPv6:2603:400a:ffff:804:801e:34:0:38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5973F12001E for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 27 Jan 2020 04:05:27 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.89) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1iw36X-0005x7-Jv for ietf-http-wg-dist@listhub.w3.org; Mon, 27 Jan 2020 12:02:57 +0000
Resent-Date: Mon, 27 Jan 2020 12:02:57 +0000
Resent-Message-Id: <E1iw36X-0005x7-Jv@frink.w3.org>
Received: from titan.w3.org ([2603:400a:ffff:804:801e:34:0:4c]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <rick@openfortress.nl>) id 1iw36V-0005vv-Ai for ietf-http-wg@listhub.w3.org; Mon, 27 Jan 2020 12:02:55 +0000
Received: from lb1-smtp-cloud9.xs4all.net ([194.109.24.22]) by titan.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <rick@openfortress.nl>) id 1iw36T-00021f-LD for ietf-http-wg@w3.org; Mon, 27 Jan 2020 12:02:55 +0000
Received: from popmini.vanrein.org ([83.161.146.46]) by smtp-cloud9.xs4all.net with ESMTP id w36KiKvOAT6sRw36Li7mkI; Mon, 27 Jan 2020 13:02:45 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=openfortress.nl; i=rick@openfortress.nl; q=dns/txt; s=fame; t=1580126558; h=message-id : date : from : mime-version : to : cc : subject : references : in-reply-to : content-type : content-transfer-encoding : date : from : subject; bh=eqlNbrNGYgESEN/Mr/XFAdS7jVXBrLZaeLO2flb7fn4=; b=faAX6NCMAPZMgN7HgcOahKHYO/xV6iIE9mxkyuyzMNh2o1rwnBLfPf8X zvK4yuBag39kTo2mtrA+w0vdtURzM3XQy/0Mn7dlOlfEBy5PFt1Yq8kyYc gwlMvsSP+W7QVoF5JMDwifeEcSHSxxlFI2cWCKXlSKNvtUKpQYO1giwu0=
Received: by fame.vanrein.org (Postfix, from userid 1006) id 128A82568B; Mon, 27 Jan 2020 12:02:38 +0000 (UTC)
Received: from airhead.local (phantom.vanrein.org [83.161.146.46]) by fame.vanrein.org (Postfix) with ESMTPA id 4AB0D2549A; Mon, 27 Jan 2020 12:02:34 +0000 (UTC)
Message-ID: <5E2ED158.1030909@openfortress.nl>
Date: Mon, 27 Jan 2020 13:02:32 +0100
From: Rick van Rein <rick@openfortress.nl>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: James Fuller <jim@webcomposite.com>
CC: Austin Wright <aaa@bzfx.net>, "HTTPbis WG (IETF)" <ietf-http-wg@w3.org>
References: <5E2B76EC.5000300@openfortress.nl> <BB50C7B7-3861-4054-AFB7-6F1C287AFEE6@gmail.com> <5E2C2039.7080303@openfortress.nl> <0bb7f153-57ea-7cb4-59e2-26ee2e41d928@treenet.co.nz> <5E2C4738.8010609@openfortress.nl> <alpine.DEB.2.20.2001251614520.15685@tvnag.unkk.fr> <5E2C65D7.7030408@openfortress.nl> <4859592D-1B93-49E0-9661-5E24FDAC276F@bzfx.net> <5E2D630A.604@openfortress.nl> <CAEaz5mtYyvei8wxb4_1H36N2PkrU+-47uqn2KtitqMtd9LRwsQ@mail.gmail.com>
In-Reply-To: <CAEaz5mtYyvei8wxb4_1H36N2PkrU+-47uqn2KtitqMtd9LRwsQ@mail.gmail.com>
X-Enigmail-Version: 1.2.3
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bogosity: Unsure, tests=bogofilter, spamicity=0.520000, version=1.2.4
X-CMAE-Envelope: MS4wfCcAeiKoS4vme0DzoOqkUF6/G1lnFjhS88SUfkGvdZSPkFPm/fmvrsE4Kx7ps7XvJhDRPP4nDmT/LTgQwAE3eY9yw6UjjjK9sFZitWHPWqPqxciIwIaw qvKicCbhLkVbWlnzRVRANHIsyoeOMTB1juAUc/NvQy0EyNVn5dKOxMlwZ1jLpI6FPpuWUL8iZ4/1ug==
Received-SPF: pass client-ip=194.109.24.22; envelope-from=rick@openfortress.nl; helo=lb1-smtp-cloud9.xs4all.net
X-W3C-Hub-Spam-Status: No, score=-4.8
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1iw36T-00021f-LD 6bd9ea94b2faf0bdb536b4bcc8f85993
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Adding user@ to HTTP[S] URIs
Archived-At: <https://www.w3.org/mid/5E2ED158.1030909@openfortress.nl>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/37293
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Hi James,

Thanks for your cautious response.

> If I understood correctly, what is being proposed is instead of (using
> prev response examples):

Not instead of, but in addition to.  I have no quarrel with existing
habits, I just want also be able to express things with more semantics,
with broader validity.

The treatment of user identities does not add something that cannot also
be done under other conventions.  However, these other conventions are
local, and tighten the relations between parties and reduce the
opportunity for automation, for being systematic, for solving things
over a broad range.

My angle on this is from architecting an identity model that spans more
protocols than just the web.  Every time I look at HTTP, it seems to
have invented its own wheels and not be willing to mingle with the other
protocols.  That is the kind of problem for which I would like to have
handle bars, instead of being forced into local conventions that are
meaningful to a server but leave the client unaware of meaning.

> what a URI can and cannot be (or should be) is a minefield with
> respect to specifications vs what we have in the 'real world'

I suppose the question is if there is any concrete mine below the lines
I've written.  There are surely problems but I wonder if any apply here.

> I think I completely understand the rationale for your proposal ...
> just 'old man cranky' on the reality of adopting such a change.

I think a proposal that creates new corners for use of HTTP is helpful
on its own.  The risk, if we only look at overall domination, is that we
enslave ourselves to a few very large corporations and basically give up
our control over Internet technology.  Said the innovator, who also
happens to be old :)

> The userinfo section is optional with scope and context related to the
> denoted host ... as prev mentioned should not be transmitted.

Should not be transmitted as part of the Host header, indeed.  I also
found that everyone is welcome to define a new header :)

> Then I wonder what should happen when User: Mary1 has an authorisation
> with user="mary" ... having such drift may confuse things.

In the example I gave, they are identities from different name spaces;
and they are linked by the server, presumably through some kind of ACL.
That ACL would say things like "Mary1" is the resource being addressed,
and it accepts/rejects users who authenticated as "mary".  ACLs tend to
be pretty accurate in linking resources and users ;-)

This decoupling is at the heart of my reasoning.  It makes sense in most
of the protocols, but HTTP has, probably due to Basic/Digest
authentication, gotten them mixed up.

> It is not obvious how this change might affect idempotency eg. what
> happens when Mary gets a different document then John based on routing
> with the new User: header.

Idempotency means that doing the same thing again has no added effect.
What does that mean here?

> Existing servers, clients, cache (middle
> box or otherwise) may have to cater for this change.

Please let me know if the cache solution in the proposal is incomplete.
 Please let me know if the statement that a server may ignore the User:
header (and presumably present a fallback page) is insufficient.  Please
let me know whatever concrete issue you are seeing that I missed!

> URI's are 'forever' and used in a lot (a lot) of different places ...

I think this is your assumption that I would abolished existing
patterns.  Far be it from me to stop anyone from doing anything that
they have grown accustomed to, or fallen in love with.  I would however
like to have an alternative path that offers more semantics, and that
may very well be an alias to the existing practice.  (I actually coded
the User: header into Apache's mod_userdir as an alias.)

> (no doubt due to my own ignorance) I struggle to see the benefits over
> using existing 'machinery' and there maybe 'dragons' ...

Please introduce me to any dragons you encounter; this caution alone
does not seem cause for action yet.

Thanks,
 -Rick

v2.23.0 | Report a Bug | By Email