IETF Logo Mail Archive

Re: Adding user@ to HTTP[S] URIs

Amos Jeffries <squid3@treenet.co.nz> Mon, 27 January 2020 15:11 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27A501208B9 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 27 Jan 2020 07:11:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.652
X-Spam-Level:
X-Spam-Status: No, score=-2.652 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IKNUD4xmTmF4 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 27 Jan 2020 07:11:48 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [IPv6:2603:400a:ffff:804:801e:34:0:38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4445C12088A for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 27 Jan 2020 07:11:48 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.89) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1iw61d-0000l5-Qn for ietf-http-wg-dist@listhub.w3.org; Mon, 27 Jan 2020 15:10:05 +0000
Resent-Date: Mon, 27 Jan 2020 15:10:05 +0000
Resent-Message-Id: <E1iw61d-0000l5-Qn@frink.w3.org>
Received: from titan.w3.org ([2603:400a:ffff:804:801e:34:0:4c]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <squid3@treenet.co.nz>) id 1iw61b-0008GC-JD for ietf-http-wg@listhub.w3.org; Mon, 27 Jan 2020 15:10:03 +0000
Received: from [116.251.193.116] (helo=treenet.co.nz) by titan.w3.org with esmtp (Exim 4.92) (envelope-from <squid3@treenet.co.nz>) id 1iw61a-0007b4-0l for ietf-http-wg@w3.org; Mon, 27 Jan 2020 15:10:03 +0000
Received: from [192.168.20.251] (unknown [121.98.62.26]) by treenet.co.nz (Postfix) with ESMTPA id 2DAA73000D2 for <ietf-http-wg@w3.org>; Tue, 28 Jan 2020 04:09:33 +1300 (NZDT)
To: ietf-http-wg@w3.org
References: <5E2B76EC.5000300@openfortress.nl> <BB50C7B7-3861-4054-AFB7-6F1C287AFEE6@gmail.com> <5E2C2039.7080303@openfortress.nl> <0bb7f153-57ea-7cb4-59e2-26ee2e41d928@treenet.co.nz> <5E2C4738.8010609@openfortress.nl> <alpine.DEB.2.20.2001251614520.15685@tvnag.unkk.fr> <5E2C65D7.7030408@openfortress.nl> <4859592D-1B93-49E0-9661-5E24FDAC276F@bzfx.net> <5E2D630A.604@openfortress.nl> <CAEaz5mtYyvei8wxb4_1H36N2PkrU+-47uqn2KtitqMtd9LRwsQ@mail.gmail.com> <5E2ED158.1030909@openfortress.nl>
From: Amos Jeffries <squid3@treenet.co.nz>
Autocrypt: addr=squid3@treenet.co.nz; prefer-encrypt=mutual; keydata= mQINBFiOEzoBEADuuawHiMOqHBjL5Mk6IfPCgJmY3oqJDmykzve+vDh7jArtFnOG067ftaML ligGh3y6LOLh3r1kIZ254CPHuKFYssA1p9mXL9YJnZ1qHrQVhqZwDq7dH/UtBQ2IM1QukoTo 1VRTB3ppiPHKTSa2zZ/kgBs0d+1MOi8DY2SmIDYVhUJI55qSqpxlcs6MyG4KxlEPD35J3nL4 hIzLzuzIbZoUO6M+dLvnqiFu2+mm6o75nxYmq+JCPwN5biETkSvndqr56t/W0ajlU1MpFXfO YJ8PfutrIBUPsRJUqWQjGg6uXp4torC1q2XasfSKVIQ+8duw7MCrkAfRv5BtDtpesAAsScvY TwUaDYVioiNNK1uJQZlrpYY4I0EbHI4GHKq7Q4VmotcQ2BhigqRIdh7kD3corddhlLTvTs0G 5Pjk/T2ZoMFZI03g+ieuo1l8VhCGdlqSQd8d1Np9WWwS9899QSgucwEeG+OK2f1IxxD12HiC gNoSh9id9vTYLTZK+HM1FEu+iwTxfQ9F/kDN49IaPhfvjJTs86Ov4FBTtaNUN2pF0qXpQr3A RisxZt7t7MVls+570sNnaijYYkLZdZj+49QArJxallltX3sbc9AK5JxkT8XivRCeLTKOngZE zIZCBeZuyI8cCemhU0csl89ZcORbMsgFS28FyWH4+X6lA+R5HQARAQABtCJBbW9zIEplZmZy aWVzIDxhbW9zQHRyZWVuZXQuY28ubno+iQJOBBMBCAA4FiEEAimzwkzOwlQSfJUyANhjZ5Qg vdMFAliOEzoCGwMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQANhjZ5QgvdOKkhAAseag 7QTzRF20TDwc6QQpfYdUyuuMqyEV3AwATtJxF2Y+aF/hEHXU9XBCM8EMyiJR816haC+86Wci 0cXYj7pmR80psR9C6JoaNos89CrgsmMx9tZR5yJXrdTCnQajbZf3ozs7IDk41g4NvWg5GtHM 3MYriL0LUBXLT+YSZ9Qq2DmRZRatCjk6tiMYeHG/GtH6GZs3YExRO9Am16C1gTJRao9mJtCB DR+0NrRB2E7tKN8EZySAsZkDzbL+hL/LpdWkEZvlBsSxJebAN0x64w3FSztHGfZwLfLsxdva 6CfYs8kalHoTxRoRhpIKmTtGFJI4v9cR0+Ua5trMPgHG2QIOgXOKtOTgdYF5ksA98ZF+Odsu W7yCe9POqc4bnDbOXByxVuNMPwVSESk/GJwnxRB2vW4nywQKREJ2H6HeDO+KVhLE9nH5Alsp XpEgPpzYVeplhcKKi6H56bI0anIHvao7vEEXNP2pwRWSoMKEwGWGG7QvmemQ0YbsUqJSK563 SwNe5cVUg/Cqb08m7D9ybAm+hwgtvzU7OGsLyIHuyVxnGkB5A1GV1lizUmsFauBxyw8Yx6Gm wfmsiwEVYV/lidg+ubnsxqN7Kuvg9gYRvv+Yg1wl1QFRgeOFjbU8hj/AaNAP9SppHcA5joBe kakQx18Y6LIKKvdoepDg3mFXrOouo8i5Ag0EWI4TOgEQAMmEISQmHDde0q2YfyeA8MKejHlt 5vCldKYwtaN5ii077vJaNrQk9Q8Iym6ro0plAdtLDTzyQCATWUctF6B0VowB4/LqF40U4g+u NAj7fzC/mVvSIG42diN0pJYkcfd9ghVcF7H5CeYe2zL3TlqilqQA6Xmt6i7NmYUMO939jw7V ZszMHlqvDTUzcimKrTVB7oS3+r5v1GGT3q+utrxka3WoQ3IHnidsylbTfF+dlRsvtKWxtg8k mTgu/oj1CmUE0DQh67kXsiC3nhjdUh+eZfDGmLuOGgVAWU/WNCS3oaVxVXW3rX/nUc+URkiO CuxyPjBy+A8Z+I8OXpIaC6FQY9sCFVo7yK4UxsK+eM93mWGIc5cGBL99vr+7YgZ3TBjYrazL O5Z8wyw765G1U3dPZB+egRMEY5CO64eb78f7vbRl8/INZWdkJxcotR4weGnvOxxDHyncS3BT Su6iiqmXSz0ZDpaOdCMNDHE6Kmt1qw2NbuGUHohqg2K8+1mWnXwevS0afydoG7EX0AuE1YEf kODsek8ceFj4U2c1jlOQbuO01pHa6Z9VYn5NOwXETlIytjDyBt15R7Tt1BQQg7wU482a5SSl wXYyzOx42a2CLvZM2tXnbIY4VZDu+V1ywXNMGOs8Am1LJzi74eEv2NTbvdFMmsGAkWNWn6KS 77eR+pe5ABEBAAGJAjYEGAEIACAWIQQCKbPCTM7CVBJ8lTIA2GNnlCC90wUCWI4TOgIbDAAK CRAA2GNnlCC90zeSD/9qEpJAtuEAXyCCymUEpzN6XgSWdcYra+NolIGCRzWd3SnxtBi+zWwh LFxm8AEhfqSMRh95T4XWKHScIsZZuG9xiap5whJ5xLJC/NlZidQqiPSJLog2+Yqt+PBVPrMp aG7Cmq64Y4ttvFwLZ8Wn23irJzr9JiWvsjprImsCZbuG/I1JWHUIn70oknzsTgpTPWDCfnCi GhCK7vgXak9QgBKhrzgADK3o6uCjmNllUdci9gFzUSy4/x9x73xrbzXS8/pO23fnbBwPa7VV 9IRtOb8HJJk8Y79A1ZnkVANBo1KmE+Ycw92IMcz2ev4VFw+pbqZ/swHqa3y3L5cT7Keqgc67 wiahSZRc5zM0jJWxN//lpgcdnDRI1OSLCrMMI69yc2QMzUZu87BtEJzm0DBy2pIKEni9dSCw wMITUsU21Ny3RmaV7fmXYAyp9pcaQQWGOb2CIvU7k60eLWgfNTo5SGI56WYC+ndod7vPU+sw JVbKrQKqfwO5JbdY9YPbo++Z6kfrnbkmm3wkJ4W8dOcrkLYbmOk7sColcQhVbmGy74Ggzl75 R22Q7+Uhjj9iq0Kv3CGQ3rKVdXOfAo5OekdaMDx9t9HoirGiokcyCPTy7wAyvQ75lbrygxCm e05XBfLZHrMp+SdM8ONsdgIe7U0bI85zYegceSagzCtBdB8HQ10TFg==
Message-ID: <fd02c6e8-f04e-48c0-708d-a9d11dbaba35@treenet.co.nz>
Date: Tue, 28 Jan 2020 04:09:19 +1300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.2
MIME-Version: 1.0
In-Reply-To: <5E2ED158.1030909@openfortress.nl>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=116.251.193.116; envelope-from=squid3@treenet.co.nz; helo=treenet.co.nz
X-W3C-Hub-Spam-Status: No, score=-2.8
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, RCVD_IN_RP_RNBL=1.31, RDNS_NONE=0.793, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1iw61a-0007b4-0l 310c267c75a9c1757fb5dadabe505ac3
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Adding user@ to HTTP[S] URIs
Archived-At: <https://www.w3.org/mid/fd02c6e8-f04e-48c0-708d-a9d11dbaba35@treenet.co.nz>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/37305
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On 28/01/20 1:02 am, Rick van Rein wrote:
> Hi James,
> 
> Thanks for your cautious response.
> 
>> If I understood correctly, what is being proposed is instead of (using
>> prev response examples):
> 
> Not instead of, but in addition to.  I have no quarrel with existing
> habits, I just want also be able to express things with more semantics,
> with broader validity.
> 
> The treatment of user identities does not add something that cannot also
> be done under other conventions.  However, these other conventions are
> local, and tighten the relations between parties and reduce the
> opportunity for automation, for being systematic, for solving things
> over a broad range.
> 
> My angle on this is from architecting an identity model that spans more
> protocols than just the web.  Every time I look at HTTP, it seems to
> have invented its own wheels and not be willing to mingle with the other
> protocols.

How many of those other protocols are newer than HTTP though?

RFC 3986 specification also is itself much newer than HTTP/. Back when
HTTP/1.0 was documented the URL syntax was defined by RFC 1738 which said:
"
   In general, URLs are written as follows:

       <scheme>:<scheme-specific-part>
"
...
"
3.1. Common Internet Scheme Syntax

   While the syntax for the rest of the URL may vary depending on the
   particular scheme selected, URL schemes that involve the direct use
   of an IP-based protocol to a specified host on the Internet use a
   common syntax for the scheme-specific data:

        //<user>:<password>@<host>:<port>/<url-path>

"

And then because HTTP/0.9 practices predated even this spec ...
"
   An HTTP URL takes the form:

      http://<host>:<port>/<path>?<searchpart>

...  No user name or password is allowed.
"

HTTP has a long tail of infrastructure to support. Which includes
infrastructure designed and assuming those definitions. Some following
the RFC1738 no user:password@ section requirement. Some following the
common-URI  user:password@ requirement. Some following the RFC3986
adjustments.

The RFC723* documents went back to that original RFC1738 definition to
resolve these problems and ensure best interoperability. It is unlikely
to have been long enough for that long tail of software to have churned
out of existence yet and make the field usable again. Meanwhile we have
pseudo-headers now for URL parts.


NP: I am supportive of the effort to get a standard for translating
between URL syntaxes. But worried the authors view is badly mistaken
about the situation from HTTP viewpoint.



> 
>> Then I wonder what should happen when User: Mary1 has an authorisation
>> with user="mary" ... having such drift may confuse things.
> 
> In the example I gave, they are identities from different name spaces;
> and they are linked by the server, presumably through some kind of ACL.
> That ACL would say things like "Mary1" is the resource being addressed,
> and it accepts/rejects users who authenticated as "mary".  ACLs tend to
> be pretty accurate in linking resources and users ;-)
> 
> This decoupling is at the heart of my reasoning.  It makes sense in most
> of the protocols, but HTTP has, probably due to Basic/Digest
> authentication, gotten them mixed up.
> 

I think it is probably you that have the concepts mixed up.

As you should be able to see from the above text HTTP is *old*. From a
time when userinfo@ was outright forbidden through years when it means
exclusively Basic authentication credentials. Decades when there was not
much in the way of other authentication or authorization mechanisms
existing.

It is not *wrong*, so much as it is burdened by the large amount of
historic software relying on and assuming different definitions.
Software which is still hanging around. In the Squid Project we are only
just starting to see lack of push back against removing HTTP/0.9 support
sometime later this decade - gopher and FTP are still very much alive
and well.



>> It is not obvious how this change might affect idempotency eg. what
>> happens when Mary gets a different document then John based on routing
>> with the new User: header.
> 
> Idempotency means that doing the same thing again has no added effect.
> What does that mean here?
> 

That "PUT http://john@example.com/" stores the correct document on the
server, in the correct place. Even when the server does not understand
the new header.

The client MUST NOT assume that the header works everywhere all the time.



>> Existing servers, clients, cache (middle
>> box or otherwise) may have to cater for this change.
> 
> Please let me know if the cache solution in the proposal is incomplete.
>  Please let me know if the statement that a server may ignore the User:
> header (and presumably present a fallback page) is insufficient.  Please
> let me know whatever concrete issue you are seeing that I missed!
> 

I see only use of Vary header for caching.

It would be useful to add text clarifying non-GET requests cannot depend
on the header being obeyed. Such as the above a client using PUT.


Amos

v2.23.0 | Report a Bug | By Email