Re: Adding user@ to HTTP[S] URIs
Rick van Rein <rick@openfortress.nl> Mon, 27 January 2020 13:38 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D304312004E for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 27 Jan 2020 05:38:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.751
X-Spam-Level:
X-Spam-Status: No, score=-2.751 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=openfortress.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HZjAST2e3Jb9 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 27 Jan 2020 05:38:13 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [IPv6:2603:400a:ffff:804:801e:34:0:38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E78FB120041 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 27 Jan 2020 05:38:12 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.89) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1iw4YB-0003UZ-Ep for ietf-http-wg-dist@listhub.w3.org; Mon, 27 Jan 2020 13:35:35 +0000
Resent-Date: Mon, 27 Jan 2020 13:35:35 +0000
Resent-Message-Id: <E1iw4YB-0003UZ-Ep@frink.w3.org>
Received: from mimas.w3.org ([2603:400a:ffff:804:801e:34:0:4f]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <rick@openfortress.nl>) id 1iw4Y9-0003To-L2 for ietf-http-wg@listhub.w3.org; Mon, 27 Jan 2020 13:35:33 +0000
Received: from lb3-smtp-cloud9.xs4all.net ([194.109.24.30]) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <rick@openfortress.nl>) id 1iw4Y7-0006OS-4f for ietf-http-wg@w3.org; Mon, 27 Jan 2020 13:35:33 +0000
Received: from popmini.vanrein.org ([83.161.146.46]) by smtp-cloud9.xs4all.net with ESMTP id w4Y1iLSDNT6sRw4Y2i89sa; Mon, 27 Jan 2020 14:35:26 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=openfortress.nl; i=rick@openfortress.nl; q=dns/txt; s=fame; t=1580132116; h=message-id : date : from : mime-version : to : cc : subject : references : in-reply-to : content-type : content-transfer-encoding : date : from : subject; bh=BalwMpExosCDip4BssN26OgAjkKpyTWciknZsqSTMRE=; b=PEkdoQFmCjLJ/IorKwmiaKwPMxG+5y91oIf24y+J8R3LDMItIcJ45y/T EvQJ4HPMXoKbbWMxpqCR/PdysEEpiA7gu5hEpDDGZzvkXyrKWD/uFY7Rn7 v8enOjZZ58PzxEGUivLGUXkoDzLC6WbITmivq+d5ATJPCLh/FA4V4cgfI=
Received: by fame.vanrein.org (Postfix, from userid 1006) id 9B904253CB; Mon, 27 Jan 2020 13:34:58 +0000 (UTC)
Received: from airhead.local (phantom.vanrein.org [83.161.146.46]) by fame.vanrein.org (Postfix) with ESMTPA id 3315B251F9; Mon, 27 Jan 2020 13:34:58 +0000 (UTC)
Message-ID: <5E2EE701.5080003@openfortress.nl>
Date: Mon, 27 Jan 2020 14:34:57 +0100
From: Rick van Rein <rick@openfortress.nl>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: Daniel Stenberg <daniel@haxx.se>
CC: James Fuller <jim@webcomposite.com>, Austin Wright <aaa@bzfx.net>, "HTTPbis WG (IETF)" <ietf-http-wg@w3.org>
References: <5E2B76EC.5000300@openfortress.nl> <BB50C7B7-3861-4054-AFB7-6F1C287AFEE6@gmail.com> <5E2C2039.7080303@openfortress.nl> <0bb7f153-57ea-7cb4-59e2-26ee2e41d928@treenet.co.nz> <5E2C4738.8010609@openfortress.nl> <alpine.DEB.2.20.2001251614520.15685@tvnag.unkk.fr> <5E2C65D7.7030408@openfortress.nl> <4859592D-1B93-49E0-9661-5E24FDAC276F@bzfx.net> <5E2D630A.604@openfortress.nl> <CAEaz5mtYyvei8wxb4_1H36N2PkrU+-47uqn2KtitqMtd9LRwsQ@mail.gmail.com> <5E2ED158.1030909@openfortress.nl> <alpine.DEB.2.20.2001271319120.18042@tvnag.unkk.fr> <5E2ED7B0.6040606@openfortress.nl> <alpine.DEB.2.20.2001271333070.18042@tvnag.unkk.fr>
In-Reply-To: <alpine.DEB.2.20.2001271333070.18042@tvnag.unkk.fr>
X-Enigmail-Version: 1.2.3
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bogosity: Unsure, tests=bogofilter, spamicity=0.520000, version=1.2.4
X-CMAE-Envelope: MS4wfGvJqfteGXIcU2cv/hG6r8vZCn13czwvvgZ4VVoxTNGImqJK9oM6Kh4XUlXmkSTg9BqkGe6mDUgPOIEu1lUtWhdHlTD8UnqAh5jMF5aEktzNkAW+W7rN KSnfu0ELQ6TMT2MvUkrnwAimj5BOTVWXBIDt0Z7Hi1p7gUigo+46XHwlOxRpw+W2WeG/zIH6a/0a6w==
Received-SPF: pass client-ip=194.109.24.30; envelope-from=rick@openfortress.nl; helo=lb3-smtp-cloud9.xs4all.net
X-W3C-Hub-Spam-Status: No, score=-2.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, PDS_OTHER_BAD_TLD=1.914, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1iw4Y7-0006OS-4f 758a60ad1c1bac47e358fe9a7bc6b729
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Adding user@ to HTTP[S] URIs
Archived-At: <https://www.w3.org/mid/5E2EE701.5080003@openfortress.nl>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/37301
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Hey, I think compatibility with the Basic/Digest pattern is actually quite easy. > >> >> Browsers have no consistency in this usage pattern, so this is >> definately a niche. > > > Yes, but a niche with potentially a large amount of users. Let's split those hairs; there is a clear distinction: 1. https://john:password@my.lovely.site 2. https://john@my.lovely.site The 1. form is deprecated in RFC 3986 but, like so often, is popular for quickfixes (that then to roll into production). It is clearly different from the 2. form because of the (RFC-abolished) colon. The 2. form is less useful for password-based access with Curl, I'd say. It would start user interaction, which is pretty much what the 1. form wants to avoid. This is perfectly suitable for the User: header, which never includes a colon. If the 2. form is initially passed as User: header, the server either recognises it and its ACL triggers the Basic/Digest interaction, or the server does not recognise it, detects lacking authorisation and explicitly triggers HTTP authentication, for instance Basic/Digest interaction. This is for servers that want authorisation; what the User: header enables extra is to use the user name as a part of the resource location. You suggested it the other way around, which is certainly not workable in general; I tried that. Also, it mixes up authentication and resource selection, which the modified form of the previous paragraph does not do. If I didn't overlook things here, the two usage patterns can co-exist. That means that the option to distinguish the forms may not even be necessary, as long as the Basic/Digest submission may be part of a 2nd round after being challenged. It is up to the client whether it asks for a password if that happens, and whether the user can still change the uid from "sales" into "mary" (to reference the I-D example). Cheers, -Rick
- Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Michael Toomim
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Amos Jeffries
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Daniel Stenberg
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Paul Vixie
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Julian Reschke
- Re: Adding user@ to HTTP[S] URIs James Fuller
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Amos Jeffries
- Re: Adding user@ to HTTP[S] URIs Matthew Kerwin
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Daniel Stenberg
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Julian Reschke
- Re: Adding user@ to HTTP[S] URIs Daniel Stenberg
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Daniel Stenberg
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Amos Jeffries
- Re: Adding user@ to HTTP[S] URIs Willy Tarreau
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Rick van Rein
- Re: Adding user@ to HTTP[S] URIs Rick van Rein