IETF Logo Mail Archive

Re: Adding user@ to HTTP[S] URIs

Rick van Rein <rick@openfortress.nl> Mon, 27 January 2020 13:38 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D304312004E for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 27 Jan 2020 05:38:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.751
X-Spam-Level:
X-Spam-Status: No, score=-2.751 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=openfortress.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HZjAST2e3Jb9 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 27 Jan 2020 05:38:13 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [IPv6:2603:400a:ffff:804:801e:34:0:38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E78FB120041 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 27 Jan 2020 05:38:12 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.89) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1iw4YB-0003UZ-Ep for ietf-http-wg-dist@listhub.w3.org; Mon, 27 Jan 2020 13:35:35 +0000
Resent-Date: Mon, 27 Jan 2020 13:35:35 +0000
Resent-Message-Id: <E1iw4YB-0003UZ-Ep@frink.w3.org>
Received: from mimas.w3.org ([2603:400a:ffff:804:801e:34:0:4f]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <rick@openfortress.nl>) id 1iw4Y9-0003To-L2 for ietf-http-wg@listhub.w3.org; Mon, 27 Jan 2020 13:35:33 +0000
Received: from lb3-smtp-cloud9.xs4all.net ([194.109.24.30]) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <rick@openfortress.nl>) id 1iw4Y7-0006OS-4f for ietf-http-wg@w3.org; Mon, 27 Jan 2020 13:35:33 +0000
Received: from popmini.vanrein.org ([83.161.146.46]) by smtp-cloud9.xs4all.net with ESMTP id w4Y1iLSDNT6sRw4Y2i89sa; Mon, 27 Jan 2020 14:35:26 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=openfortress.nl; i=rick@openfortress.nl; q=dns/txt; s=fame; t=1580132116; h=message-id : date : from : mime-version : to : cc : subject : references : in-reply-to : content-type : content-transfer-encoding : date : from : subject; bh=BalwMpExosCDip4BssN26OgAjkKpyTWciknZsqSTMRE=; b=PEkdoQFmCjLJ/IorKwmiaKwPMxG+5y91oIf24y+J8R3LDMItIcJ45y/T EvQJ4HPMXoKbbWMxpqCR/PdysEEpiA7gu5hEpDDGZzvkXyrKWD/uFY7Rn7 v8enOjZZ58PzxEGUivLGUXkoDzLC6WbITmivq+d5ATJPCLh/FA4V4cgfI=
Received: by fame.vanrein.org (Postfix, from userid 1006) id 9B904253CB; Mon, 27 Jan 2020 13:34:58 +0000 (UTC)
Received: from airhead.local (phantom.vanrein.org [83.161.146.46]) by fame.vanrein.org (Postfix) with ESMTPA id 3315B251F9; Mon, 27 Jan 2020 13:34:58 +0000 (UTC)
Message-ID: <5E2EE701.5080003@openfortress.nl>
Date: Mon, 27 Jan 2020 14:34:57 +0100
From: Rick van Rein <rick@openfortress.nl>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: Daniel Stenberg <daniel@haxx.se>
CC: James Fuller <jim@webcomposite.com>, Austin Wright <aaa@bzfx.net>, "HTTPbis WG (IETF)" <ietf-http-wg@w3.org>
References: <5E2B76EC.5000300@openfortress.nl> <BB50C7B7-3861-4054-AFB7-6F1C287AFEE6@gmail.com> <5E2C2039.7080303@openfortress.nl> <0bb7f153-57ea-7cb4-59e2-26ee2e41d928@treenet.co.nz> <5E2C4738.8010609@openfortress.nl> <alpine.DEB.2.20.2001251614520.15685@tvnag.unkk.fr> <5E2C65D7.7030408@openfortress.nl> <4859592D-1B93-49E0-9661-5E24FDAC276F@bzfx.net> <5E2D630A.604@openfortress.nl> <CAEaz5mtYyvei8wxb4_1H36N2PkrU+-47uqn2KtitqMtd9LRwsQ@mail.gmail.com> <5E2ED158.1030909@openfortress.nl> <alpine.DEB.2.20.2001271319120.18042@tvnag.unkk.fr> <5E2ED7B0.6040606@openfortress.nl> <alpine.DEB.2.20.2001271333070.18042@tvnag.unkk.fr>
In-Reply-To: <alpine.DEB.2.20.2001271333070.18042@tvnag.unkk.fr>
X-Enigmail-Version: 1.2.3
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bogosity: Unsure, tests=bogofilter, spamicity=0.520000, version=1.2.4
X-CMAE-Envelope: MS4wfGvJqfteGXIcU2cv/hG6r8vZCn13czwvvgZ4VVoxTNGImqJK9oM6Kh4XUlXmkSTg9BqkGe6mDUgPOIEu1lUtWhdHlTD8UnqAh5jMF5aEktzNkAW+W7rN KSnfu0ELQ6TMT2MvUkrnwAimj5BOTVWXBIDt0Z7Hi1p7gUigo+46XHwlOxRpw+W2WeG/zIH6a/0a6w==
Received-SPF: pass client-ip=194.109.24.30; envelope-from=rick@openfortress.nl; helo=lb3-smtp-cloud9.xs4all.net
X-W3C-Hub-Spam-Status: No, score=-2.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, PDS_OTHER_BAD_TLD=1.914, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1iw4Y7-0006OS-4f 758a60ad1c1bac47e358fe9a7bc6b729
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Adding user@ to HTTP[S] URIs
Archived-At: <https://www.w3.org/mid/5E2EE701.5080003@openfortress.nl>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/37301
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Hey,

I think compatibility with the Basic/Digest pattern is actually quite easy.

>
>>
>> Browsers have no consistency in this usage pattern, so this is
>> definately a niche.
>
>
> Yes, but a niche with potentially a large amount of users.


Let's split those hairs; there is a clear distinction:

1. https://john:password@my.lovely.site

2. https://john@my.lovely.site

The 1. form is deprecated in RFC 3986 but, like so often, is popular for
quickfixes (that then to roll into production).  It is clearly
different from the 2. form because of the (RFC-abolished) colon.

The 2. form is less useful for password-based access with Curl, I'd say.
 It would start user interaction, which is pretty much what the 1. form
wants to avoid.  This is perfectly suitable for the User: header, which
never includes a colon.

If the 2. form is initially passed as User: header, the server either
recognises it and its ACL triggers the Basic/Digest interaction, or the
server does not recognise it, detects lacking authorisation and
explicitly triggers HTTP authentication, for instance Basic/Digest
interaction.  This is for servers that want authorisation; what the
User: header enables extra is to use the user name as a part of the
resource location.

You suggested it the other way around, which is certainly not workable
in general; I tried that.  Also, it mixes up authentication and resource
selection, which the modified form of the previous paragraph does not do.

If I didn't overlook things here, the two usage patterns can co-exist.
That means that the option to distinguish the forms may not even be
necessary, as long as the Basic/Digest submission may be part of a 2nd
round after being challenged.  It is up to the client whether it asks
for a password if that happens, and whether the user can still change
the uid from "sales" into "mary" (to reference the I-D example).


Cheers,
 -Rick

v2.23.0 | Report a Bug | By Email