Re: revised "generic syntax" and "data:" internet drafts

Larry Masinter <masinter@parc.xerox.com> Fri, 04 April 1997 01:09 UTC

Received: from cnri by ietf.org id aa23616; 3 Apr 97 20:09 EST
Received: from services.Bunyip.Com by CNRI.Reston.VA.US id aa24626; 3 Apr 97 20:09 EST
Received: (from daemon@localhost) by services.bunyip.com (8.8.5/8.8.5) id TAA16011 for uri-out; Thu, 3 Apr 1997 19:51:46 -0500 (EST)
Received: from mocha.bunyip.com (mocha.Bunyip.Com [192.197.208.1]) by services.bunyip.com (8.8.5/8.8.5) with SMTP id TAA16006 for <uri@services.bunyip.com>; Thu, 3 Apr 1997 19:51:43 -0500 (EST)
Received: from alpha.Xerox.COM by mocha.bunyip.com with SMTP (5.65a/IDA-1.4.2b/CC-Guru-2b) id AA25873 (mail destined for uri@services.bunyip.com); Thu, 3 Apr 97 19:51:41 -0500
Received: from casablanca.parc.xerox.com ([13.2.16.111]) by alpha.xerox.com with SMTP id <19023(4)>; Thu, 3 Apr 1997 13:53:34 PST
Received: from bronze.parc.xerox.com ([13.1.100.114]) by casablanca.parc.xerox.com with SMTP id <72043>; Thu, 3 Apr 1997 13:53:28 PST
Message-Id: <334426D5.600F@parc.xerox.com>
Date: Thu, 03 Apr 1997 13:53:25 -0800
From: Larry Masinter <masinter@parc.xerox.com>
Reply-To: masinter@parc.xerox.com
Organization: PARC
X-Mailer: Mozilla 3.01Gold (Win95; I)
Mime-Version: 1.0
To: Chris Newman <Chris.Newman@innosoft.com>
Cc: IETF URI list <uri@bunyip.com>, ietf-url@imc.org
Subject: Re: revised "generic syntax" and "data:" internet drafts
References: <Pine.SOL.3.95.970402171120.2607A-100000@eleanor.innosoft.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-uri@bunyip.com
Precedence: bulk

Chris,

I use cleartext passwords all the time, for things that aren't
actually 'secret'. I can't see dropping something from the generic
syntax which is deployed and widely used, when it WAS in the
proposed standard. I do believe that the security considerations
should be explicit about when it is and isn't appropriate to
rely on that feature.

> > > I think the ":<password>" should be removed from the default Internet
> > > component.  Otherwise you encourage plaintext passwords (people will use
> > > them anyway if really necessary).
> > 
> > This isn't the "default" Internet component, it is the "generic" Internet
> > component. And the security considerations section says:
> > 
> >    It is clearly unwise to use a URL that contains a password which is
> >    intended to be secret.
> > 
> > Need it say more?
> 
> No.  It needs to say less.  Don't even bother suggesting a syntax for
> cleartext passwords -- it's not useful in the "generic" case.

There is no "generic" case. There is a generic syntax, and then
there are instances of the generic syntax. Cleartext passwords
are useful in some instances and dangerous (but presumably also
useful) in others.

I think it is important to separate syntax and semantics from
rules about applicability and advice about use. 
--
http://www.parc.xerox.com/masinter
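The point argued above is that the `user:password@host` form stays in the generic syntax while the security considerations tell implementers when relying on it is unwise. What a defender actually needs from that is the ability to recognise the `:<password>` part of the userinfo component and keep it out of logs and audit trails. The following is an added example written for this page; it is not code from the thread, from Larry Masinter, or from any IETF draft. It uses only Python's standard library; the function names (`split_userinfo`, `redact_password`, `scrub_log_line`, `find_password_bearing`) and every sample URL and log line are constructed for illustration.

```python
"""
Added example (not from the thread or any IETF draft): recognising and
redacting the generic syntax's optional ":<password>" in the userinfo
component, from the defender's side. Standard library only.
"""
import re
from urllib.parse import urlsplit

# Constructed sample URLs covering the userinfo forms the thread argues about.
SAMPLE_URLS = [
    "ftp://anonymous:me@example.org/pub/file.txt",         # password that is not actually secret
    "http://alice:s3cret@example.org:8080/private?x=1#f",  # the "clearly unwise" case
    "http://alice@example.org/",                           # user only, no ':' in userinfo
    "http://example.org:8080/path",                        # no userinfo; ':8080' is a port
]


def split_userinfo(url):
    """Return (user, password, has_password) for the URL's userinfo component.

    password is '' when the URL reads 'user:@host' (present but empty);
    has_password is False when the userinfo contains no ':' at all, and
    both user and password are None when there is no userinfo.
    """
    netloc = urlsplit(url).netloc
    if "@" not in netloc:
        return None, None, False
    # '@' is reserved inside userinfo, so the last '@' separates it from host[:port].
    userinfo, _hostport = netloc.rsplit("@", 1)
    user, sep, password = userinfo.partition(":")
    return user, (password if sep else None), bool(sep)


def has_embedded_password(url):
    """True if the URL carries a ':<password>' in its userinfo."""
    return split_userinfo(url)[2]


def find_password_bearing(urls):
    """Audit helper: return the subset of urls that embed a password."""
    return [u for u in urls if has_embedded_password(u)]


def redact_password(url, mask="***"):
    """Return url with the userinfo password replaced by mask.

    The username, host, port, path, query and fragment are left intact so
    the redacted form is still useful for troubleshooting.
    """
    netloc = urlsplit(url).netloc
    if "@" not in netloc:
        return url
    userinfo, hostport = netloc.rsplit("@", 1)
    user, sep, _password = userinfo.partition(":")
    if not sep:
        return url  # user-only userinfo, nothing to hide
    new_netloc = f"{user}:{mask}@{hostport}"
    # netloc occurs exactly once in a well-formed URL, right after '://'.
    return url.replace(netloc, new_netloc, 1)


# Matches 'scheme://user:password@' embedded in free text (log lines, tracebacks).
# Group 1 keeps 'scheme://user:', group 2 keeps the '@'; the password between is dropped.
_URL_CRED_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*://[^\s/?#@:]+:)[^\s/?#@]*(@)")


def scrub_log_line(line, mask="***"):
    """Mask every user:password@ occurrence in a log line before it is written."""
    return _URL_CRED_RE.sub(lambda m: m.group(1) + mask + m.group(2), line)


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{has_embedded_password(u)!s:5}  {redact_password(u)}")
    # Constructed log line, as an access log might record a fetched URL.
    print(scrub_log_line("GET http://alice:s3cret@example.org:8080/private 200"))
```

`split_userinfo` distinguishes the three cases the syntax allows (no userinfo, user only, user with a possibly empty password) because the security advice only applies to the last one; `scrub_log_line` is the piece to wire in front of any logger that may see raw URLs, since a host name followed by a port (`example.org:8080`) has the same `name:digits` shape as `user:password` and must not be mangled.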