hello,
draft link: https://datatracker.ietf.org/doc/draft-soni-auth-uri/
we discussed this in the DISPATCH session, and the outcome was that we
should discuss it here.
so, to re-state our goal, we want to get rid of userinfo altogether, not
just in http but in... just about everything really. but we know we
can't "just" do that, we have to acknowledge where it's still used,
provide alternatives, and all that stuff... (particularly databases and
ORMs, whose connect method often just takes a single string where you're
supposed to just embed authentication details...)
and there were comments saying we can't get rid of it. we like to think
that's not entirely true, but it would take a lot of work, and some
churn, to get there. importantly, the inconsistencies we brought up
(or... we'd rather call them footguns, especially for those working on
new URI schemes) don't just apply to individual apps but also to
interactions between apps (granted, our proposal is also pretty explicit
about getting in the way of interactions between apps, but at least you
can't attempt to repurpose our proposal because - unlike userinfo - one
of the things it does is decouple the concepts of authentication from
the target URI scheme).
we do see that our proposal can't actually restrict userinfo in the
embedded URI, at least as per RFC 8820, section 2.2
https://www.rfc-editor.org/rfc/rfc8820#name-uri-authorities (not to be
confused with section 2.1 (we feel sorry for the correspondent on the
ART list who kept telling us to look at section 2.1 in increasing
frustration...)), and... well, browsers are certainly not complying with
that because they absolutely do strip userinfo from arbitrary
(non-http(s)) URIs. but aside from that it just means we might have to
change either our proposal, BCP 190, or maybe RFC 3986? not entirely
sure about that last one.
(also, we just realized, looking over RFC 3986 again... it only
deprecates "user:password", despite the clear acknowledgement of
semantic attacks involving just the username portion (the provided
example doesn't use the "user:password" format). why is that?)
thanks! (and apologies for the delay, anxiety is hard)
(p.s.: so if we're understanding correctly WIT is for URIs as in the
generic syntax, and ART is for URI schemes? we would appreciate
clarification on this.)
--
plural system (tend to say 'we'), it/she/they, it instead of you
--
Witarea mailing list -- [email protected]
To unsubscribe send an email to [email protected]
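Editor's added example (not part of the message above, the draft, or any IETF text): a small Python script showing what a generic-syntax parser actually makes of a userinfo-carrying authority, and the "pass credentials out of band" alternative the message asks URI-consuming code to provide. The sample URIs are constructed for this example; the first is modelled on the semantic-attack URI in RFC 3986 section 7.6, the second imitates the single-string database URL an ORM connect() method typically accepts. The function names are this example's own. It uses only the standard library's urllib.parse, which follows the generic syntax (host is whatever follows the last "@"); it does not model what a browser does with the same string.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Constructed sample URIs (not taken from the message or the draft).
# SAMPLES[0] is modelled on the RFC 3986 section 7.6 semantic-attack example:
# a human reads "cnn.example.com", the parser connects to 10.0.0.1.
# SAMPLES[1] imitates the single-string database URL an ORM connect() accepts.
SAMPLES = [
    "ftp://cnn.example.com&story=breaking_news@10.0.0.1/top_story.htm",
    "postgresql://alice:s3cret@db.example.internal:5432/app",
    "https://www.example.com/path?x=1",
]


def split_authority(uri: str) -> dict:
    """Return what a generic-syntax parser makes of the authority component.

    The host is whatever follows the LAST '@' in the authority; everything
    before it is userinfo, however much it resembles a hostname.
    """
    parts = urlsplit(uri)
    userinfo = parts.netloc.rpartition("@")[0] if "@" in parts.netloc else None
    return {
        "scheme": parts.scheme,
        "userinfo": userinfo,
        "username": parts.username,
        "password": parts.password,
        "host": parts.hostname,
        "port": parts.port,
    }


def has_userinfo(uri: str) -> bool:
    """True when the authority carries any userinfo at all.

    A bare 'user@' counts, not only the 'user:password@' form that
    RFC 3986 deprecates.
    """
    return "@" in urlsplit(uri).netloc


def strip_userinfo(uri: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Separate embedded credentials from the target URI.

    Returns (uri_without_userinfo, username, password) so the caller can
    hand the credentials to the connection API separately instead of
    leaving them in the URI string (the alternative to a single connect
    string that the message asks for).
    """
    parts = urlsplit(uri)
    if "@" not in parts.netloc:
        return uri, None, None
    host_port = parts.netloc.rpartition("@")[2]
    cleaned = urlunsplit(
        (parts.scheme, host_port, parts.path, parts.query, parts.fragment)
    )
    return cleaned, parts.username, parts.password


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample)
        print("  parsed as :", split_authority(sample))
        print("  stripped  :", strip_userinfo(sample))
```

Running it shows the point the message makes about the username-only case: SAMPLES[0] has no password at all, yet the parser treats "cnn.example.com&story=breaking_news" as userinfo and connects to 10.0.0.1. A consumer that only rejects the "user:password" form would let that URI through; has_userinfo() rejects it, and strip_userinfo() gives code that still has to accept such strings a way to move the credentials out of the URI.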