(keitai-l) Re: defining feature

From: Eric Hildum <Eric_Hildum_at_itochu.net>
Date: 10/19/00
Message-ID: <B6138559.1F0A%Eric_Hildum@itochu.net>

Note the keyword generic - it specifically does not replace the protocol
specific portions of 1738 and 1808.

Eric Hildum


> From: "Craig Dunn \(Chiizu\)" <craig@chiizu.com>
> Reply-To: keitai-l@appelsiini.net
> Date: Thu, 19 Oct 2000 10:37:24 +1000
> To: <keitai-l@appelsiini.net>
> Subject: (keitai-l) Re: defining feature
> 
> http://www.ietf.org/rfc/rfc2396.txt?number=2396
> RFC2396 (August '98) "revises and replaces the generic definitions in RFC
> 1738 and RFC 1808" and also addresses the questions from the list.
> 
> ...
> §3.2.2
> Some URL schemes use the format "user:password" in the userinfo
> field. This practice is NOT RECOMMENDED, because the passing of
> authentication information in clear text (such as URI) has proven to
> be a security risk in almost every case where it has been used.
> ...
> §G.2
> The "user:password" form in the previous BNF was changed to a
> "userinfo" token, and the possibility that it might be
> "user:password" made scheme specific. In particular, the use of
> passwords in the clear is not even suggested by the syntax.
> ...
> 
> So yes, the user:password syntax is not secure; but yes it is valid syntax
> in HTTP (I think, for Basic Authentication at least) and shouldn't break the
> gateway or browser.
> 
> Craig
> 
Received on Thu Oct 19 02:44:11 2000
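The cleartext-credential risk that RFC 2396 §3.2.2 describes in the quoted text is easiest to handle wherever URIs get written to logs, tickets or error messages. The following Python is an added example, not code from either poster or from the IETF: it splits a URI with the regular expression given in RFC 2396 Appendix B, reports whether the userinfo component carries the "user:password" form, and redacts the password before the URI is recorded. The function names and the sample URIs are this example's own.

```python
import re

# Regular expression for splitting a URI into its generic components,
# taken from RFC 2396, Appendix B.  Group numbers:
#   2 = scheme, 4 = authority, 5 = path, 7 = query, 9 = fragment
_URI_RE = re.compile(
    r"^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?"
)


def split_uri(uri):
    """Return (scheme, authority, path, query, fragment); absent parts are None."""
    m = _URI_RE.match(uri)
    return m.group(2), m.group(4), m.group(5), m.group(7), m.group(9)


def split_authority(authority):
    """Split a server-based authority into (userinfo, hostport).

    userinfo is None when the authority has no '@'.  The split is on the
    last '@' because the hostport part cannot contain one.
    """
    if authority is None:
        return None, None
    if "@" not in authority:
        return None, authority
    userinfo, hostport = authority.rsplit("@", 1)
    return userinfo, hostport


def embedded_credentials(uri):
    """Detect the 'user:password' userinfo form RFC 2396 advises against.

    Returns (user, password) for that form, (user, None) when userinfo has
    no ':' (user only), and None when there is no userinfo at all.
    """
    _, authority, _, _, _ = split_uri(uri)
    userinfo, _ = split_authority(authority)
    if userinfo is None:
        return None
    if ":" in userinfo:
        user, password = userinfo.split(":", 1)
        return user, password
    return userinfo, None


def redact_userinfo(uri, placeholder="REDACTED"):
    """Return the URI with any password in userinfo replaced by a placeholder.

    Call this before a URI reaches a log line or error message so that
    cleartext credentials do not leak through those channels.
    """
    scheme, authority, path, query, fragment = split_uri(uri)
    userinfo, hostport = split_authority(authority)
    if userinfo is None or ":" not in userinfo:
        return uri  # nothing sensitive to hide
    user = userinfo.split(":", 1)[0]
    # Reassemble from the same components we took apart.
    out = ""
    if scheme is not None:
        out += scheme + ":"
    out += "//" + user + ":" + placeholder + "@" + hostport
    out += path or ""
    if query is not None:
        out += "?" + query
    if fragment is not None:
        out += "#" + fragment
    return out


if __name__ == "__main__":
    # Constructed sample URIs (not real hosts or credentials).
    samples = [
        "http://alice:s3cret@example.com/path?x=1#f",
        "ftp://bob@example.com/pub/",
        "http://example.com/",
    ]
    for s in samples:
        print(embedded_credentials(s), "->", redact_userinfo(s))
```

The Appendix B expression is deliberately permissive (it splits any string into the five generic parts without validating them), which is what you want for a redaction step: a malformed URI that a stricter parser would reject still gets its password masked before it is logged.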