Changeset 1157 for draft-ietf-httpbis

Timestamp:

Mar 9, 2011, 4:25:45 PM (9 years ago)

Author:

fielding@…

Message:

Discussion on list suggests that userinfo remains in common use
for configuration or command options, so it needs to be defined.
However, we can exclude it from being sent in messages.

Addresses #159

Location:

draft-ietf-httpbis/latest

Files:

• p1-messaging.html (modified) (1 diff)
• p1-messaging.xml (modified) (1 diff)

draft-ietf-httpbis/latest/p1-messaging.html

@@ -1134 +1134 @@
          — it is only the authoritative interface used for mapping the namespace that is specific to TCP.
       </p>
-      <p id="rfc.section.2.6.1.p.7">The URI generic syntax for authority also includes a deprecated userinfo subcomponent (<a href="#RFC3986" id="rfc.xref.RFC3986.15"><cite title="Uniform Resource Identifier (URI): Generic Syntax">[RFC3986]</cite></a>, <a href="http://tools.ietf.org/html/rfc3986#section-3.2.1">Section 3.2.1</a>) for including user authentication information in the URI. The userinfo subcomponent (and its "@" delimiter) <em class="bcp14">MUST NOT</em> be used in an "http" URI. URI reference recipients <em class="bcp14">SHOULD</em> parse for the existence of userinfo and treat its presence as an error, likely indicating that the deprecated subcomponent
+      <p id="rfc.section.2.6.1.p.7">The URI generic syntax for authority also includes a deprecated userinfo subcomponent (<a href="#RFC3986" id="rfc.xref.RFC3986.15"><cite title="Uniform Resource Identifier (URI): Generic Syntax">[RFC3986]</cite></a>, <a href="http://tools.ietf.org/html/rfc3986#section-3.2.1">Section 3.2.1</a>) for including user authentication information in the URI. Some implementations make use of the userinfo component for internal
+         configuration of authentication information, such as within command invocation options, configuration files, or bookmark lists,
+         even though such usage might expose a user identifier or password. Senders <em class="bcp14">MUST NOT</em> include a userinfo subcomponent (and its "@" delimiter) when transmitting an "http" URI in a message. Recipients of HTTP messages
+         that contain a URI reference <em class="bcp14">SHOULD</em> parse for the existence of userinfo and treat its presence as an error, likely indicating that the deprecated subcomponent
          is being used to obscure the authority for the sake of phishing attacks.
       </p>

draft-ietf-httpbis/latest/p1-messaging.xml

@@ -1057 +1057 @@
    The URI generic syntax for authority also includes a deprecated
    userinfo subcomponent (<xref target="RFC3986" x:fmt="," x:sec="3.2.1"/>)
-   for including user authentication information in the URI.  The userinfo
-   subcomponent (and its "@" delimiter) &MUST-NOT; be used in an "http"
-   URI.  URI reference recipients &SHOULD; parse for the existence of
-   userinfo and treat its presence as an error, likely indicating that
-   the deprecated subcomponent is being used to obscure the authority
-   for the sake of phishing attacks.
+   for including user authentication information in the URI.  Some
+   implementations make use of the userinfo component for internal
+   configuration of authentication information, such as within command
+   invocation options, configuration files, or bookmark lists, even
+   though such usage might expose a user identifier or password.
+   Senders &MUST-NOT; include a userinfo subcomponent (and its "@"
+   delimiter) when transmitting an "http" URI in a message.  Recipients
+   of HTTP messages that contain a URI reference &SHOULD; parse for the
+   existence of userinfo and treat its presence as an error, likely
+   indicating that the deprecated subcomponent is being used to obscure
+   the authority for the sake of phishing attacks.
 </t>
 </section>