--On Sunday, September 28, 2008 04:48:31 PM +0200 Kjetil Torgrim Homme
if we put authentication credentials in the
"authority" (e.g., authz "=" auth ":" password "@" server), this will
too create a new namespace...
No, you don't want to do that. The whole point of the exercise is to avoid
conflating the credentials used to authenticate to managesieve with the
namespace to be manipulated, so that clients with sufficient privilege can
manipulate namespaces not belonging to them.
oh -- I think the ManageSieve specification should disallow encoding the
password as part of the URI, or it needs to go the whole hog and specify
how to encode SASL methods, the need for TLS etc.
Agree. URL's locate resources; they should specify the service to talk to,
where to reach it, and what to ask it for, but they should not specify the
identity or credentials of the entity dereferencing the URL.
to make the owner an explicit part of the path itself is a clean and
intuitively understandable solution, especially for listscripts when the
user is authorised to edit the scripts of many owners.
alternative is to make it crystal clear that the userinfo component in
authority indicates the owner, and authorization by other parties can
not be encoded in the URI.
Which defeats the point.