[Resending to list with correct From: header]
Marc, thanks for your comments. Comments inline.
Marc Mutz <mutz(_at_)kde(_dot_)org> writes:
On Sunday 05 May 2002 13:11, Simon Josefsson wrote:
<snip>
+ sieveurl = "sieve://" [ hostport ] "/" scriptname
<snip>
s/hostport/server/
Use of server (to get username/password) is NOT RECOMMENDED according
to RFC 2396 and I kind of agree with their rationale. But I'm sure
this issue come up with almost every URL syntax, so perhaps the "best
practices" for this has changed since 2396. Any W3C/URI gurus here?
I don't care much either way, only that we should not go against
established procedures.
(Who came up with "NOT RECOMMENDED"? I wish they had read RFC2119.)
Do we need a way to activate a script via URLs? Like
sieve://user(_at_)host/myscript1.siv?activate=1
?
Personally I dislike this abuse of URLs. URLs should point to network
resources, not embed actions. I know the history is full of bad
examples when it comes to these things; pop URL etc, but perhaps
that's not a good enough reason to perpetuate it. Embedding username
and passwords is also an example of this abuse, and it is a
particulary bad one since it is not generic over all authentication
mechanisms (no way of expressing similar things for STARTTLS, GSSAPI
etc authentication), so in the end username/passwords gets used just
because it is easier to use it than other mechanisms, which has
security implications.
But again, I don't care much either way and if people think it is OK
then let's change it.