Re: Proposal to change sieve: URL syntax used by the ManageSieve protocol

2008-09-30 00:26:20

--On Sunday, September 28, 2008 04:48:31 PM +0200 Kjetil Torgrim Homme <kjetilho(_at_)ifi(_dot_)uio(_dot_)no> wrote:

> if we put authentication credentials in the
> "authority" (e.g., authz "=" auth ":" password "@" server), this will
> too create a new namespace...

No, you don't want to do that. The whole point of the exercise is to avoid conflating the credentials used to authenticate to managesieve with the namespace to be manipulated, so that clients with sufficient privilege can manipulate namespaces not belonging to them.

> oh -- I think the ManageSieve specification should disallow encoding the
> password as part of the URI, or it needs to go the whole hog and specify
> how to encode SASL methods, the need for TLS etc.

Agree. URLs locate resources; they should specify the service to talk to, where to reach it, and what to ask it for, but they should not specify the identity or credentials of the entity dereferencing the URL.

> to make the owner an explicit part of the path itself is a clean and
> intuitively understandable solution, especially for listscripts when the
> user is authorised to edit the scripts of many owners.
>
> the other
> alternative is to make it crystal clear that the userinfo component in
> authority indicates the owner, and authorization by other parties can
> not be encoded in the URI.

Which defeats the point.

-- Jeff
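
An added example of the separation discussed in this message; it is not part of the original post and not ManageSieve specification text. It rejects any credentials in the authority, reads the owner from the path, and takes the acting identity only from the authenticated session. The `sieve://host[:port]/[owner/]script` layout, the function names and the delegation table are assumptions made for the example.

```python
from urllib.parse import urlsplit, unquote

class SieveURLError(ValueError):
    """Raised for sieve: URLs this checker refuses to dereference."""

def parse_sieve_url(url):
    """Return (host, port, owner, script); owner and script may be None.

    Assumed layout (hypothetical): sieve://host[:port]/[owner/]script
    """
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError as exc:
        raise SieveURLError("malformed authority") from exc
    if parts.scheme != "sieve":
        raise SieveURLError("not a sieve: URL")
    # The URL locates a resource; it must not carry the caller's identity
    # or password, so any userinfo in the authority is rejected outright.
    if "@" in parts.netloc:
        raise SieveURLError("userinfo/credentials in authority are not allowed")
    if not host:
        raise SieveURLError("missing server")
    # Split before percent-decoding so an encoded "/" cannot add a segment.
    segments = [unquote(s) for s in parts.path.split("/")[1:]]
    if segments in ([], [""]):
        return host, port, None, None
    if len(segments) > 2 or "" in segments:
        raise SieveURLError("expected /[owner/]script")
    owner = segments[0] if len(segments) == 2 else None
    return host, port, owner, segments[-1]

def resolve_owner(session_user, url_owner, delegations):
    """Decide whose scripts the session may touch.

    session_user comes from the authenticated session (e.g. SASL), never
    from the URL; delegations maps a user to the owners they may manage.
    """
    owner = url_owner or session_user
    allowed = delegations.get(session_user, set())
    if owner != session_user and owner not in allowed:
        raise PermissionError(f"{session_user} may not manage scripts of {owner}")
    return owner
```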
