[ogsa-hpcp-wg] [Fwd: File Staging Extensions Comment]
Donal K. Fellows
donal.k.fellows at manchester.ac.uk
Sun Jun 29 18:37:56 CDT 2008
Steven Newhouse wrote:
> It was discussed in the working group. My recollection was that there
> was no defined 'standard' mechanism for embedding a username and
> password into an scp uri. Therefore we did not feel happy specifying
> one.
I'd have thought in that case that going with the "generic URI" format
for usernames and passwords would be the right thing then, leading to:
    scp://user:pass@host.com/path/to/file
This will be pretty easy to implement (stripping the password out and
passing it to the copier correctly won't be a big challenge). However,
reading http://tools.ietf.org/html/rfc3986 (the current definition of
the generic URI format) leads to a problem with this, in that the
embedding of passwords here is massively unsafe and leads to a range of
troubles (including, but not limited to, making the document highly
security-sensitive). I think we already knew that! (On the plus side, I
don't think we need to worry so much about the issues documented in
section 7.6 of that RFC for now; JSDL isn't a user-focussed format...)
What we really need here is proper security delegation. That's the only
solution which is actually of any real long-term good. This is just a
(necessary) band-aid.
Donal.
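
Added example, not part of the original message or of any working-group code: a Python sketch of the "stripping the password out" step for an scp:// staging URI in the generic RFC 3986 form. The function name and the sample URIs are hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, unquote


def split_staging_uri(uri):
    """Separate credentials from an scp:// staging URI.

    Returns (safe_uri, user, password). safe_uri carries no password and is
    the only form that should reach logs or stored job documents.
    """
    parts = urlsplit(uri)
    if parts.scheme != "scp" or not parts.hostname:
        raise ValueError("expected scp://host/path")
    # The authority is [userinfo@]host[:port]; split on the LAST '@' so a
    # stray unencoded '@' inside the password does not end up in the host.
    userinfo, _, hostport = parts.netloc.rpartition("@")
    # In userinfo, everything after the FIRST ':' is the password, so the
    # password itself may contain ':' characters.
    raw_user, sep, raw_pass = userinfo.partition(":")
    user = unquote(raw_user) or None
    password = unquote(raw_pass) if sep else None
    # Rebuild the authority without the password, keeping the user in its
    # original percent-encoded form so the result is still a valid URI.
    netloc = f"{raw_user}@{hostport}" if raw_user else hostport
    safe_uri = urlunsplit(
        (parts.scheme, netloc, parts.path, parts.query, parts.fragment)
    )
    return safe_uri, user, password


if __name__ == "__main__":
    # Constructed sample URIs, including the one from the message above.
    samples = [
        "scp://user:pass@host.com/path/to/file",
        "scp://alice:p%40ss%3Aword@host.example/data/in.dat",
        "scp://u:p@[2001:db8::1]:2222/f",
        "scp://host.com/no/credentials",
    ]
    for uri in samples:
        safe_uri, user, password = split_staging_uri(uri)
        # Report only whether a password was present, never its value.
        print(safe_uri, user, "password present" if password else "no password")
```

The password is returned as a separate value so the caller can hand it to the copier out of band, while the safe URI is what gets logged or echoed back.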