[ogsa-hpcp-wg] [Fwd: FIle Staging Extensions Comment]

Steven Newhouse Steven.Newhouse at microsoft.com
Mon Jun 30 00:53:07 CDT 2008


Which is why we decided not to support the credential embedded in the URI and to put in an extensible Credential element placed in the JSDL document for each stage in/out element.

Steven

> -----Original Message-----
> From: Donal K. Fellows [mailto:donal.k.fellows at manchester.ac.uk]
> Sent: Sunday, June 29, 2008 4:38 PM
> To: Steven Newhouse
> Cc: ogsa-hpcp-wg at ogf.org
> Subject: Re: [ogsa-hpcp-wg] [Fwd: FIle Staging Extensions Comment]
>
> Steven Newhouse wrote:
> > It was discussed in the working group. My recollection was that there
> > was no defined 'standard' mechanism for embedding a username and
> > password into an scp uri. Therefore we did not feel happy specifying
> > one.
>
> I'd have thought in that case that going with the "generic URI" format
> for usernames and passwords would be the right thing then, leading to:
>
>    scp://user:pass@host.com/path/to/file
>
> This will be pretty easy to implement (stripping the password out and
> passing it to the copier correctly won't be a big challenge). However,
> reading http://tools.ietf.org/html/rfc3986 (the current definition of
> the generic URI format) leads to a problem with this, in that the
> embedding of passwords here is massively unsafe and leads to a range of
> troubles (including, but not limited to, making the document highly
> security-sensitive). I think we already knew that! (On the plus side, I
> don't think we need to worry so much about the issues documented in
> section 7.6 of that RFC for now; JSDL isn't a user-focussed format...)
>
> What we really need here is proper security delegation. That's the only
> solution which is actually of any real long-term good. This is just a
> (necessary) band-aid.
>
> Donal.
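
The "stripping the password out" step discussed in the quoted message, as an added Python example that is not part of the original thread or of any HPC Profile implementation: it splits the RFC 3986 userinfo off a staging URI so the password can be passed to the copier separately and the URI that gets stored or logged no longer carries it. The function names and every sample URI except the one quoted in the message are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, unquote


def split_credentials(uri):
    """Return (uri_without_userinfo, username, password).

    username and password are percent-decoded; each is None when absent.
    """
    parts = urlsplit(uri)
    # userinfo is everything before the last "@" in the authority component
    userinfo, at, hostport = parts.netloc.rpartition("@")
    if not at:
        return uri, None, None
    # Only the first ":" separates user from password; later ones belong
    # to the password (RFC 3986 userinfo may contain ":").
    user, colon, password = userinfo.partition(":")
    clean = urlunsplit(
        (parts.scheme, hostport, parts.path, parts.query, parts.fragment)
    )
    return clean, unquote(user) or None, unquote(password) if colon else None


def uris_with_embedded_password(uris):
    """Return the credential-free form of every URI that carried a password.

    The result is safe to log: it never contains the userinfo component.
    """
    flagged = []
    for uri in uris:
        clean, _user, password = split_credentials(uri)
        if password is not None:
            flagged.append(clean)
    return flagged


# Constructed sample input (first entry is the form quoted in the message).
SAMPLE_URIS = [
    "scp://user:pass@host.com/path/to/file",
    "scp://alice:p%40ss%3Aword@stage.example:2222/data/in.dat",
    "scp://bob@stage.example/out.dat",
    "scp://stage.example/out.dat",
]

if __name__ == "__main__":
    for flagged_uri in uris_with_embedded_password(SAMPLE_URIS):
        print("password embedded in staging URI:", flagged_uri)
```
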


