Are we so sure the non-English "half" of the world only uses ASCII characters in passwords? Sounds highly unlikely to me.

> Given that, as you confirmed, UTF-8 "doesn't work with Basic and Digest"...

It can work. It is just underspecified. So things can get messy. draft-reschke-basicauth-enc-05 is a current draft (March 2012) attempting to fix this as much as possible.

Forcing ASCII passwords on people feels unacceptable. Better would be to say OAuth servers accepting HTTP BASIC MUST accept UTF-8 encoded usernames and passwords. A warning about interop problems with non-ASCII passwords is OK.

ASCII-only for usernames is almost as bad. I thought internationalized email addresses were just standardized, and email addresses are often used as usernames.

For client id & password ASCII-only is less of an issue. These are values configured into apps, not remembered by human brains.

--
James Manger
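
The interop problem raised in this message, as an added example that is not part of the original email or of any OAuth implementation: the same non-ASCII credentials yield different Basic headers depending on the client's charset, and a server that accepts UTF-8 only rejects the ISO-8859-1 form. The function names, the sample credentials and the use of NFC normalization are assumptions made for this sketch.

```python
import base64
import hmac
import unicodedata


def basic_header(user, password, charset):
    """Client side: build the Authorization value in the given charset."""
    raw = f"{user}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(header):
    """Server side: accept UTF-8 only. Returns (user, password) or None."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
        text = raw.decode("utf-8")  # strict: non-UTF-8 bytes are rejected
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = text.partition(":")  # password may contain ':'
    if not sep:
        return None
    # Assumption: NFC, so composed and decomposed input compare equal.
    return (unicodedata.normalize("NFC", user),
            unicodedata.normalize("NFC", password))


def check(header, expected_user, expected_password):
    """Constant-time comparison against stored (constructed) credentials."""
    creds = parse_basic(header)
    if creds is None:
        return False
    pairs = zip(creds, (expected_user, expected_password))
    results = [
        hmac.compare_digest(got.encode("utf-8"),
                            unicodedata.normalize("NFC", want).encode("utf-8"))
        for got, want in pairs
    ]
    return all(results)


# Constructed sample credentials, not taken from the thread.
USER, PASSWORD = "jos\u00e9", "p\u00e4ssw\u00f6rd:1"

if __name__ == "__main__":
    for cs in ("utf-8", "iso-8859-1"):
        hdr = basic_header(USER, PASSWORD, cs)
        print(cs, hdr, "accepted" if check(hdr, USER, PASSWORD) else "rejected")
```

ASCII-only credentials produce byte-identical headers in both charsets, which is why the ambiguity only surfaces once users pick non-ASCII usernames or passwords.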
