On 12/11/06, Johannes Ernst <[EMAIL PROTECTED]> wrote:
> >> Section 4.1.1 - Key-Value Form Encoding
> >>
> >> If in the key-value form, I wish to transmit a value that includes
> >> a '\n', what am I supposed to do?
> >
> > Encode it such that it doesn't have a '\n' in it, e.g. using base64.
> > If '\n' was allowed, the protocol would permit the kind of attack
> > described in this thread:
> > http://openid.net/pipermail/specs/2006-November/000901.html
>
> I understand that is one possible fix. What about we define one of
> the possible fixes as the "canonical" fix for text data, otherwise
> different implementors will implement different fixes (base64,
> C-style \n, URL-style %0D%0a, ... ) and interop will suffer.

I'm uncomfortable defining an escaping mechanism when there are different possibilities that are appropriate for different contexts. I think that extension authors will define an appropriate scheme for the problem that they are solving (e.g. if it's binary data, use base64), and everyone who is using that extension will use that same encoding, so there will not be interoperability issues. If there were multiple extensions defining escaping mechanisms today, and they agreed, then I might agree to specify one, but there are not, so I'd rather leave it open.

Josh
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
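
The point discussed in this thread, as an added example that is not code from the thread or from the OpenID specification: a key-value form encoder that refuses a '\n' in a value, next to an unchecked one whose output decodes as an extra pair. The function names, the `note` key and the sample value are constructed for illustration, the assumed line format is `key:value\n`, and base64 stands in for whatever encoding an extension would define.

```python
import base64

def naive_encode(pairs):
    # Writes "key:value\n" lines with no validation (shown only for contrast).
    return "".join(f"{k}:{v}\n" for k, v in pairs).encode("utf-8")

def kv_encode(pairs):
    # Strict encoder: refuses anything that would change the line structure.
    lines = []
    for key, value in pairs:
        if ":" in key or "\n" in key:
            raise ValueError(f"illegal character in key {key!r}")
        if "\n" in value:
            raise ValueError(f"newline in value for key {key!r}")
        lines.append(f"{key}:{value}\n")
    return "".join(lines).encode("utf-8")

def kv_decode(data):
    # Splits on "\n", then on the first ":" of each line.
    text = data.decode("utf-8")
    if text and not text.endswith("\n"):
        raise ValueError("missing trailing newline")
    pairs = []
    for line in text.split("\n")[:-1]:
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"line without ':' separator: {line!r}")
        pairs.append((key, value))
    return pairs

def b64_value(raw):
    # base64.b64encode never emits "\n", so the result is safe as a value.
    return base64.b64encode(raw).decode("ascii")

# Constructed sample: one logical value that contains a newline.
RAW = b"line one\nextra:injected"

if __name__ == "__main__":
    # The naive encoding decodes as two pairs instead of one.
    print(kv_decode(naive_encode([("note", RAW.decode())])))
    # The strict encoder accepts the same data once it is base64-wrapped.
    wire = kv_encode([("note", b64_value(RAW))])
    print(wire, base64.b64decode(kv_decode(wire)[0][1]) == RAW)
```

Both ends have to agree on which keys carry base64, which is the interoperability question raised above.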