On Thu, May 20, 2021 at 11:23:15AM -0400, David Benjamin wrote:
> SVCB's syntax would need us to not only exclude non-ASCII characters but
> also avoid random delimiters like commas, right? I think that's going a bit
> too far. As Ryan notes, complex definitions for allowed strings result in
> ambiguities around who is responsible for validating what and subtle
> variations in different implementations. That ambiguity can lead to
> injection attacks when one component of a system expects some validation,
> but the other component disagrees.

Just the registry needs to be restricted. TLS implementations would
support all possible inputs. HTTPS/SVCB would no longer need to parse
complex quoted input formats.
--
Viktor.
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
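
The parser disagreement raised in the quoted text, and the effect of restricting only the registry, as an added example that is not part of the original message. All function names are hypothetical, the allowed-character set is an assumption, and the backslash-escaped comma list is a simplified model of the list syntax under discussion.

```python
import string

# Assumed registry rule (not from the thread): letters, digits and "-._/" only,
# so no registered ID ever needs escaping in a comma-separated list.
SAFE = set((string.ascii_letters + string.digits + "-._/").encode())

def registry_allows(proto_id):
    """True if the ID is non-empty and made only of SAFE bytes."""
    return len(proto_id) > 0 and all(b in SAFE for b in proto_id)

def encode_list(ids):
    """Serialize IDs as a comma-separated list, escaping backslash and comma."""
    return b",".join(i.replace(b"\\", b"\\\\").replace(b",", b"\\,") for i in ids)

def naive_split(value):
    """Hypothetical component A: splits on every comma, ignoring escapes."""
    return value.split(b",")

def escape_aware_split(value):
    """Hypothetical component B: a backslash makes the next byte literal."""
    items, cur, i = [], bytearray(), 0
    while i < len(value):
        b = value[i]
        if b == 0x5C:  # backslash: copy the following byte verbatim
            if i + 1 >= len(value):
                raise ValueError("dangling escape")
            cur.append(value[i + 1])
            i += 2
            continue
        if b == 0x2C:  # unescaped comma ends the current item
            items.append(bytes(cur))
            cur = bytearray()
        else:
            cur.append(b)
        i += 1
    items.append(bytes(cur))
    return items

def parsers_agree(ids):
    """Do both components recover the same list from the serialized form?"""
    wire = encode_list(ids)
    return naive_split(wire) == escape_aware_split(wire) == list(ids)

if __name__ == "__main__":
    # Constructed sample lists; b"a,b" is a made-up ID containing a delimiter.
    for ids in ([b"h2", b"http/1.1"], [b"a,b", b"h2"]):
        print(ids, [registry_allows(i) for i in ids], parsers_agree(ids))
```

When every ID passes `registry_allows`, the two splitters cannot disagree, because the serialized list contains no escapes at all.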