On 2012-03-20 16:29, SM wrote:
> Hi Julian,
> At 02:35 19-03-2012, Julian Reschke wrote:
>> I'd like to point out that I still think my concerns over the
>> inconsistent use of quoted-string
>> (<http://www.ietf.org/mail-archive/web/websec/current/msg01044.html>)
>> are valid and not addressed; and I think they should be before you go
>> to IETF LC.
>
> Wasn't a similar issue raised in another WG recently?
> ...

Indeed; in the context of the auth parameters in the OAuth Bearer
authentication scheme.

There's a slight difference though, the Bearer spec defined new
parameters for an HTTP header field that already exists
(WWW-Authenticate), while STS is a completely new header field.

In the first case, it's a bug (that got fixed), in this case it's "just"
a bad idea. Note that HTTPbis P2 has advice with respect to this:

"Many header fields use a format including (case-insensitively) named
parameters (for instance, Content-Type, defined in Section 6.8 of
[Part3]). Allowing both unquoted (token) and quoted (quoted-string)
syntax for the parameter value enables recipients to use existing parser
components. When allowing both forms, the meaning of a parameter value
ought to be independent of the syntax used for it (for an example, see
the notes on parameter handling for media types in Section 2.3 of
[Part3])." --
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p2-semantics-19.html#rfc.section.3.1.p.8>

Best regards, Julian
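
The parsing behaviour recommended in the HTTPbis text quoted above, as an added example that is not part of the original message or of any draft: a parameter parser that accepts both token and quoted-string values and yields the same value for either form. The function names and the sample header values are constructed for illustration, and the grammar is a simplified version of the HTTP token and quoted-string rules.

```python
import re

# Simplified HTTP grammar: token, and quoted-string with backslash escapes.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
# One directive: name, optional "=value", then ';' or end of field.
PARAM = re.compile(rf"\s*({TOKEN})\s*(?:=\s*({TOKEN}|{QUOTED}))?\s*(?:;|$)")


def unquote(value):
    """Strip quoted-string syntax so both forms compare equal."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_params(field_value):
    """Parse ';'-separated 'name[=value]' directives into a dict.

    Names are lower-cased (they are case-insensitive); a value is stored
    the same way whether it arrived as a token or as a quoted-string.
    """
    params, pos = {}, 0
    while pos < len(field_value):
        m = PARAM.match(field_value, pos)
        if not m:
            raise ValueError(f"malformed parameter at offset {pos}")
        name = m.group(1).lower()
        if name in params:
            raise ValueError(f"duplicate parameter {name!r}")
        raw = m.group(2)
        params[name] = unquote(raw) if raw is not None else None
        pos = m.end()
    return params


def sts_max_age(field_value):
    """Return max-age in seconds from a constructed STS field value."""
    value = parse_params(field_value).get("max-age")
    if value is None or not re.fullmatch(r"[0-9]+", value):
        raise ValueError("max-age missing or not a non-negative integer")
    return int(value)


if __name__ == "__main__":
    # Constructed sample values: the same policy in both syntaxes.
    for sample in ('max-age=31536000; includeSubDomains',
                   'max-age="31536000"; includeSubDomains'):
        print(sample, "->", sts_max_age(sample))
```

A recipient built this way gives the same policy for both spellings, so a sender's choice of syntax cannot change how the header is enforced.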