On 2012-01-05 18:50, Anne van Kesteren wrote:
On Thu, 05 Jan 2012 16:59:58 +0100, Paul Hoffman <paul.hoff...@vpnc.org>
wrote:
FWIW, I'm with Julian on this, particularly:
- principle of least surprise and consistency - if quoted-string
works in other header fields with param syntax, why not here?
"We invented a header that your message-producing software must
special-case" is not a good way to get security.
If the header-consuming software works that way, it might be the only
way. What the right way to go here is kind of depends on how header
field values are typically implemented in practice. I suspect it to be
rather messy.
It is indeed messy. And I think one of the reasons it is that there are
too many different formats, and too many special cases within a single
format; thus my proposal to allow token/quoted-string for all
parameters, and not only some.
Best regards, Julian
_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
