On 2012-01-16 06:38, Marsh Ray wrote:
On 01/05/2012 11:50 AM, Anne van Kesteren wrote:
On Thu, 05 Jan 2012 16:59:58 +0100, Paul Hoffman <paul.hoff...@vpnc.org>
wrote:

"We invented a header that your message-producing software must
special-case" is not a good way to get security.

If the header-consuming software works that way, it might be the only
way. What the right way to go here is kind of depends on how header
field values are typically implemented in practice. I suspect it to be
rather messy.

How about: servers generating the header MUST use quoted-string whenever
quoted-string is necessary, otherwise they SHOULD use the token
production on Mondays, Wednesdays, and Fridays and they SHOULD use
quoted-string on Tuesday, Thursday, Saturday, and Sunday.

Yes, I'm joking. But only half-way. I have a deep suspicion that
something like that might actually yield the best interoperability
overall. One thing worse than having arbitrarily-chosen redundant code
paths is having protocol grammar that's never ever used - until it's
needed.
...

Indeed.

Test cases!

Examples! (Section 5.2 really needs an example of a header field where an extension parameter using q-s is used)

Best regards, Julian
_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
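
The kind of test case asked for above, as an added example that is not part of the original thread or of any draft: a directive parser that accepts both the token and the quoted-string form, next to a naive split-based parser that only copes with tokens. The function names, the sample field values, the lowercasing of directive names and the rejection of duplicates are assumptions of this example; qdtext is simplified to "anything but a double quote or backslash".

```python
import re

# token and quoted-string follow the HTTP/1.1 grammar (RFC 7230, section 3.2.6).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'          # simplified qdtext plus quoted-pair
DIRECTIVE = re.compile(
    rf"\s*(?P<name>{TOKEN})\s*(?:=\s*(?P<value>{TOKEN}|{QUOTED}))?\s*(?:;|$)"
)


def unquote(value):
    """Strip the surrounding quotes and resolve quoted-pairs; tokens pass through."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_directives(field_value):
    """Parse 'name[=value]; ...' where value is a token or a quoted-string."""
    field_value = field_value.strip()
    result = {}
    pos = 0
    while pos < len(field_value):
        m = DIRECTIVE.match(field_value, pos)
        if m is None:
            raise ValueError(f"malformed directive at offset {pos}")
        name = m.group("name").lower()   # assumption: names are case-insensitive
        if name in result:
            raise ValueError(f"duplicate directive {name!r}")
        value = m.group("value")
        result[name] = None if value is None else unquote(value)
        pos = m.end()
    return result


def naive_parse(field_value):
    """Split-based parser: fine for tokens, wrong for quoted-string."""
    result = {}
    for part in field_value.split(";"):
        name, _, value = part.strip().partition("=")
        result[name.lower()] = value or None
    return result


if __name__ == "__main__":
    # Constructed field values: the same directives in both syntaxes.
    for sample in ('max-age=300; ext=abc', 'max-age="300"; ext="abc"', 'ext="a;b"'):
        print(sample, parse_directives(sample), naive_parse(sample))
```

Feeding every test value through both syntaxes is what keeps the quoted-string path exercised before a real extension parameter needs it.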