Re: security impact of dropping charset default

Roy T. Fielding wrote:
 
> I think it would be easier to simply say that (i.e., "The charset
> guessing algorithm MUST exclude 7-bit character encodings other
> than US-ASCII.  In particular, UTF-7 MUST NOT be guessed.")

I'm not sure about other 7-bit character encodings; all I'm aware
of (excl. UTF-7) are harmless wrt security.  Deprecating UTF-7 for
user agents using HTTP (among other protocols) is IMO not the job
of HTTPbis.  It is also not the job of "net-utf8" as proposed on
the "apps" list recently:

<http://permalink.gmane.org/gmane.ietf.apps-discuss/946>

IMO it's generally a good idea to deprecate UTF-7 and Unicode-1-1,
and as far as I know one of the authors (Mark) and other experts
(Addison) would also support deprecating UTF-7.  How about that
"general" solution?

 Frank

Received on Wednesday, 23 January 2008 12:46:01 UTC