Re: security impact of dropping charset default

Anne van Kesteren wrote:
 
> What does deprecate mean?

My best guess is what I wrote on the "apps" list: it means updating
the reference in the registry to a document explaining why UTF-7 is
generally considered a bad idea today (with limited legacy usage
in e-mail).  To be sure we could ask on the "charset" list.
 
> If support for UTF-7 can't be removed than deprecating it will
> hardly matter.

You're not forced to support all registered charsets today; do you
support, say, pc-multilingual-850+euro (a.k.a. cp00858) or any older
incarnations of "cp850"?  Likely you don't, and IMO "deprecating"
UTF-7 +/- Unicode-1-1 just offers you a reference to justify your
decision to drop it from your list of supported charsets.

Likely you also don't support UTF-1, BOCU-1, SCSU, or UTF-EBCDIC;
what's special about UTF-7?

As far as the IETF is concerned only UTF-8 is a MUST (including
US-ASCII is a no-brainer outside of "mobileok" validators ;-); as
far as XML is concerned you also need all UTF-16s (I'm too lazy
to check what XML says about UTF-32), and anything else is your
decision.  Not covering windows-1252 would of course be odd, and
I think you need Latin-1 for HTML versions before HTML I18N, but
UTF-7 isn't required (IIRC IMAP requires its own variant; that's
not the UTF-7 we're talking about).

> Roy's suggestion of not sniffing for it seems like better advice
> to implementors than a notion of it being deprecated.

His advice could also be put in a document deprecating it.  It's
not clear what HTTP has to do with it; UTF-7 is not "better" when
you find it in documents behind ftp: or file: URLs, or is it?

 Frank

Received on Wednesday, 23 January 2008 17:02:41 UTC
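As an added illustration of the "don't sniff for it" advice discussed in the message above (example code written for this edit, not part of the thread, and not the code of any implementation it mentions): in UTF-7 the characters '<' and '>' are carried inside base64 shift sequences ("+ADw-" and "+AD4-"), so a document body can contain no angle-bracket bytes at all and still decode to markup once a consumer decides it is UTF-7. The sample body, the crude "+ADw-" sniffing heuristic and the fallback policy in `hardened_choose_charset` are all constructed for this example.

```python
import codecs
from typing import Callable, Optional

# Constructed sample (not from the thread): HTML markup in which every '<' and
# '>' sits inside a UTF-7 shift sequence, so the raw bytes hold no '<' or '>'.
UTF7_MARKUP = b"+ADw-script+AD4-alert(1)+ADw-/script+AD4-"


def raw_bytes_contain_markup(data: bytes) -> bool:
    """What a byte-level filter that runs before charset decoding can see."""
    return b"<" in data or b">" in data


def decode_as(data: bytes, charset: str) -> str:
    """Decode the document body under an explicitly chosen charset."""
    return data.decode(charset)


def sniffing_choose_charset(data: bytes, declared: Optional[str]) -> str:
    """The behaviour argued against above: a declared label is honoured as-is,
    and an unlabelled body is sniffed.  The "+ADw-" check is a crude stand-in
    for a real sniffer, constructed for this example."""
    if declared:
        return codecs.lookup(declared).name
    if b"+ADw-" in data:
        return "utf-7"
    return "windows-1252"


def hardened_choose_charset(data: bytes, declared: Optional[str]) -> str:
    """Hypothetical hardened policy: UTF-7 is never selected, neither by
    sniffing nor via a declared label.  Any other declared charset is honoured;
    otherwise the body is treated as UTF-8 when it is valid UTF-8, else as
    windows-1252.  UTF-7 is simply not a candidate here."""
    if declared:
        name = codecs.lookup(declared).name  # normalises aliases such as "utf7"
        if name != "utf-7":
            return name
    try:
        data.decode("utf-8")
        return "utf-8"
    except UnicodeDecodeError:
        return "windows-1252"


def render(data: bytes, declared: Optional[str],
           chooser: Callable[[bytes, Optional[str]], str]) -> str:
    """Decode the body with whatever charset the given chooser picks."""
    return decode_as(data, chooser(data, declared))


if __name__ == "__main__":
    print("raw bytes contain '<' or '>':", raw_bytes_contain_markup(UTF7_MARKUP))
    print("sniffing chooser, no label :", render(UTF7_MARKUP, None, sniffing_choose_charset))
    print("hardened chooser, no label :", render(UTF7_MARKUP, None, hardened_choose_charset))
    print("hardened chooser, 'utf7'   :", render(UTF7_MARKUP, "utf7", hardened_choose_charset))
```

Run stand-alone, the sniffing chooser turns the bracket-free bytes into `<script>alert(1)</script>`, while the hardened chooser leaves them as the harmless ASCII text `+ADw-script+AD4-...` even when the body is explicitly labelled UTF-7. The label check matters as much as the sniffing check: a filter that inspects bytes before decoding is bypassed either way if the decoder can be talked into UTF-7.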