Re: security impact of dropping charset default

From: Frank Ellermann <nobody@xyzzy.claranet.de>
Date: Wed, 23 Jan 2008 21:09:45 +0100
To: ietf-http-wg@w3.org
Message-ID: <fn86tf$teq$1@ger.gmane.org>

Julian Reschke wrote:
 
> I'm not totally opposed to mentioning this, but I'd really like
> to understand how the intended change changes the situation...

I think the subject is misleading:

Whatever the default is, MIME ASCII (or the dubious Latin-1), for
authors it's an excuse where they might get away without stating
explicitly within their text/* documents what it is, because the
documents really are ASCII (or Latin-1 for RFC 2616).

For clients the wannabe-default is actually no reliable info, if
they need to know what it is they check it *assuming* ASCII (or
Latin-1) until they get to a point where it's either clear what
it is, or where the assumption is apparently okay, or where they
decide that they have no clue what it is, but certainly not the
wannabe-default.

In other words I think that the UTF-7 observation is a separate
new issue unrelated to default ASCII / Latin-1 / UTF-8, because
UTF-7 could be (mis-)interpreted as subset of these defaults.

And if that deserves a paragraph with MUSTard in the security
considerations, then this doesn't depend on what the default is.

 Frank
Received on Wednesday, 23 January 2008 20:09:48 GMT
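
The point made in the message above, that UTF-7 text can pass for any of the ASCII-compatible defaults, shown as an added example that is not part of the original message: a Python check that flags a text/* body with no charset parameter whose bytes are pure ASCII yet read differently as UTF-7. The function names and the sample body are constructed for illustration.

```python
import re

# A UTF-7 shifted run: '+', modified-base64 characters, optional closing '-'.
# "+-" (the escape for a literal plus) has no base64 characters and is not matched.
_SHIFTED = re.compile(rb"\+[A-Za-z0-9+/]+-?")


def declared_charset(content_type):
    """Return the charset parameter of a Content-Type value, or None if absent."""
    m = re.search(r'charset\s*=\s*"?([^\s;"]+)', content_type or "", re.I)
    return m.group(1).lower() if m else None


def utf7_ambiguity(content_type, body):
    """List (raw_run, utf7_reading) pairs for an unlabelled, ASCII-clean body.

    An empty list means the body is labelled, is not 7-bit clean, or holds no
    run that decodes under UTF-7, so the ASCII reading is the only one.
    """
    if declared_charset(content_type) is not None:
        return []  # explicit label: no default is being assumed
    try:
        body.decode("ascii")
    except UnicodeDecodeError:
        return []  # 8-bit bytes present, so this cannot be UTF-7
    findings = []
    for m in _SHIFTED.finditer(body):
        raw = m.group(0)
        try:
            text = raw.decode("utf-7")
        except UnicodeDecodeError:
            continue  # looks like a shifted run but is not valid UTF-7
        if text:
            findings.append((raw.decode("ascii"), text))
    return findings


if __name__ == "__main__":
    # Constructed sample: every byte is ASCII, so an ASCII, Latin-1 or UTF-8
    # default accepts it unchanged, while a UTF-7 reading yields other characters.
    sample = b"Total: +IKw-5, thanks +Jjo-"
    for raw, text in utf7_ambiguity("text/plain", sample):
        print(f"{raw!r} reads as {text!r} under UTF-7")
```

The same body is reported as unambiguous once the Content-Type carries any charset parameter, which matches the message's point that the risk does not depend on which default is chosen.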