- From: Frank Ellermann <nobody@xyzzy.claranet.de>
- Date: Wed, 30 Apr 2008 02:26:46 +0200
- To: ietf-http-wg@w3.org

Brian Smith wrote:

> "\d" and "d" mean the same thing according to the definition
> of quoted-string in RFC 2616, AFAICT. We are supposed to
> unescape quoted-strings before processing them, right?

That is a dark corner in the spec. RFC 2617 specifies unq(X) as "the value of the quoted-string X without the surrounding quotes". RFC 2831 adopted this algorithm in its <qdstr-val>.

I-D 2831bis was about to change it, but the SASL folks later decided to give up on updating RFC 2831 as a hopeless case - an unfixed erratum in RFC 2617 rendered "md5-sess" in RFC 2831 and RFC 2617 as incompatible, among other Digest-MD5 issues.

Whatever you do - please be very clear about it, add MUSTard, a note in the 2616bis security considerations, and recommend "future work" for a 2617bis based on 2616bis.

Frank

Received on Wednesday, 30 April 2008 00:24:53 UTC
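
The two readings discussed in this message, side by side, as an added example that is not part of the original post: the RFC 2617 unq(X) wording (strip the quotes only) against RFC 2616 quoted-pair unescaping, and their effect on H(A1) = MD5(unq(username) ":" unq(realm) ":" passwd). The function names and sample values are constructed for illustration.

```python
import hashlib

def unq_literal(quoted: str) -> str:
    """RFC 2617 unq(X): strip the surrounding quotes, keep backslashes as-is."""
    if len(quoted) < 2 or quoted[0] != '"' or quoted[-1] != '"':
        raise ValueError("not a quoted-string")
    return quoted[1:-1]

def unq_unescaped(quoted: str) -> str:
    """RFC 2616 quoted-string: strip quotes and reduce each quoted-pair \\X to X."""
    inner = unq_literal(quoted)
    out, i = [], 0
    while i < len(inner):
        ch = inner[i]
        if ch == "\\":
            i += 1
            if i == len(inner):
                raise ValueError("trailing backslash escapes the closing quote")
            ch = inner[i]
        elif ch == '"':
            raise ValueError("unescaped quote inside quoted-string")
        out.append(ch)
        i += 1
    return "".join(out)

def ha1(username_q: str, realm_q: str, password: str, unq) -> str:
    """H(A1) for plain MD5 Digest: MD5(unq(username) ":" unq(realm) ":" passwd)."""
    a1 = f"{unq(username_q)}:{unq(realm_q)}:{password}"
    return hashlib.md5(a1.encode("utf-8")).hexdigest()

def readings_agree(username_q: str, realm_q: str, password: str) -> bool:
    """True when both interpretations hash the same A1 for these header values."""
    return (ha1(username_q, realm_q, password, unq_literal)
            == ha1(username_q, realm_q, password, unq_unescaped))

# Constructed sample values (not taken from any real deployment).
SAMPLES = ['"d"', '"\\d"', '"CORP\\\\alice"']

if __name__ == "__main__":
    for user in SAMPLES:
        print(user, unq_literal(user), unq_unescaped(user),
              readings_agree(user, '"example"', "secret"))
```

A client and a server that pick different readings compute different H(A1) values only for header values containing a backslash, so the mismatch surfaces as authentication failures for that subset of users.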