Re: draft-ietf-httpbis-p7-auth-22, "2.2 Protection Space (Realm)"

On 2013-03-25 10:25, "Martin J. Dürst" wrote:
> On 2013/03/19 5:46, Julian Reschke wrote:
>> On 2013-03-18 21:02, Mark Nottingham wrote:
>>> Have you done any testing around what UAs currently do with RFC5987
>>> encoding there, or just UTF-8?
>>> ...
>>
>> Apparently they do either ISO-8859-1, or use the UA's locale (see
>> discussion on http-auth).
>>
>> I haven't tried RFC5987, but I'm pretty sure nobody supports it (will
>> add test case soonish).
>>
>> We may want to leave "realm" alone, and instead add something for
>> display purposes ("prompt", "name"?).
>
> I haven't worked this out, and it's not my area of expertise, so I'm
> just writing this up so that it doesn't get forgotten:
>
> If the "realm" and the "display name" are separate, that might lead to
> some subtle security issues (same display name but different realms,...).

Indeed. If we did this, we would recommend always displaying the realm
*as well*.

Best regards, Julian
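Added illustration, not part of the thread: a small user-agent-side parser for a challenge whose parameters may use RFC 5987 encoding, plus a prompt builder that always shows the realm alongside a separate display name, so two challenges with the same display name but different realms can never produce the same prompt. The `name*` parameter is the hypothetical display parameter floated above, not anything defined by the draft.

```python
import re
from urllib.parse import unquote

# Decode an RFC 5987 ext-value: charset'language'pct-encoded-octets.
# RFC 5987 only permits UTF-8 and ISO-8859-1 as the charset.
def decode_ext_value(ext):
    charset, _, rest = ext.partition("'")
    _language, _, encoded = rest.partition("'")
    if charset.upper() not in ("UTF-8", "ISO-8859-1"):
        raise ValueError("unsupported charset in ext-value: %r" % charset)
    return unquote(encoded, encoding=charset, errors="strict")

# Parse a single challenge such as
#   Basic realm="archive", name*=UTF-8''D%C3%BCrst%20Archiv
# into (scheme, {param: value}); the RFC 5987 form of a parameter wins
# over its plain form regardless of order (RFC 5987, section 4.2).
def parse_challenge(header):
    scheme, _, rest = header.partition(" ")
    params = {}
    pattern = r'([\w*-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,]+)'
    for m in re.finditer(pattern, rest):
        key, value = m.group(1), m.group(2)
        if value.startswith('"'):
            value = re.sub(r'\\(.)', r'\1', value[1:-1])  # unescape quoted-string
        if key.endswith("*"):
            params[key[:-1]] = decode_ext_value(value)
        elif key not in params:
            params[key] = value
    return scheme, params

# Build the text a user agent would show. The realm is always included,
# so a display name shared by two protection spaces cannot hide which
# realm the credentials are actually being sent to ("name" is hypothetical).
def build_prompt(host, scheme, params):
    realm = params.get("realm", "")
    display = params.get("name")
    if display and display != realm:
        return '%s says: %s (realm "%s", %s)' % (host, display, realm, scheme)
    return '%s requests authentication for realm "%s" (%s)' % (host, realm, scheme)

if __name__ == "__main__":
    # Constructed sample challenge, not taken from any real server.
    scheme, params = parse_challenge('Basic realm="archive", name*=UTF-8\'\'D%C3%BCrst%20Archiv')
    print(build_prompt("example.org", scheme, params))
```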

Received on Monday, 25 March 2013 11:40:28 UTC