Bjoern Hoehrmann wrote:
> 
> * Mike Jones wrote:
> >Thanks for asking, Martin.  That's effectively what the spec does
> >already.  It restricts the input values of these parameters to be quoted
>
>                   the HTTP specification does not give you an interface
> that allows you to tell `x` and `"x"` apart in this particular case. If
> the draft said "When using WWW-Authenticate: Bearer ... then the header
> name must be written `wWw-authenTICate`", same problem. HTTP says case
> does not matter, and if another specification says "Yes, it does" then
> it is overriding the underlying specification, to some degree anyway.

Of course, what oaep-bearer could _not_ "define to not exist"
(no matter how much anyone (group) might desire this), is those
transformations, and their complexity, that are permitted on
that HTTP header field, e.g. through "middle-boxes", such as client-side
HTTP proxies or server-side reverse-proxies between the original
creator and the final consumer, as well as permitted side-effects
of other application components sharing the same client (like a browser).

-Martin
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
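
Added example, not part of the original messages: a small Python parser for a single-challenge `WWW-Authenticate` value that follows the generic HTTP auth-param grammar (token or quoted-string), showing that `x` and `"x"` yield the same value to the consumer and that a re-quoted header still parses identically. The function names, the sample header values and the `reserialize` intermediary are hypothetical and constructed for illustration.

```python
import re

# Token and quoted-string per the generic HTTP grammar used by auth-param.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
PARAM = re.compile(rf"\s*({TOKEN})\s*=\s*(?:({TOKEN})|({QUOTED}))\s*(?:,|$)")


def parse_challenge(value):
    """Return (scheme, params) for a header value holding one challenge."""
    scheme, _, rest = value.strip().partition(" ")
    params, pos = {}, 0
    while pos < len(rest):
        m = PARAM.match(rest, pos)
        if m is None:
            raise ValueError(f"malformed auth-param at offset {pos}")
        name, tok, quoted = m.groups()
        if quoted is not None:
            # Drop the surrounding quotes and undo quoted-pair escapes.
            val = re.sub(r"\\(.)", r"\1", quoted[1:-1])
        else:
            val = tok
        # Scheme and parameter names are case-insensitive; the quoting
        # form of the value is not preserved anywhere in the result.
        params[name.lower()] = val
        pos = m.end()
    return scheme.lower(), params


def reserialize(scheme, params):
    """Hypothetical intermediary: re-emit every value as a quoted-string."""
    def quote(v):
        return '"' + re.sub(r'(["\\])', r"\\\1", v) + '"'
    return scheme + " " + ", ".join(f"{k}={quote(v)}" for k, v in params.items())


if __name__ == "__main__":
    # Constructed sample values.
    wire = "Bearer realm=example, error=invalid_token"
    parsed = parse_challenge(wire)
    rewritten = reserialize(*parsed)
    print(rewritten)
    print(parse_challenge(rewritten) == parsed)
```
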
