Add percent-encoding for identity user portion #81
Conversation
draft-ietf-rtcweb-security-arch.xml
Outdated
| ensuring that they are authoritative for the identity. | ||
| Sites that use identities that are not of the form | ||
| <user>@<domain>, or which use identities in | ||
| which the domain portion does not match the domain name of |
There was a problem hiding this comment.
I think this is a new requirement. It means that an IDP proxy of "identities-r-us.com" cannot serve identities of the form "user@federated-domain.com" without using the form "user%40federated-domain@identities-r-us.com".
It would be more aesthetically pleasing, at least to me, if the identity of the identity provider was carried in a different field than the identity of the user.
There was a problem hiding this comment.
That's already true, because the text immediately above this says that if the identity doesn't match the IdP proxy address, then it must be rejected. This text simply tells IdP proxies how not to have their identities rejected on that basis.
draft-ietf-rtcweb-security-arch.xml
Outdated
| ensuring that they are authoritative for the identity. | ||
| Sites that use identities that are not of the form | ||
| <user>@<domain>, or which use identities in | ||
| which the domain portion does not match the domain name of |
There was a problem hiding this comment.
I would not support Harald's observation (which would be reasonable if this were made 4 years ago), but would instead suggest that this simply say that if the user portion of the identity contains the characters '%' or '@', then those characters MUST be escaped [...].
There was a problem hiding this comment.
I started out trying to say that, but had difficult saying it in a sufficiently precise way. I'm happy to take edits if you think you can make a run at it, but I tried and wasn't satisfied with the result.
Simplify escaping text
|
@ekr I think this one is good to merge. |
No description provided.