Plus should be treated literally.
I've ran into a similar issue recently with a time with timezone passed as an url parameter... The timezone in "2012-10-03T11:00+02:00" is truncated due to the '+' being converted to a space.
Now, I have to confess that using CGI.escape('2012-10-03T11:00+02:00') works perfectly fine, as '+' is then encoded as '%2B'.
CGI.escape is not an option in my case. Param with "+" sign is sent from external service provider.
I was curious about your issue since I've always seen '+' being encoded as a param, so I did some digging in order to see where did the current behavior come from.
the rfc1738 you quote has been updated by 2396 and later replaced by 3986, which does not consider '+' a 'special character to be used unencoded' but instead puts it in the list 'sub-delims reserved characters'.
For completeness, the only non alphanumeric unreserved characters on 3986 are "-", ".", "_" and "~".
Therefore I believe you'll have to ask the external service provider to encode the '+' character just as he should have been encoding the '=' character.
You are right. I think we can close this issue.