<div dir="ltr">Agreed. NQCHAR would be good. <div><br></div><div>Is it a good idea or am I just being overly anxious? </div><div><br></div><div>Nat</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">2014-08-19 8:43 GMT+09:00 Mike Jones <span dir="ltr"><<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">





<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">If we’re going to do this, we should restrict it to the NQCHAR set from
<a href="http://tools.ietf.org/html/rfc6749#appendix-A.1" target="_blank">http://tools.ietf.org/html/rfc6749#appendix-A.1</a>:<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN" style="font-family:"Courier New"">     NQCHAR     = %x21 / %x23-5B / %x5D-7E<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">(printable ASCII without double quote or backslash)<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">                                                                -- Mike<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> <a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a> [mailto:<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a>]
<b>On Behalf Of </b>Nat Sakimura<br>
<b>Sent:</b> Monday, August 18, 2014 4:38 PM<br>
<b>To:</b> <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> [Openid-specs-ab] Session - session_state in UTF-8?<u></u><u></u></span></p><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<p class="MsoNormal">One question. This just occurred to me when reading the proposed text on issue #915 (
<a href="https://bitbucket.org/openid/connect/issue/915/" target="_blank">https://bitbucket.org/openid/connect/issue/915/</a> ). <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Do we want to restrict the repertoire allowed in the session_state string? <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">I am a bit concerned that bunch of unexpected consequences may happen when multi-bytes chars are used in it as it will be transmitted over the http param and usually is dealt with the middleware the software is using. <u></u><u></u></p>

</div>
<div>
<p class="MsoNormal">If we are sure that it would not, I am fine with it, but if we are not sure, it may be better to constrain the repertoire to ASCII etc. to be on the safe side. <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Perhaps I should reopen issue #917 (<a href="https://bitbucket.org/openid/connect/issue/917" target="_blank">https://bitbucket.org/openid/connect/issue/917</a>) ? <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<p class="MsoNormal">-- <br>
Nat Sakimura (=nat)<u></u><u></u></p>
<div>
<p class="MsoNormal">Chairman, OpenID Foundation<br>
<a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>
@_nat_en<u></u><u></u></p>
</div>
</div>
</div></div></div>
</div>

</blockquote></div><br><br clear="all"><div><br></div>-- <br>Nat Sakimura (=nat)<div>Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en</div>
</div>