janinamincer-daszkiewicz
commented
5 years ago Wojtek answered: We needed something stable and ready to be implemented in production, so we had to choose either case sensitive, or case insensitive, because the specification did not do it. Probably before I made a choice, I looked through various sources, to see which option seems more standard, and has a better chance of being chosen for the final standard. Anyway, it does not really matter anymore, because even if I chose wrong then, everyone agreed that case insensitive is OK. By the way, the draft-10 should not be looked at, because we base our specification on the draft-7 version.
According to specifications, the identifier rsa-sha256 given in the Accept-Signature header should be case insensitive. Why is that? The draft specifications https://datatracker.ietf.org/doc/draft-cavage-http-signatures/, https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html and https://tools.ietf.org/html/draft-ietf-httpbis-header-structure-10 don't seem to mention this.