On Mon, 29 Sep 2008, Dan Fandrich wrote:

>> I guess I wasn't clear: my point was to make sure the new *API* we
>> introduce implies as few restrictions as possible on the user name and
>> passwords. By assuming that the strings are URL encoded, many applications
>> can even get away without encoding them at all (unless they use '%' or
>> zeroes in the strings).
>
> I'm worried that too many applications will assume that they can "get away
> without encoding them at all" and therefore not encode them. Then everyone
> with a % in his password will suffer. Is a NUL byte in a password actually
> allowed in any kind of reasonable system today?

I'm not really sure about how the situation is. Based on this and the complete
lack of anyone ever expressed a wish to do this, I withdraw my suggestion and
I'm all for going back to the plain unencoded version!

-- 
  / daniel.haxx.se