diff --git a/inbox/signing-forms.xml b/inbox/signing-forms.xml
index f07d593e..28906cec 100644
--- a/inbox/signing-forms.xml
+++ b/inbox/signing-forms.xml
@@ -31,6 +31,16 @@
Removed links to articles expression opinions. Reformulated the reference to SASL in the introduction. A reference to Unicode Standard Annex #15, Unicode Normalization Forms, and NFC normalization has been added.
- The algorithm used to sign a form, is the
- OAuth 1.0 Protocol
-
+ A fixed algorithm (OAuth 1.0 Protocol
- A fixed algorithm has been chosen in favor of SASL, to avoid multiple callbacks during form signature. - The idea is to make form signature possible without having to do any intermediate server callbacks, or having to change the original request returning the form. Using SASL and - recommended SASL authentication methods, such as SCRAM-SHA-1, at least one extra server callback would be necessary. If including a callback when selecting SASL method after - having retrieved the form, at least two extra callbacks would be required in some cases. Even by fixing SASL algorithm, the common algorithms not requiring server callback, such - as DIGEST-MD5, are not considered secure enough. + ) has been chosen in favor of a method where the user can select an authentication method from a list of available methods, modelled in the likeness of SASL. The main reason is + to avoid multiple callbacks during form signature. The idea is to make form signature possible without having to do any intermediate server callbacks, or having to change the original + request returning the form. The method is still extensible, allowing possible future extensions. The form signing algorithm to use is defined by the FORM_TYPE parameter in the form + being signed.
The string s are escaped using the &rfc3986; percent-encoding (%xx) mechanism. Characters not in the unreserved character set (ยง 2.3) MUST be encoded.
- Characters in the unreserved character set MUST NOT be encoded. Hexadecimal characters in encodings MUST be upper case. Text names and values MUST be encoded as UTF-8
- octets before percent-encoding them per
+ Characters in the unreserved character set MUST NOT be encoded. Hexadecimal characters in encodings MUST be upper case. Text names and values MUST first be normalized
+ using Normalization Form C (NFC) as defined in
+ Unicode Standard Annex #15, Unicode Normalization Forms
+
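Review bot: the replacement lines in this hunk drop the explicit "MUST be encoded as UTF-8 octets before percent-encoding them" wording while adding "MUST first be normalized using Normalization Form C (NFC)", so the final order of operations is no longer stated in one place; the paragraph should spell out the full canonicalization sequence (NFC normalize, then encode as UTF-8 octets, then percent-encode per RFC 3986 with uppercase hex) because a signer and a verifier that apply these steps in a different order will produce different octets and the signature will not verify. The same hunk also says the signing algorithm is selected by the FORM_TYPE parameter in the form being signed; it would help to state that FORM_TYPE is itself included in the signed data, so that the algorithm choice cannot be altered without invalidating the signature.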