Now, when I encode this value:
"foo?a=b",
it turns into "foo%3Fa%3Db". (note the uppercase hex here)
The MD5 hash of that is "33055fd2671b42eee16b4e3a1149784c"

The recipient of this hash also urlencodes "foo?a=b",
THEY believe the value is "foo%3fa%3db" (note the lowercase hex)
The MD5 hash of that is "3ad8f06c0aaca4ec46b08123271e794c". totally different.

The hashes don't match, and the request is denied.

Fixing this was pretty simple. Even though I had to use a regular expression to lowercase %xx values to match what the API expects.

But now I ask: what is the "right" case for hex values? the JavaScript function encodeURIComponent() outputs uppercase letters. .NET tends to deliver lowercase. But sometimes POST data shows up with uppercase. It's all over the place. Chaos!

Any manuals I've looked in say that case is insensitive - "%3D" is the same as "%3d". But when you're comparing strings and making cryptographic hashes, they are not the same.

Though there is no real right answer, surely there must be an according-to-Hoyle best practice. If you asked Sir Berners-Lee which one he prefers, what would he say? Which one would the Queen use? When Oprah Winfrey urlencodes a string, which case does she use?

What case do you use in CSS? is it "#FFF" or "#fff"? Photoshop describes colors in uppercase, and a lot of people cut and paste colors into code using that tool. Though most of the W3C's examples show colors in lowercase.

As I discovered today, it matters.
Let us as the world's dominant webmaster forum please come to a consensus on this.