Sorry, I tried to make this post look all pretty and stuff, but Moodle kept on rejecting it as spam. Probably good reason for it...
I am not an expert, but my understanding of the RFC spec is that field names are case-insensitive, per both a reading of the spec and a thread on StackOverflow. Field values, it seems, can be case-sensitive. So it seems like an update to Moodle would be the more spec-appropriate change? This problem affects multiple spots in the LTI implementation, as I discovered yesterday (i.e. in checking the body hash).
In case it does matter, I am using the Python oauth2 library, v 0.7.0, which uses Python's httplib2 as its web request engine.
stackoverflow.com/questions/5258977/are-http-headers-case-sensitive
http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
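
An added illustration, not code from the post above or from Moodle: a receiver that looks up the `Authorization` header by case-insensitive field name, then compares the `oauth_body_hash` value exactly. The function names and the sample request are hypothetical, and the example assumes HMAC-SHA1 signing, so the body hash is the base64-encoded SHA-1 of the request body.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import quote, unquote


def get_header(headers, name):
    """Return the value of header `name`, matching the field name case-insensitively."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def parse_oauth_params(authorization):
    """Parse 'OAuth k="v", k2="v2"' into a dict; parameter values keep their case."""
    scheme, _, rest = authorization.partition(" ")
    if scheme.lower() != "oauth":  # the auth scheme token is case-insensitive too
        return {}
    return {k: unquote(v) for k, v in re.findall(r'(\w+)="([^"]*)"', rest)}


def body_hash_ok(headers, body):
    """Check the oauth_body_hash claimed in the Authorization header against the body."""
    auth = get_header(headers, "Authorization")
    if auth is None:
        return False
    claimed = parse_oauth_params(auth).get("oauth_body_hash", "")
    expected = base64.b64encode(hashlib.sha1(body).digest()).decode("ascii")
    # The hash is a field value: compare it exactly (base64 is case-sensitive),
    # and in constant time.
    return hmac.compare_digest(claimed.encode(), expected.encode())


def make_headers(field_name, body_hash):
    """Build a constructed sample header dict (assumed shape, for illustration only)."""
    value = 'OAuth realm="", oauth_body_hash="%s"' % quote(body_hash, safe="")
    return {field_name: value}


# Constructed sample request body and its hash.
BODY = b"<imsx_POXEnvelopeRequest/>"
HASH = base64.b64encode(hashlib.sha1(BODY).digest()).decode("ascii")
```
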