Re: [http-auth] [Technical Errata Reported] RFC7804 (5496)

Alexey Melnikov <alexey.melnikov@isode.com> Sat, 08 September 2018 20:51 UTC

Return-Path: <alexey.melnikov@isode.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D8DF130DDA for <http-auth@ietfa.amsl.com>; Sat, 8 Sep 2018 13:51:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e1tX2lTVX94x for <http-auth@ietfa.amsl.com>; Sat, 8 Sep 2018 13:51:15 -0700 (PDT)
Received: from statler.isode.com (Statler.isode.com [62.232.206.189]) by ietfa.amsl.com (Postfix) with ESMTP id DDBA8126CC7 for <http-auth@ietf.org>; Sat, 8 Sep 2018 13:51:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1536439874; d=isode.com; s=june2016; i=@isode.com; bh=kQaz51ToXh5X3oq/sLPKIMvPB/U+0PqdqUk5WkYtTqQ=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=cb6n91bkPhtEOMkRhb5jucnG20JsfA2mHKjXFZ7BjZFwfNf2B2wbpkR421WFrTyKLGmgc4 bykdHhnIz7SCoOQ09TOZB38sYqDObmo9MWz/mbJzJTvoanF+va/tTLyLKDYV0yOhu5sEhZ rJvZPPZgv/W4eme6EU5INmEbyXw82B4=;
Received: from [192.168.0.7] (cpc121086-nmal24-2-0-cust54.19-2.cable.virginm.net [77.97.145.55]) by statler.isode.com (submission channel) via TCP with ESMTPSA id <W5Q2QAAMFlvy@statler.isode.com>; Sat, 8 Sep 2018 21:51:13 +0100
To: RFC Errata System <rfc-editor@rfc-editor.org>, kaduk@mit.edu, ekr@rtfm.com, ynir.ietf@gmail.com, rifaat.ietf@gmail.com
Cc: poccil14@gmail.com, http-auth@ietf.org
References: <20180908135146.08ECDB82672@rfc-editor.org>
From: Alexey Melnikov <alexey.melnikov@isode.com>
Openpgp: preference=signencrypt
Message-ID: <eb57caf6-d915-607c-e328-76fa3470bd10@isode.com>
Date: Sat, 8 Sep 2018 21:51:15 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
In-Reply-To: <20180908135146.08ECDB82672@rfc-editor.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/http-auth/iNVh42HGZKYsfZatcR_6hP4Y_QY>
Subject: Re: [http-auth] [Technical Errata Reported] RFC7804 (5496)
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Sep 2018 20:51:17 -0000

This looks correct to me.

On 08/09/2018 14:51, RFC Errata System wrote:
> The following errata report has been submitted for RFC7804,
> "Salted Challenge Response HTTP Authentication Mechanism".
> 
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata/eid5496
> 
> --------------------------------------
> Type: Technical
> Reported by: Peter Occil <poccil14@gmail.com>
> 
> Section: 2.2
> 
> Original Text
> -------------
>    o  Normalize(str): Apply the Preparation and Enforcement steps
>       according to the OpaqueString profile (see [RFC7613]) to a UTF-8
>       [RFC3629] encoded "str".  The resulting string is also in UTF-8.
>       Note that implementations MUST either implement OpaqueString
>       profile operations from [RFC7613] or disallow the use of non
>       US-ASCII Unicode codepoints in "str".  The latter is a particular
>       case of compliance with [RFC7613].
> 
> 
> Corrected Text
> --------------
>    o  Normalize(str): Apply the Preparation and Enforcement steps
>       according to the OpaqueString profile (see [RFC7613]) to a UTF-8
>       [RFC3629] encoded "str".  The resulting string is also in UTF-8.
>       Note that implementations MUST either implement OpaqueString
>       profile operations from [RFC7613] or disallow the use of Unicode 
>       codepoints not ranging from U+0020 to U+007E in "str".  The latter
>       is a particular case of compliance with [RFC7613].
> 
> 
> Notes
> -----
> Control code points (including the ASCII controls U+0000 to U+001F as well as U+007F) are disallowed in the PRECIS FreeformClass, which the OpaqueString profile uses.  Thus it's not enough to just disallow non-US-ASCII codepoints (rather than implement the full OpaqueString profile) to comply with a subset of the OpaqueString profile.
> 
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party  
> can log in to change the status and edit the report, if necessary. 
> 
> --------------------------------------
> RFC7804 (draft-ietf-httpauth-scram-auth-15)
> --------------------------------------
> Title               : Salted Challenge Response HTTP Authentication Mechanism
> Publication Date    : March 2016
> Author(s)           : A. Melnikov
> Category            : EXPERIMENTAL
> Source              : Hypertext Transfer Protocol Authentication
> Area                : Security
> Stream              : IETF
> Verifying Party     : IESG
>