[Technical Errata Reported] RFC7235 (6307)
RFC Errata System <rfc-editor@rfc-editor.org> Thu, 15 October 2020 12:09 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C23913A13DE for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 15 Oct 2020 05:09:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.649
X-Spam-Level:
X-Spam-Status: No, score=-2.649 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G1lbegtHsPNI for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 15 Oct 2020 05:09:03 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 14C1E3A13DB for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 15 Oct 2020 05:09:02 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1kT21O-0003Ib-9x for ietf-http-wg-dist@listhub.w3.org; Thu, 15 Oct 2020 12:06:15 +0000
Resent-Date: Thu, 15 Oct 2020 12:06:14 +0000
Resent-Message-Id: <E1kT21O-0003Ib-9x@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <wwwrun@rfc-editor.org>) id 1kT21M-0003HP-6B for ietf-http-wg@listhub.w3.org; Thu, 15 Oct 2020 12:06:12 +0000
Received: from rfc-editor.org ([4.31.198.49]) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <wwwrun@rfc-editor.org>) id 1kT21J-0008Ae-Ud for ietf-http-wg@w3.org; Thu, 15 Oct 2020 12:06:11 +0000
Received: by rfc-editor.org (Postfix, from userid 30) id EA4BFF406D4; Thu, 15 Oct 2020 05:05:37 -0700 (PDT)
To: fielding@gbiv.com, julian.reschke@greenbytes.de, superuser@gmail.com, barryleiba@computer.org, mnot@mnot.net, tpauly@apple.com
X-PHP-Originating-Script: 30:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: nick.a.cullen@googlemail.com, ietf-http-wg@w3.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset="UTF-8"
Message-Id: <20201015120537.EA4BFF406D4@rfc-editor.org>
Date: Thu, 15 Oct 2020 05:05:37 -0700
Received-SPF: pass client-ip=4.31.198.49; envelope-from=wwwrun@rfc-editor.org; helo=rfc-editor.org
X-W3C-Hub-Spam-Status: No, score=-7.2
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1kT21J-0008Ae-Ud 8d46111488517827739650ac971735af
X-Original-To: ietf-http-wg@w3.org
Subject: [Technical Errata Reported] RFC7235 (6307)
Archived-At: <https://www.w3.org/mid/20201015120537.EA4BFF406D4@rfc-editor.org>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/38094
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
The following errata report has been submitted for RFC7235, "Hypertext Transfer Protocol (HTTP/1.1): Authentication". -------------------------------------- You may review the report below and at: https://www.rfc-editor.org/errata/eid6307 -------------------------------------- Type: Technical Reported by: Nick Cullen <nick.a.cullen@googlemail.com> Section: 2.1 Original Text ------------- 2.1. Challenge and Response HTTP provides a simple challenge-response authentication framework that can be used by a server to challenge a client request and by a client to provide authentication information. It uses a case- insensitive token as a means to identify the authentication scheme, followed by additional information necessary for achieving authentication via that scheme. The latter can be either a comma- separated list of parameters or a single sequence of characters capable of holding base64-encoded information. Authentication parameters are name=value pairs, where the name token is matched case-insensitively, and each parameter name MUST only occur once per challenge. auth-scheme = token auth-param = token BWS "=" BWS ( token / quoted-string ) Corrected Text -------------- 2.1. Challenge and Response HTTP provides a simple challenge-response authentication framework that can be used by a server to challenge a client request and by a client to provide authentication information. It uses a case- insensitive token as a means to identify the authentication scheme, followed by additional information necessary for achieving authentication via that scheme. The latter can be either a comma- separated list of parameters or a single sequence of characters capable of holding base64-encoded information. Authentication parameters are name=value pairs, where the name token is matched case-insensitively, and each parameter name MUST only occur once per challenge. auth-scheme = itoken auth-param = itoken BWS "=" BWS ( token / quoted-string ) N.B. itoken is a restricted subset of token to ensure well defined case insensitivity. Notes ----- The general token specification allows many characters (including VCHAR) which means that case insensitivity is tricky to define. A more limited subset of token would be sensible, and the distinction between itoken and token is important in understanding the BNF, and matching that to the specification. The section above is a good example of the confusion that can arise, with 3 instances of token in the ABNF, but two of them are to be interpreted in a different way than the third occurence.. Confusion causes incompatibility with NEGOTIATE being rejected by a system that implements the ABNF, but wrongly expects Negotiate. P.S. My 'corrected text' and my understanding of ABNF are incomplete. I crave assistance in forming a properly written definition of itoken to 'well define' the safe subset. Instructions: ------------- This erratum is currently posted as "Reported". If necessary, please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party can log in to change the status and edit the report, if necessary. -------------------------------------- RFC7235 (draft-ietf-httpbis-p7-auth-26) -------------------------------------- Title : Hypertext Transfer Protocol (HTTP/1.1): Authentication Publication Date : June 2014 Author(s) : R. Fielding, Ed., J. Reschke, Ed. Category : PROPOSED STANDARD Source : Hypertext Transfer Protocol Bis APP Area : Applications Stream : IETF Verifying Party : IESG
- [Technical Errata Reported] RFC7235 (6307) RFC Errata System
- Re: [Technical Errata Reported] RFC7235 (6307) Julian Reschke
- Re: [Technical Errata Reported] RFC7235 (6307) Mark Nottingham
- Re: [Technical Errata Reported] RFC7235 (6307) Mark Nottingham
- Re: [Technical Errata Reported] RFC7235 (6307) Barry Leiba