Re: [Technical Errata Reported] RFC7235 (6307)

Mark Nottingham <mnot@mnot.net> Fri, 16 October 2020 02:28 UTC

From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <20201015120537.EA4BFF406D4@rfc-editor.org>
Date: Fri, 16 Oct 2020 13:24:51 +1100
Cc: Roy Fielding <fielding@gbiv.com>, "Julian F. Reschke" <julian.reschke@greenbytes.de>, superuser@gmail.com, barryleiba@computer.org, tpauly@apple.com, nick.a.cullen@googlemail.com, ietf-http-wg@w3.org
Message-Id: <B9B4F009-6408-4393-9225-E16AF486360E@mnot.net>
References: <20201015120537.EA4BFF406D4@rfc-editor.org>
To: RFC Errata System <rfc-editor@rfc-editor.org>
Subject: Re: [Technical Errata Reported] RFC7235 (6307)
Archived-At: <https://www.w3.org/mid/B9B4F009-6408-4393-9225-E16AF486360E@mnot.net>

Reject. ABNF is already case-insensitive, and limiting token goes far beyond the scope of an errata report.

If you think there's an issue to discuss here, please file at:
  https://github.com/httpwg/http-core/issues/

Cheers,


> On 15 Oct 2020, at 11:05 pm, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
> 
> The following errata report has been submitted for RFC7235,
> "Hypertext Transfer Protocol (HTTP/1.1): Authentication".
> 
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid6307
> 
> --------------------------------------
> Type: Technical
> Reported by: Nick Cullen <nick.a.cullen@googlemail.com>
> 
> Section: 2.1
> 
> Original Text
> -------------
> 2.1.  Challenge and Response
> 
>   HTTP provides a simple challenge-response authentication framework
>   that can be used by a server to challenge a client request and by a
>   client to provide authentication information.  It uses a case-
>   insensitive token as a means to identify the authentication scheme,
>   followed by additional information necessary for achieving
>   authentication via that scheme.  The latter can be either a comma-
>   separated list of parameters or a single sequence of characters
>   capable of holding base64-encoded information.
> 
>   Authentication parameters are name=value pairs, where the name token
>   is matched case-insensitively, and each parameter name MUST only
>   occur once per challenge.
> 
>     auth-scheme    = token
> 
>     auth-param     = token BWS "=" BWS ( token / quoted-string )
> 
> 
> Corrected Text
> --------------
> 2.1.  Challenge and Response
> 
>   HTTP provides a simple challenge-response authentication framework
>   that can be used by a server to challenge a client request and by a
>   client to provide authentication information.  It uses a case-
>   insensitive token as a means to identify the authentication scheme,
>   followed by additional information necessary for achieving
>   authentication via that scheme.  The latter can be either a comma-
>   separated list of parameters or a single sequence of characters
>   capable of holding base64-encoded information.
> 
>   Authentication parameters are name=value pairs, where the name token
>   is matched case-insensitively, and each parameter name MUST only
>   occur once per challenge.
> 
>     auth-scheme    = itoken
> 
>     auth-param     = itoken BWS "=" BWS ( token / quoted-string )
> 
> N.B. itoken is a restricted subset of token to ensure well defined case insensitivity.
> 
> 
> Notes
> -----
> The general token specification allows many characters (including VCHAR) which means that case insensitivity is tricky to define. A more limited subset of token would be sensible, and the distinction between itoken and token is important in understanding the BNF, and matching that to the specification. The section above is a good example of the confusion that can arise, with 3 instances of token in the ABNF, but two of them are to be interpreted in a different way than the third occurrence.
> Confusion causes incompatibility with NEGOTIATE being rejected by a system that implements the ABNF, but wrongly expects Negotiate.
> P.S. My 'corrected text' and my understanding of ABNF are incomplete. I crave assistance in forming a properly written definition of itoken to 'well define' the safe subset.
> 
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> can log in to change the status and edit the report, if necessary.
> 
> --------------------------------------
> RFC7235 (draft-ietf-httpbis-p7-auth-26)
> --------------------------------------
> Title               : Hypertext Transfer Protocol (HTTP/1.1): Authentication
> Publication Date    : June 2014
> Author(s)           : R. Fielding, Ed., J. Reschke, Ed.
> Category            : PROPOSED STANDARD
> Source              : Hypertext Transfer Protocol Bis APP
> Area                : Applications
> Stream              : IETF
> Verifying Party     : IESG

--
Mark Nottingham   https://www.mnot.net/
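The interoperability failure the report describes (a recipient that implements the ABNF but rejects `NEGOTIATE` because it compares the scheme byte-for-byte against `Negotiate`) is a matcher problem, not a grammar problem: Section 2.1 already says the auth-scheme token and the parameter names are matched case-insensitively. The following parser is an added example written for this note; it is not code from the thread, from RFC 7235 or from the httpwg project. It tokenises a `WWW-Authenticate` value using regular expressions that approximate the RFC 7230 `token`, `quoted-string` and RFC 7235 `token68` rules (those regexes and the sample header values are constructed for the example), compares scheme names and parameter names case-insensitively, and treats a parameter name repeated within one challenge as an error, which is a design choice here rather than something the RFC mandates for recipients.

```python
"""Case-insensitive parsing of HTTP challenges (RFC 7235 section 2.1).

challenge   = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
auth-scheme = token
auth-param  = token BWS "=" BWS ( token / quoted-string )

Example code; regexes approximate the RFC 7230/7235 ABNF and are not taken
from any library or from the thread above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# tchar from RFC 7230: "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "."
# / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# quoted-string: DQUOTE *( qdtext / quoted-pair ) DQUOTE  (obs-text kept as \x80-\xff)
_QUOTED_STRING = r'"(?:[\t !#-\[\]-~\x80-\xff]|\\[\t -~\x80-\xff])*"'
# token68 from RFC 7235: 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_TOKEN68 = r"[A-Za-z0-9\-._~+/]+=*"

_token_re = re.compile(_TOKEN)
_auth_param_re = re.compile(rf"({_TOKEN})[ \t]*=[ \t]*({_TOKEN}|{_QUOTED_STRING})")
_token68_re = re.compile(_TOKEN68)
_ows_re = re.compile(r"[ \t]*")          # OWS
_sep_re = re.compile(r"[ \t]*,[ \t,]*")  # list separator, tolerating empty elements
_skip_re = re.compile(r"[ \t,]*")        # leading OWS / empty list elements


@dataclass
class Challenge:
    scheme: str                                   # as received; compare with scheme_is()
    token68: str | None = None
    params: dict[str, str] = field(default_factory=dict)  # names stored lower-cased

    def scheme_is(self, name: str) -> bool:
        """auth-scheme is a token matched case-insensitively (RFC 7235 s2.1)."""
        return self.scheme.lower() == name.lower()


def _unquote(value: str) -> str:
    """Strip DQUOTEs and resolve quoted-pairs; a bare token is returned unchanged."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_challenges(header: str) -> list[Challenge]:
    """Parse a WWW-Authenticate / Proxy-Authenticate field value (1#challenge)."""
    challenges: list[Challenge] = []
    pos, n = 0, len(header)
    while True:
        pos = _skip_re.match(header, pos).end()
        if pos >= n:
            break
        m = _token_re.match(header, pos)
        if m is None:
            raise ValueError(f"expected auth-scheme at offset {pos}")
        ch = Challenge(scheme=m.group(0))
        pos = m.end()
        ws = _ows_re.match(header, pos)
        had_ws, pos = ws.end() > pos, ws.end()
        if pos >= n or header[pos] == ",":
            challenges.append(ch)       # bare scheme, e.g. "NEGOTIATE"
            continue
        if not had_ws:
            raise ValueError(f"expected SP after auth-scheme {ch.scheme!r}")
        m = _auth_param_re.match(header, pos)
        if m is not None:
            # #auth-param: keep consuming "name=value" while the element after
            # the next comma is itself an auth-param; otherwise the comma starts
            # the next challenge.
            while True:
                name, raw = m.group(1), m.group(2)
                key = name.lower()      # parameter names are case-insensitive
                if key in ch.params:    # "MUST only occur once per challenge"
                    raise ValueError(f"duplicate parameter {name!r} in {ch.scheme} challenge")
                ch.params[key] = _unquote(raw)
                pos = m.end()
                sep = _sep_re.match(header, pos)
                if sep is None:
                    break
                m = _auth_param_re.match(header, sep.end())
                if m is None:
                    break
                pos = sep.end()
        else:
            m = _token68_re.match(header, pos)
            if m is None:
                raise ValueError(f"expected token68 or auth-param at offset {pos}")
            ch.token68 = m.group(0)
            pos = m.end()
        tail = _ows_re.match(header, pos).end()
        if tail < n and header[tail] != ",":
            raise ValueError(f"unexpected data at offset {tail}")
        pos = tail
        challenges.append(ch)
    return challenges


def find_challenge(challenges: list[Challenge], scheme: str) -> Challenge | None:
    """First challenge whose scheme matches case-insensitively, else None."""
    for ch in challenges:
        if ch.scheme_is(scheme):
            return ch
    return None


if __name__ == "__main__":
    # constructed sample header, upper-cased scheme deliberately
    hdr = 'NEGOTIATE, Basic realm="x", Bearer realm="api", error="invalid_token"'
    for ch in parse_challenges(hdr):
        print(ch.scheme, ch.token68, ch.params)
    print("Negotiate offered:", find_challenge(parse_challenges(hdr), "Negotiate") is not None)
```

The lookahead at each comma is what makes the list form work: a `token` followed by `BWS "="` is another parameter of the current challenge, anything else begins a new challenge. Lower-casing parameter names at insertion is also what lets the "once per challenge" rule be enforced without a second pass.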