Re: [Technical Errata Reported] RFC7230 (5964)
Mark Nottingham <mnot@mnot.net> Thu, 23 January 2020 22:05 UTC
From: Mark Nottingham <mnot@mnot.net>
To: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: Roy Fielding <fielding@gbiv.com>, "Julian F. Reschke" <julian.reschke@greenbytes.de>, ben@nostrum.com, aamelnikov@fastmail.fm, adam@nostrum.com, tpauly@apple.com, rick@openfortress.nl, ietf-http-wg@w3.org
Date: Fri, 24 Jan 2020 09:02:02 +1100
In-Reply-To: <20200123155840.241DDF406CD@rfc-editor.org>
Message-Id: <FF06904B-55AC-46C6-A20B-68FF435C98DC@mnot.net>
Archived-At: <https://www.w3.org/mid/FF06904B-55AC-46C6-A20B-68FF435C98DC@mnot.net>
Rick,

This is better filed as an issue on the HTTP core revisions [1] than as an erratum. Recommending REJECT.

Cheers,

1. https://github.com/httpwg/http-core#draft-http-core-documents

> On 24 Jan 2020, at 2:58 am, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
>
> The following errata report has been submitted for RFC7230,
> "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing".
>
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid5964
>
> --------------------------------------
> Type: Technical
> Reported by: Rick van Rein <rick@openfortress.nl>
>
> Section: 2.7.1
>
> Original Text
> -------------
> The URI generic syntax for authority also includes a deprecated
> userinfo subcomponent ([RFC3986], Section 3.2.1) for including user
> authentication information in the URI. Some implementations make use
> of the userinfo component for internal configuration of
> authentication information, such as within command invocation
> options, configuration files, or bookmark lists, even though such
> usage might expose a user identifier or password. A sender MUST NOT
> generate the userinfo subcomponent (and its "@" delimiter) when an
> "http" URI reference is generated within a message as a request
> target or header field value. Before making use of an "http" URI
> reference received from an untrusted source, a recipient SHOULD parse
> for userinfo and treat its presence as an error; it is likely being
> used to obscure the authority for the sake of phishing attacks.
>
>
> Corrected Text
> --------------
> The URI generic syntax for authority also includes a
> userinfo subcomponent in which the format "user:password" is deprecated
> ([RFC3986], Section 3.2.1). The user is permitted, but the password
> is not. Some implementations make use
> of the userinfo component for internal configuration of
> authentication information, such as within command invocation
> options, configuration files, or bookmark lists, even though such
> usage might expose a user identifier or password. A sender MUST NOT
> generate a colon in a userinfo subcomponent when an
> "http" URI reference is generated within a message as a request
> target or header field value, but it may prefix a user and an "@" delimiter
> before the host name in an "http" URI. Before making use of an "http" URI
> reference received from an untrusted source, a recipient SHOULD parse
> for userinfo and treat the presence of a colon in it as an error.
>
>
> Notes
> -----
> RFC3986 does not forbid or even discourage the "user" in the userinfo subcomponent. It only says
>
>     Use of the format "user:password" in the userinfo field is
>     deprecated.
>
> and continues to describe ":password" handling.
>
> Obscuring the authority for the purposes of phishing is not mitigated by parsing the userinfo; subdomains in DNS offer similar notational flexibility. Parsing does help against misleading password popups.
>
> The user is part of the authority section of the URI and its purpose is to zoom in on a scope for authoritative resource addressing. This syntax has in the past been (ab)used for Basic/Digest authentication details, which only works if visitor and visited resource happen to be the same user; it is this (ab)use that is now deprecated.
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> can log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC7230 (draft-ietf-httpbis-p1-messaging-26)
> --------------------------------------
> Title               : Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing
> Publication Date    : June 2014
> Author(s)           : R. Fielding, Ed., J. Reschke, Ed.
> Category            : PROPOSED STANDARD
> Source              : Hypertext Transfer Protocol Bis APP
> Area                : Applications
> Stream              : IETF
> Verifying Party     : IESG

--
Mark Nottingham   https://www.mnot.net/
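The two rules under discussion, the RFC 7230 section 2.7.1 text quoted above (any userinfo in a received "http" URI is an error) and the erratum's proposed replacement (only a colon inside userinfo is an error), differ exactly on the phishing-style case the RFC text names: a userinfo with no colon that reads like a host name. The following Python is an added illustration written for this archive page; it is not code from the thread, the RFC or the errata system. It uses only the standard library's urllib.parse, treats "https" the same as "http" (an assumption), and the host names and URIs in SAMPLES are constructed placeholders.

```python
"""Added example (not part of the mailing-list thread): apply the RFC 7230
section 2.7.1 userinfo rule and the alternative rule proposed in erratum 5964
to constructed http URI references, and show the sender-side strip."""
from urllib.parse import urlsplit, urlunsplit

HTTP_SCHEMES = ("http", "https")  # assumption: treat "https" like "http"


def split_userinfo(uri):
    """Split the authority of an http(s) URI reference into (userinfo, hostport).

    userinfo is None when no "@" delimiter is present. The last "@" is taken
    as the delimiter, as urllib.parse does; "@" itself is not a legal
    userinfo character under RFC 3986, so a lenient split is the safe choice.
    """
    parts = urlsplit(uri)
    if parts.scheme.lower() not in HTTP_SCHEMES:
        raise ValueError("not an http(s) URI: %r" % uri)
    userinfo, at, hostport = parts.netloc.rpartition("@")
    return (userinfo if at else None), hostport


def authority_host(uri):
    """The host a client would actually connect to (lower-cased by urlsplit)."""
    return urlsplit(uri).hostname


def rfc7230_accepts(uri):
    """RFC 7230 rule: any userinfo, even an empty one before "@", is an error."""
    userinfo, _ = split_userinfo(uri)
    return userinfo is None


def erratum_5964_accepts(uri):
    """Rule proposed in erratum 5964: only a colon inside userinfo is an
    error, so "user@host" passes but "user:password@host" and "user:@host"
    do not."""
    userinfo, _ = split_userinfo(uri)
    return userinfo is None or ":" not in userinfo


def strip_userinfo(uri):
    """Sender side of RFC 7230: drop userinfo and its "@" before putting an
    http URI reference into a request-target or header field value."""
    parts = urlsplit(uri)
    _, hostport = split_userinfo(uri)
    return urlunsplit((parts.scheme, hostport, parts.path,
                       parts.query, parts.fragment))


def classify(uri):
    """Summarise how both rules treat one URI and which host it really names."""
    userinfo, _ = split_userinfo(uri)
    return {
        "uri": uri,
        "host": authority_host(uri),
        "userinfo": userinfo,
        "rfc7230": rfc7230_accepts(uri),
        "erratum_5964": erratum_5964_accepts(uri),
    }


# Constructed sample inputs; attacker.example is a placeholder name.
SAMPLES = [
    "http://www.example.com/",
    "http://www.example.com@attacker.example/login",  # reads like example.com
    "http://user:pass@www.example.com/",
    "http://user:@www.example.com/",
    "http://@www.example.com/",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        row = classify(uri)
        print("%-48s host=%-18s rfc7230=%-5s erratum=%-5s"
              % (row["uri"], row["host"], row["rfc7230"], row["erratum_5964"]))
    print(strip_userinfo("http://user:pass@www.example.com/a?b=c#d"))
```

Running it shows the point of disagreement: for the second sample both rules agree the real host is attacker.example, but only the RFC 7230 rule rejects the reference, while the erratum's colon test lets it through. Whether that trade-off is acceptable is exactly the question the thread defers to the HTTP core revision work rather than the errata process.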