Re: [Technical Errata Reported] RFC7235 (6307)

Julian Reschke <julian.reschke@gmx.de> Thu, 15 October 2020 13:05 UTC

To: ietf-http-wg@w3.org
References: <20201015120537.EA4BFF406D4@rfc-editor.org>
From: Julian Reschke <julian.reschke@gmx.de>
Message-ID: <a4cacf04-ecdf-4987-57f5-d45950872868@gmx.de>
Date: Thu, 15 Oct 2020 15:02:21 +0200
Archived-At: <https://www.w3.org/mid/a4cacf04-ecdf-4987-57f5-d45950872868@gmx.de>

This appears to be a proposal for an improvement, not an erratum. Thus I
recommend rejecting it.

That said: making clearer what is case-insensitive in the ABNF is an
interesting idea, but the only thing available here would be a different
name (as suggested) plus prose saying what that means.

I believe it is better to leave things as they are: the ABNF defines the
legal syntax, the prose defines the matching process.

Best regards, Julian


Am 15.10.2020 um 14:05 schrieb RFC Errata System:
> The following errata report has been submitted for RFC7235,
> "Hypertext Transfer Protocol (HTTP/1.1): Authentication".
>
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid6307
>
> --------------------------------------
> Type: Technical
> Reported by: Nick Cullen <nick.a.cullen@googlemail.com>
>
> Section: 2.1
>
> Original Text
> -------------
> 2.1.  Challenge and Response
>
>     HTTP provides a simple challenge-response authentication framework
>     that can be used by a server to challenge a client request and by a
>     client to provide authentication information.  It uses a case-
>     insensitive token as a means to identify the authentication scheme,
>     followed by additional information necessary for achieving
>     authentication via that scheme.  The latter can be either a comma-
>     separated list of parameters or a single sequence of characters
>     capable of holding base64-encoded information.
>
>     Authentication parameters are name=value pairs, where the name token
>     is matched case-insensitively, and each parameter name MUST only
>     occur once per challenge.
>
>       auth-scheme    = token
>
>       auth-param     = token BWS "=" BWS ( token / quoted-string )
>
>
> Corrected Text
> --------------
> 2.1.  Challenge and Response
>
>     HTTP provides a simple challenge-response authentication framework
>     that can be used by a server to challenge a client request and by a
>     client to provide authentication information.  It uses a case-
>     insensitive token as a means to identify the authentication scheme,
>     followed by additional information necessary for achieving
>     authentication via that scheme.  The latter can be either a comma-
>     separated list of parameters or a single sequence of characters
>     capable of holding base64-encoded information.
>
>     Authentication parameters are name=value pairs, where the name token
>     is matched case-insensitively, and each parameter name MUST only
>     occur once per challenge.
>
>       auth-scheme    = itoken
>
>       auth-param     = itoken BWS "=" BWS ( token / quoted-string )
>
> N.B. itoken is a restricted subset of token to ensure well defined case insensitivity.
>
>
> Notes
> -----
> The general token specification allows many characters (including VCHAR) which means that case insensitivity is tricky to define. A more limited subset of token would be sensible, and the distinction between itoken and token is important in understanding the BNF, and matching that to the specification. The section above is a good example of the confusion that can arise, with 3 instances of token in the ABNF, but two of them are to be interpreted in a different way than the third occurrence.
> Confusion causes incompatibility with NEGOTIATE being rejected by a system that implements the ABNF, but wrongly expects Negotiate.
> P.S. My 'corrected text' and my understanding of ABNF are incomplete. I crave assistance in forming a properly written definition of itoken to 'well define' the safe subset.
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> can log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC7235 (draft-ietf-httpbis-p7-auth-26)
> --------------------------------------
> Title               : Hypertext Transfer Protocol (HTTP/1.1): Authentication
> Publication Date    : June 2014
> Author(s)           : R. Fielding, Ed., J. Reschke, Ed.
> Category            : PROPOSED STANDARD
> Source              : Hypertext Transfer Protocol Bis APP
> Area                : Applications
> Stream              : IETF
> Verifying Party     : IESG
>