RFC 7804, "Salted Challenge Response HTTP Authentication Mechanism", March 2016

Errata ID: 5496
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Peter Occil
Date Reported: 2018-09-08

Section 2.2 says:

   o  Normalize(str): Apply the Preparation and Enforcement steps
      according to the OpaqueString profile (see [RFC7613]) to a UTF-8
      [RFC3629] encoded "str".  The resulting string is also in UTF-8.
      Note that implementations MUST either implement OpaqueString
      profile operations from [RFC7613] or disallow the use of non
      US-ASCII Unicode codepoints in "str".  The latter is a particular
      case of compliance with [RFC7613].

It should say:

   o  Normalize(str): Apply the Preparation and Enforcement steps
      according to the OpaqueString profile (see [RFC7613]) to a UTF-8
      [RFC3629] encoded "str".  The resulting string is also in UTF-8.
      Note that implementations MUST either implement OpaqueString
      profile operations from [RFC7613] or disallow the use of Unicode 
      codepoints not ranging from U+0020 to U+007E in "str".  The latter
      is a particular case of compliance with [RFC7613].

Notes:

Control code points (including the ASCII controls U+0000 to U+001F as well as U+007F) are disallowed in the PRECIS FreeformClass, which the OpaqueString profile uses. Thus it's not enough to just disallow non-US-ASCII codepoints (rather than implement the full OpaqueString profile) to comply with a subset of the OpaqueString profile.

Report New Errata