RFC Errata
RFC 7804, "Salted Challenge Response HTTP Authentication Mechanism", March 2016
Source of RFC: httpauth (sec)
Errata ID: 5496
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Peter Occil
Date Reported: 2018-09-08
Section 2.2 says:
o Normalize(str): Apply the Preparation and Enforcement steps according to the OpaqueString profile (see [RFC7613]) to a UTF-8 [RFC3629] encoded "str". The resulting string is also in UTF-8. Note that implementations MUST either implement OpaqueString profile operations from [RFC7613] or disallow the use of non US-ASCII Unicode codepoints in "str". The latter is a particular case of compliance with [RFC7613].
It should say:
o Normalize(str): Apply the Preparation and Enforcement steps according to the OpaqueString profile (see [RFC7613]) to a UTF-8 [RFC3629] encoded "str". The resulting string is also in UTF-8. Note that implementations MUST either implement OpaqueString profile operations from [RFC7613] or disallow the use of Unicode codepoints not ranging from U+0020 to U+007E in "str". The latter is a particular case of compliance with [RFC7613].
Notes:
Control code points (including the ASCII controls U+0000 to U+001F as well as U+007F) are disallowed in the PRECIS FreeformClass, which the OpaqueString profile uses. Thus it's not enough to just disallow non-US-ASCII codepoints (rather than implement the full OpaqueString profile) to comply with a subset of the OpaqueString profile.