RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

Found 1 record.

Status: Rejected (1)

RFC 7235, "Hypertext Transfer Protocol (HTTP/1.1): Authentication", June 2014

Source of RFC: httpbis (app)

Errata ID: 6307
Status: Rejected
Type: Technical
Publication Format(s) : TEXT

Reported By: Nick Cullen
Date Reported: 2020-10-15
Rejected by: Barry Leiba
Date Rejected: 2020-10-19

Section 2.1 says:

2.1.  Challenge and Response

   HTTP provides a simple challenge-response authentication framework
   that can be used by a server to challenge a client request and by a
   client to provide authentication information.  It uses a case-
   insensitive token as a means to identify the authentication scheme,
   followed by additional information necessary for achieving
   authentication via that scheme.  The latter can be either a comma-
   separated list of parameters or a single sequence of characters
   capable of holding base64-encoded information.

   Authentication parameters are name=value pairs, where the name token
   is matched case-insensitively, and each parameter name MUST only
   occur once per challenge.

     auth-scheme    = token

     auth-param     = token BWS "=" BWS ( token / quoted-string )

It should say:

2.1.  Challenge and Response

   HTTP provides a simple challenge-response authentication framework
   that can be used by a server to challenge a client request and by a
   client to provide authentication information.  It uses a case-
   insensitive token as a means to identify the authentication scheme,
   followed by additional information necessary for achieving
   authentication via that scheme.  The latter can be either a comma-
   separated list of parameters or a single sequence of characters
   capable of holding base64-encoded information.

   Authentication parameters are name=value pairs, where the name token
   is matched case-insensitively, and each parameter name MUST only
   occur once per challenge.

     auth-scheme    = itoken

     auth-param     = itoken BWS "=" BWS ( token / quoted-string )

N.B. itoken is a restricted subset of token to ensure well defined case insensitivity.

Notes:

The general token specification allows many characters (including VCHAR) which means that case insensitivity is tricky to define. A more limited subset of token would be sensible, and the distinction between itoken and token is important in understanding the BNF, and matching that to the specification. The section above is a good example of the confusion that can arise, with 3 instances of token in the ABNF, but two of them are to be interpreted in a different way than the third occurence..
Confusion causes incompatibility with NEGOTIATE being rejected by a system that implements the ABNF, but wrongly expects Negotiate.
P.S. My 'corrected text' and my understanding of ABNF are incomplete. I crave assistance in forming a properly written definition of itoken to 'well define' the safe subset.
--VERIFIER NOTES--
The RFC says exactly what was intended, and changing that is beyond the scope of errata reports, and likely beyond the scope of the document. If there's an issue to discuss for a future revision of the RFC, an issue can be filed here:
https://github.com/httpwg/http-core/issues/

Report New Errata