- From: Joe Orton <joe@manyfish.co.uk>
- Date: Fri, 19 Aug 2022 14:33:02 +0100
- To: RFC Errata System <rfc-editor@rfc-editor.org>
- Cc: rifaat.ietf@gmail.com, ahrensdc@gmail.com, sophie.bremer@netzkonform.de, rdd@cert.org, paul.wouters@aiven.io, ynir.ietf@gmail.com, patrick.ni@redant.ca, ietf-http-wg@w3.org
On Thu, Jun 23, 2022 at 02:32:41PM -0700, RFC Errata System wrote:
> The following errata report has been submitted for RFC7616,
> "HTTP Digest Access Authentication".
>
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid7005

I reported this to the list a couple of years ago as well. A partial resolution is:

Section 3.4. Replace section about "Effective Request URI" here, which is wrong, because the effective request URI is completely different to request-target if the latter is "*".

It should read something like:

  uri

  The request-target of the HTTP request, per Section 3.1.1 of [RFC7230]. This is duplicated here because proxies may change the request-target.

Section 3.4.3. Replace request-uri with request-target

The examples using an abspath are then all fine.

This leaves Section 3.5, where "request-uri" is used in the rspauth construction. I think the only way to fix this is to actually require use of the effective request URI here, which is different behaviour to 2617 (again for the "*" case) and possibly fragile. Is there a better option?

Regards, Joe
Received on Friday, 19 August 2022 13:33:32 UTC
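
The "*" case raised in the message above, as an added example that is not part of the original message or of any RFC text: a client puts the request-target in `uri`, and the digest is then verified once against the request-target and once against a simplified effective request URI (RFC 7230, Section 5.5). The credentials, nonce values and host are constructed, and SHA-256 with `qop=auth` is assumed.

```python
import hashlib

def H(data: str) -> str:
    """Hash function for the SHA-256 Digest algorithm (RFC 7616)."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()

def effective_request_uri(scheme: str, host: str, method: str, target: str) -> str:
    """Simplified effective request URI reconstruction (RFC 7230, Section 5.5)."""
    if target.lower().startswith(("http://", "https://")):
        return target                      # absolute-form is used as-is
    if target == "*" or method == "CONNECT":
        return f"{scheme}://{host}"        # asterisk/authority-form: empty path and query
    return f"{scheme}://{host}{target}"    # origin-form

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = KD(H(A1), nonce:nc:cnonce:qop:H(A2)) with A2 = Method ":" uri."""
    ha1 = H(f"{user}:{realm}:{password}")
    ha2 = H(f"{method}:{uri}")
    return H(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

# Constructed sample values, not taken from the message or from the RFC.
CREDS = dict(user="alice", realm="example", password="correct horse")
SESSION = dict(nonce="constructed-nonce", nc="00000001", cnonce="constructed-cnonce")
SCHEME, HOST = "http", "www.example.org"

def verify(method: str, target: str, use_effective_uri: bool) -> bool:
    """True if the server's recomputed digest matches the client's.

    The client hashes the request-target it sent in "uri". The server hashes
    either the same request-target or the effective request URI.
    """
    client = digest_response(method=method, uri=target, **CREDS, **SESSION)
    server_uri = (effective_request_uri(SCHEME, HOST, method, target)
                  if use_effective_uri else target)
    server = digest_response(method=method, uri=server_uri, **CREDS, **SESSION)
    return client == server

if __name__ == "__main__":
    print("effective URI for '*':", effective_request_uri(SCHEME, HOST, "OPTIONS", "*"))
    print("server hashes request-target:       ", verify("OPTIONS", "*", False))
    print("server hashes effective request URI:", verify("OPTIONS", "*", True))
```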