- From: Joe Orton <joe@manyfish.co.uk>
- Date: Fri, 19 Aug 2022 18:33:44 +0100
- To: ahrensdc@gmail.com, sophie.bremer@netzkonform.de, rdd@cert.org, paul.wouters@aiven.io, ynir.ietf@gmail.com, patrick.ni@redant.ca, ietf-http-wg@w3.org

On Fri, Aug 19, 2022 at 02:33:02PM +0100, Joe Orton wrote:
> On Thu, Jun 23, 2022 at 02:32:41PM -0700, RFC Errata System wrote:
> > The following errata report has been submitted for RFC7616,
> > "HTTP Digest Access Authentication".
> >
> > --------------------------------------
> > You may review the report below and at:
> > https://www.rfc-editor.org/errata/eid7005
>
> I reported this to the list a couple of years ago as well.
>
> A partial resolution is:
>
> Section 3.4. Replace section about "Effective Request URI" here, which
> is wrong, because the effective request URI is completely different to
> request-target if the latter is "*". It should read something like:
>
>   uri
>     The request-target of the HTTP request, per Section 3.1.1 of [RFC7230].
>     This is duplicated here because proxies may change the request-target.
>
> Section 3.4.3. Replace request-uri with request-target
>
> The examples using an abspath are then all fine.
>
> This leaves Section 3.5, where "request-uri" is used in the rspauth
> construction. I think the only way to fix this is to actually require
> use of the effective request URI here, which is different behaviour
> to 2617 (again for the "*" case) and possibly fragile. Is there a better
> option?

Hmm, in fact you can do the same with rspauth, use uri, not sure what I
was thinking earlier.

So it really looks like the text from 2617 - using "digest-uri-value"
everywhere as the uri= parameter value - was better, but it got mangled
badly when trying to update it for 7230. If 7616 kept using
"digest-uri-value" everywhere and updated it to mean request-target
instead of request-uri, and dropped references to "effective request
URI" it would all be fine, I think.

Regards, Joe

Received on Friday, 19 August 2022 17:34:12 UTC
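
The following is an added example, not part of the original message or of RFC 7616's text. It computes the qop=auth request digest and rspauth with SHA-256 for an `OPTIONS *` request, once with uri set to the request-target and once with the effective request URI, to show that the two readings do not interoperate. The credentials, nonce values, host name and the server policy that uri= must equal the request-target it received are constructed assumptions.

```python
import hashlib
import hmac

def H(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()

def kd(user, realm, password, nonce, nc, cnonce, a2, qop="auth"):
    """qop=auth construction: H(H(A1):nonce:nc:cnonce:qop:H(A2))."""
    a1 = f"{user}:{realm}:{password}"
    return H(f"{H(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{H(a2)}")

def response(creds, method, uri):
    # Request digest: A2 = Method ":" uri
    return kd(**creds, a2=f"{method}:{uri}")

def rspauth(creds, uri):
    # Authentication-Info rspauth: A2 = ":" uri (no method)
    return kd(**creds, a2=f":{uri}")

def server_accepts(creds, method, request_target, auth):
    # Assumed server policy: uri= must equal the request-target as received,
    # then the digest is recomputed from that same value.
    if auth["uri"] != request_target:
        return False
    expected = response(creds, method, auth["uri"])
    return hmac.compare_digest(expected, auth["response"])

# Constructed sample values (not taken from the RFC or the message).
CREDS = dict(user="alice", realm="test@example.org", password="s3cret",
             nonce="constructed-nonce", nc="00000001", cnonce="constructed-cnonce")
REQUEST_TARGET = "*"                    # request line: OPTIONS * HTTP/1.1
EFFECTIVE_URI = "http://example.org"    # RFC 7230 5.5: empty path for asterisk-form

def client_auth(uri):
    """Authorization parameters a client would send for the given uri= value."""
    return {"uri": uri, "response": response(CREDS, "OPTIONS", uri)}

def demo():
    by_target = client_auth(REQUEST_TARGET)
    by_effective = client_auth(EFFECTIVE_URI)
    return (server_accepts(CREDS, "OPTIONS", REQUEST_TARGET, by_target),
            server_accepts(CREDS, "OPTIONS", REQUEST_TARGET, by_effective))

if __name__ == "__main__":
    print("uri=request-target accepted, uri=effective-URI accepted:", demo())
    print("rspauth over uri='*':", rspauth(CREDS, REQUEST_TARGET))
```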