RFC Errata



Found 2 records.

Status: Verified (1)

RFC 4643, "Network News Transfer Protocol (NNTP) Extension for Authentication", October 2006

Source of RFC: nntpext (app)

Errata ID: 1787
Status: Verified
Type: Technical
Publication Format(s) : TEXT

Reported By: Antti-Juhani Kaijanaho
Date Reported: 2009-05-24
Verifier Name: Lisa Dusseault
Date Verified: 2009-11-25

Section 3.1 says:

user-pass-char = B-CHAR

NOTE: a server implementation MAY parse AUTHINFO USER and AUTHINFO
PASS specially so as to allow white space to be used within the
username or password.  Such implementations accept the additional
syntax (making these two items inconsistent with "token" in Section
9.8 of [NNTP]):

user-pass-char =/ SP / TAB

It should say:

user-pass-char = CTRL / %x21-FF

NOTE: a server implementation MAY parse AUTHINFO USER and AUTHINFO
PASS specially so as to allow white space to be used within the
username or password.  Such implementations accept the additional
syntax (making these two items inconsistent with "token" in Section
9.8 of [NNTP]):

user-pass-char =/ SP / TAB

Notes:

RFC 3977 defines B-CHAR in section 9.8 as:

B-CHAR = CTRL / TAB / SP / %x21-FF

It already contains TAB (%x09) and SP (%x20). Therefore, we have
to define user-pass-char as any byte character except NUL, TAB, LF, CR
and SP. Otherwise, the note does not make sense.

--- RFC Editor Note ---
This report was updated 2009-12-07 per a request from Julien Élie.
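
The effect of Errata ID 1787 on a server-side parser, as an added example (not code from RFC 4643, RFC 3977 or the erratum). The names parse_authinfo and is_valid are hypothetical and the sample command lines are constructed; CTRL is taken as defined in RFC 3977 section 9.8.

```python
import re

# CTRL per RFC 3977 section 9.8: %x01-08 / %x0B-0C / %x0E-1F (no NUL, TAB, LF, CR)
CTRL = frozenset(range(0x01, 0x09)) | {0x0B, 0x0C} | frozenset(range(0x0E, 0x20))
HIGH = frozenset(range(0x21, 0x100))      # %x21-FF

B_CHAR = CTRL | {0x09, 0x20} | HIGH       # original rule: user-pass-char = B-CHAR
STRICT = CTRL | HIGH                      # corrected rule: CTRL / %x21-FF
LENIENT = STRICT | {0x20, 0x09}           # optional: user-pass-char =/ SP / TAB

# "AUTHINFO" WS ("USER" / "PASS") WS value, with WS = 1*(SP / TAB)
_CMD = re.compile(rb"AUTHINFO[ \t]+(USER|PASS)[ \t]+(.*)", re.IGNORECASE | re.DOTALL)


def parse_authinfo(line: bytes, allow_whitespace: bool = False):
    """Hypothetical helper: return (keyword, value) or raise ValueError."""
    if not line.endswith(b"\r\n"):
        raise ValueError("command line must end with CRLF")
    m = _CMD.fullmatch(line[:-2])
    if m is None:
        raise ValueError("not an AUTHINFO USER/PASS command")
    keyword, value = m.group(1).upper().decode("ascii"), m.group(2)
    allowed = LENIENT if allow_whitespace else STRICT
    # NUL, CR and LF are in neither set, so they are rejected in both modes.
    bad = sorted({b for b in value if b not in allowed})
    if not value or bad:
        raise ValueError(f"invalid {keyword} argument, bad octets: {bad}")
    return keyword, value


def is_valid(line: bytes, allow_whitespace: bool = False) -> bool:
    try:
        parse_authinfo(line, allow_whitespace)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample command lines, not taken from RFC 4643.
    samples = [b"AUTHINFO USER fred\r\n", b"AUTHINFO PASS correct horse\r\n",
               b"authinfo pass caf\xe9\r\n", b"AUTHINFO PASS a\x00b\r\n"]
    for raw in samples:
        print(raw, "strict:", is_valid(raw), "lenient:", is_valid(raw, True))
    # With the original rule the "=/ SP / TAB" extension adds nothing:
    print("B-CHAR == corrected rule + SP/TAB:", B_CHAR == LENIENT)
```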

Status: Reported (1)

RFC 4643, "Network News Transfer Protocol (NNTP) Extension for Authentication", October 2006

Source of RFC: nntpext (app)

Errata ID: 8515
Status: Reported
Type: Technical
Publication Format(s) : TEXT

Reported By: Julien ÉLIE
Date Reported: 2025-07-16

Section 2.4.2 says:

To ensure interoperability, client and server implementations of this
extension MUST implement the [DIGEST-MD5] SASL mechanism.

It should say:

To ensure interoperability, client and server implementations of this
extension MUST implement the [SCRAM-SHA-256] SASL mechanism.

Notes:

The DIGEST-MD5 mechanism was marked as obsolete more than a decade ago, in 2011, by RFC 6331 ("Moving DIGEST-MD5 to Historic") because of several flaws. The new recommendation is to use SCRAM:

The Salted Challenge Response Authentication Mechanism (SCRAM) family
of SASL mechanisms [RFC5802] has been developed to provide similar
features as DIGEST-MD5 but with a better design.

SASL libraries begin to retire DIGEST-MD5 so it may no longer be available in current software implementations. I believe another mechanism should be mentioned in RFC 4643 for interoperability. Either SCRAM-SHA-256 or SCRAM-SHA-512 (which may last some more years) for instance.

DIGEST-MD5 should also be removed from all the examples in which it appears in RFC 4643.
