On Tuesday, May 11, 2021 11:18:30 AM EDT Ned Freed wrote:
> This one is ... interesting, in a pedantic sort of way.
>
> The current ABNF is clearly incorrect; the question is how best to fix it.
>
> The simplest fix is:
>
> spf-rp-tag = "rp=" 1*3DIGIT
>
> This conforms to the ABNF used for similar percentage values
> in related specifications. For example RFC 7489 defines pct as:
>
> dmarc-percent = "pct" *WSP "=" *WSP
> 1*3DIGIT
>
> Even though the pct value is restricted in the text to the
> same 0-100 range as is allowed here.
>
> But this allows values outside the allowed range, as well as leading zeros.
> The fix suggested in the report restricts things to the allowed range:
>
> spf-rp-tag = "rp=" "100" / 1*2DIGIT
>
> But it doesn't deal with the leading zero issue. And it now disallows things
> like "001" that were allowed before, and which do specify an in-range
> value.
>
> If you also want to eliminate leading zeros, then you need something like:
>
> spf-rp-tag = "rp=" ("100" / ([%x31-39] DIGIT))
>
> Of course there are other ways to do it, but I don't think there are
> any that involve fewer terminals.
>
> As to what implementations do, my guess is most call whatever integer parser
> they have handy, and then check to see if the result is in range. This
> probably means they are tolerant of leading zeros - although I guess it's
> faintly possible that a value with a leading zero will be interpreted in
> base 8 - and some probably allow a leading +/-.
>
> And finally, there's the question of whether this is a correction or an
> update. I think 1*3DIGIT clearly qualifies as a correction given that's
> what is in other RFCs, but the more restrictive you get the closer you are
> to this being an update.
>
> Anyway, my recommendation is to go with 1*3DIGIT for now, although I don't
> feel strongly about it.
>
> Ned
I think that's reasonable.
Scott K
>
> > The following errata report has been submitted for RFC6652,
> > "Sender Policy Framework (SPF) Authentication Failure Reporting Using the
> > Abuse Reporting Format".
> >
> > --------------------------------------
> > You may review the report below and at:
> > https://www.rfc-editor.org/errata/eid6579
> >
> > --------------------------------------
> > Type: Technical
> > Reported by: Benjamin Schwarze <[email protected]>
> >
> > Section: 3.
> >
> > Original Text
> > -------------
> > spf-rp-tag = "rp=" 1*12DIGIT "/" 1*12DIGIT
> >
> > Corrected Text
> > --------------
> > spf-rp-tag = "rp=" "100" / 1*2DIGIT
> >
> > Notes
> > -----
> >
> > As explained in paragraph 3, the value of the "rp" modifier should be an
> > integer value between 0 and 100. However, the specified abnf does not fit
> > this requirement.
> >
> > Instructions:
> > -------------
> > This erratum is currently posted as "Reported". If necessary, please
> > use "Reply All" to discuss whether it should be verified or
> > rejected. When a decision is reached, the verifying party
> > can log in to change the status and edit the report, if necessary.
> >
> > --------------------------------------
> > RFC6652 (draft-ietf-marf-spf-reporting-11)
> > --------------------------------------
> > Title : Sender Policy Framework (SPF) Authentication Failure
> > Reporting Using the Abuse Reporting Format Publication Date : June
> > 2012
> > Author(s) : S. Kitterman
> > Category : PROPOSED STANDARD
> > Source : Messaging Abuse Reporting Format
> > Area : Applications
> > Stream : IETF
> > Verifying Party : IESG
> >
> > _______________________________________________
> > marf mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/marf
_______________________________________________
marf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/marf
