Description
> The realm authentication parameter is reserved for use by authentication schemes that wish to indicate a scope of protection.

This says that it is a parameter, but does it appear on challenges or responses? Section 11.2 only establishes that authentication parameters parameterize authentication schemes; there is no mention of how those relate to what is sent.
I think that this first problem only requires a mention of WWW-Authenticate and Proxy-Authenticate.
The second problem is in this text:

> The protection space determines the domain over which credentials can be automatically applied. If a prior request has been authorized, the user agent MAY reuse the same credentials for all other requests within that protection space for a period of time determined by the authentication scheme, parameters, and/or user preferences (such as a configurable inactivity timeout).
Clients would seem to have no way of knowing whether reuse is likely to be successful. A protection space is defined as the tuple of origin and realm, but there is no acknowledgment that how a protection space might correspond to the URI space is only known to the server. (The next sentence, which I omitted from this quote, acknowledges that the client needs special knowledge in order to understand that a protection space might span origins; that's very useful information.)
I think that this requires only that the text acknowledge this uncertainty and note that clients could decide to provide authentication information on every request made to the origin, without knowledge of the extent of the protection space. It might also note that particular authentication schemes might define mechanisms that allow clients to decide where to use credentials. RFC 7616 defines domain, which allows for scoping; RFC 7617 has a section on reusing credentials.
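As an added illustration (not code from the issue, the spec, or the editors), here is a client-side credential cache keyed by protection space (origin, realm). It shows that the client only learns the extent of a space from scheme-specific hints: the path heuristic of RFC 7617 section 2.2 for Basic, and the `domain` parameter of RFC 7616 for Digest. The URLs and challenge strings are constructed samples.

```python
import re
from urllib.parse import urlsplit

# token=quoted-string or token=token; enough for realm/domain, not a full RFC 9110 parser
PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def parse_challenge(header):
    """Split one WWW-Authenticate challenge into (scheme, {param: value})."""
    scheme, _, rest = header.strip().partition(" ")
    return scheme.lower(), {k.lower(): q or t for k, q, t in PARAM_RE.findall(rest)}


def _origin(url):
    u = urlsplit(url)
    return (u.scheme.lower(), u.netloc.lower())


class CredentialCache:
    """Credentials keyed by protection space (origin, realm); extent is scheme-specific."""

    def __init__(self):
        self._spaces = {}  # (origin, realm) -> ([(origin, path_prefix), ...], credentials)

    def remember(self, request_url, challenge, credentials):
        """Store credentials that succeeded for request_url after the given challenge."""
        scheme, params = parse_challenge(challenge)
        origin, u = _origin(request_url), urlsplit(request_url)
        # RFC 7617 s2.2 (Basic): assume the space covers paths at or deeper than the
        # directory of the challenged request; anything beyond that is unknown to the client.
        covered = [(origin, u.path.rsplit("/", 1)[0] + "/")]
        if scheme == "digest":
            # RFC 7616 (Digest): 'domain' lists the URIs of the space; an abs_path entry is
            # relative to the challenging origin, an absolute URI may name another origin,
            # and an absent or empty domain means every URI on the origin.
            domain = params.get("domain", "").split()
            covered = [(origin, "/")] if not domain else [
                (origin, d) if d.startswith("/") else (_origin(d), urlsplit(d).path or "/")
                for d in domain]
        self._spaces[(origin, params.get("realm", ""))] = (covered, credentials)

    def credentials_for(self, url):
        """Credentials the client may send preemptively, or None if no known space covers url."""
        origin, path = _origin(url), urlsplit(url).path or "/"
        for covered, credentials in self._spaces.values():
            if any(o == origin and path.startswith(p) for o, p in covered):
                return credentials
        return None
```

A `None` result does not mean the server would reject the credentials; it means the client has no scheme-level hint that the URL is inside a space it has already authenticated to, which is exactly the uncertainty the issue describes.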