
Re: RFC 2617 errata / MD5-sess

From: William A. Rowe, Jr. <wrowe@rowe-clan.net>
Date: Thu, 10 Aug 2006 09:12:50 -0700
Message-ID: <44DB5B02.3000101@rowe-clan.net>
To: lists@ingostruck.de
CC: ietf-http-wg@w3.org, adam@estacado.net, scott-http@skrb.org

lists@ingostruck.de wrote:
> Hello Scott, Adam, wg-list,
> 
> I just want to give some input to the discussion about
> rfc 2617 and the MD5-sess algorithm described there.

My own concern, if the MD5-sess dialog is reopened, is to account for
the complete dismissal of MD5 for any authn/authz security applications
and to reopen the spec to extending the nonce to SHA1 / SHA2 semantics.

MD5 is already past its prime, and SHA1 is heading that way as well.
It would be good to anticipate future hash support by adding anything
of SHA2 up to SHA-512 and providing for an extensible description of
the negotiated hash employed for this purpose.
Received on Thursday, 10 August 2006 16:13:44 GMT
