
Re: Instance Digests in HTTP (RFC3230)

From: Lisa Dusseault <lisa.dusseault@gmail.com>
Date: Tue, 6 Oct 2009 12:09:01 -0700
Message-ID: <ca722a9e0910061209y55d1c074n41ee4b0b6ea4666b@mail.gmail.com>
To: Nicolas Alvarez <nicolas.alvarez@gmail.com>
Cc: ietf-http-wg@w3.org
These responses do convince me why we need to add at least a couple more
digest types to the registry.  Since changes to this registry require a
specification, I can offer to shepherd that specification (it can be an
individual submission to Informational status, I'm pretty sure).

Thanks,
Lisa

On Tue, Oct 6, 2009 at 9:30 AM, Nicolas Alvarez
<nicolas.alvarez@gmail.com> wrote:

> Anthony Bryan wrote:
> > On Thu, Oct 1, 2009 at 7:22 PM, Lisa Dusseault wrote:
> >> Isn't more digest values worse for interoperability?  Is there an
> >> overriding security concern that would justify worse interoperability?
> >
> > Because there are no recent values in the registry, I see download
> > clients do this (3x variants of SHA1, 2x of other hashes):
> >
> > Want-Digest: MD5;q=0.3, MD-5;q=0.3, SHA1;q=0.8, SHA;q=0.8,
> > SHA-1;q=0.8, SHA256;q=0.9, SHA-256;q=0.9, SHA384;q=0.9, SHA-384;q=0.9,
> > SHA512;q=1, SHA-512;q=1
>
> Clearly, if we don't add SHA-1 to the registry, people will use it anyway,
> but won't decide on a single name for it. *That's* worse for
> interoperability.
>
Received on Tuesday, 6 October 2009 19:09:37 GMT
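
The Want-Digest header quoted in the thread lists eleven tokens for five algorithms. The following added example (not code from the thread or from any participant) shows what a receiver has to do to cope with that: fold the spelling variants into one name per algorithm and pick a digest from its own allowlist. The canonical names, the function names, and the treatment of q=0 as "not acceptable" are assumptions of this example.

```python
import re

# Spelling variants seen in the quoted header, folded to one name each.
# The canonical spellings on the right are this example's choice.
ALIASES = {
    "MD5": "MD5", "MD-5": "MD5",
    "SHA": "SHA-1", "SHA1": "SHA-1", "SHA-1": "SHA-1",
    "SHA256": "SHA-256", "SHA-256": "SHA-256",
    "SHA384": "SHA-384", "SHA-384": "SHA-384",
    "SHA512": "SHA-512", "SHA-512": "SHA-512",
}

# One list element: token, optionally followed by ;q=<qvalue>
_ITEM = re.compile(
    r"^\s*([A-Za-z0-9!#$%&'*+.^_`|~-]+)\s*"
    r"(?:;\s*q\s*=\s*([01](?:\.\d{0,3})?))?\s*$", re.I)

# The field value from the thread, copied here as sample input.
SAMPLE = ("MD5;q=0.3, MD-5;q=0.3, SHA1;q=0.8, SHA;q=0.8, SHA-1;q=0.8, "
          "SHA256;q=0.9, SHA-256;q=0.9, SHA384;q=0.9, SHA-384;q=0.9, "
          "SHA512;q=1, SHA-512;q=1")

def parse_want_digest(value):
    """Return {canonical algorithm: highest q} for a Want-Digest field value."""
    prefs = {}
    for item in value.split(","):
        m = _ITEM.match(item)
        if not m:
            continue  # malformed element: skip it rather than guess
        name = ALIASES.get(m.group(1).upper())
        q = float(m.group(2) or 1.0)  # a missing qvalue counts as 1.0
        if name is None or q > 1.0:
            continue  # unknown token or out-of-range qvalue
        prefs[name] = max(q, prefs.get(name, 0.0))
    return prefs

def choose_digest(value, supported):
    """Pick from `supported` (server order, strongest first) the algorithm
    the client rates highest; ties go to the server's order. None if no match."""
    prefs = parse_want_digest(value)
    best = None
    for name in supported:
        q = prefs.get(name, 0.0)
        if q > 0 and (best is None or q > best[0]):
            best = (q, name)
    return best[1] if best else None
```

The selection only ever returns a name from the server's own `supported` list, so an unrecognised or misspelled token in the request cannot steer it to an algorithm the server did not intend to offer.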
