
Re: Instance Digests in HTTP (RFC3230)

From: Anthony Bryan <anthonybryan@gmail.com>
Date: Thu, 15 Oct 2009 10:53:27 -0400
Message-ID: <bb9e09ee0910150753x70d6012ega1fb1d1aa7edbcaa@mail.gmail.com>
To: Lisa Dusseault <lisa.dusseault@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
New version incorporates comments from Pasi Eronen.

-02 : October 15, 2009.
   o  New title.
   o  "Note: This is unrelated to HTTP Digest Authentication."
   o  Remove SHA-224 and SHA-384.
   o  "Changes compared to RFC3230" section added.

A new version of I-D,
draft-bryan-http-digest-algorithm-values-update-02.txt has been
successfully submitted by Anthony Bryan and posted to the IETF

Filename:        draft-bryan-http-digest-algorithm-values-update
Revision:        02
Title:           Additional Hash Algorithms for HTTP Instance Digests
Creation_date:   2009-10-15
WG ID:           Independent Submission
Number_of_pages: 5

[RFC3230] created the IANA registry named "Hypertext Transfer
Protocol (HTTP) Digest Algorithm Values" which defines values for
digest algorithms used in HTTP.  This draft adds new values to the
registry and updates previous values.

On Tue, Oct 6, 2009 at 3:09 PM, Lisa Dusseault <lisa.dusseault@gmail.com> wrote:
> These responses do convince me why we need to add at least a couple more
> digest types to the registry.  Since changes to this registry require a
> specification, I can offer to shepherd that specification (it can be an
> individual submission to Informational status, I'm pretty sure).
> Thanks,
> Lisa
> On Tue, Oct 6, 2009 at 9:30 AM, Nicolas Alvarez <nicolas.alvarez@gmail.com>
> wrote:
>> Anthony Bryan wrote:
>> > On Thu, Oct 1, 2009 at 7:22 PM, Lisa Dusseault wrote:
>> >> Isn't more digest values worse for interoperability?  Is there an
>> >> overriding security concern that would justify worse interoperability?
>> >
>> > Because there are no recent values in the registry, I see download
>> > clients do this (3x variants of SHA1, 2x of other hashes):
>> >
>> > Want-Digest: MD5;q=0.3, MD-5;q=0.3, SHA1;q=0.8, SHA;q=0.8,
>> > SHA-1;q=0.8, SHA256;q=0.9, SHA-256;q=0.9, SHA384;q=0.9, SHA-384;q=0.9,
>> > SHA512;q=1, SHA-512;q=1
>> Clearly, if we don't add SHA-1 to the registry, people will use it anyway,
>> but won't decide on a single name for it. *That's* worse for
>> interoperability.

(( Anthony Bryan ... Metalink [ http://www.metalinker.org ]
  )) Easier, More Reliable, Self Healing Downloads
Received on Thursday, 15 October 2009 14:54:01 GMT
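
The alias problem shown in the quoted Want-Digest header, as an added example that is not part of the original message or of the draft: a server-side parser that folds the spelling variants onto one name per algorithm and then picks the best match. The alias table, the canonical names chosen in it, the handling of missing or malformed q values, and the function names are assumptions made for illustration.

```python
# Constructed alias table (assumption): spellings seen in the quoted header,
# folded onto one name per algorithm.
ALIASES = {
    "MD5": "MD5", "MD-5": "MD5",
    "SHA": "SHA", "SHA1": "SHA", "SHA-1": "SHA",
    "SHA256": "SHA-256", "SHA-256": "SHA-256",
    "SHA384": "SHA-384", "SHA-384": "SHA-384",
    "SHA512": "SHA-512", "SHA-512": "SHA-512",
}

# Field value of the Want-Digest header quoted in the thread.
WANT_DIGEST = (
    "MD5;q=0.3, MD-5;q=0.3, SHA1;q=0.8, SHA;q=0.8, "
    "SHA-1;q=0.8, SHA256;q=0.9, SHA-256;q=0.9, SHA384;q=0.9, "
    "SHA-384;q=0.9, SHA512;q=1, SHA-512;q=1"
)


def parse_want_digest(value):
    """Return {canonical name: highest q} for a Want-Digest field value."""
    prefs = {}
    for item in value.split(","):
        token, _, params = item.strip().partition(";")
        name = ALIASES.get(token.strip().upper())  # names compared case-insensitively
        if name is None:
            continue  # empty or unknown token: skip it rather than guess
        q = 1.0  # assumption: a missing q parameter means full preference
        for param in params.split(";"):
            key, _, val = param.partition("=")
            if key.strip().lower() == "q":
                try:
                    q = float(val)
                except ValueError:
                    q = 0.0  # malformed weight: treat as not acceptable
        if not 0.0 <= q <= 1.0:
            q = 0.0  # out-of-range or NaN weight: treat as not acceptable
        prefs[name] = max(prefs.get(name, 0.0), q)
    return prefs


def choose_digest(value, supported):
    """Pick from `supported` (server order, best first) by client q; None if no match."""
    prefs = parse_want_digest(value)
    ranked = [(-prefs[n], i, n) for i, n in enumerate(supported) if prefs.get(n, 0) > 0]
    return min(ranked)[2] if ranked else None


if __name__ == "__main__":
    print(parse_want_digest(WANT_DIGEST))
    print(choose_digest(WANT_DIGEST, ["SHA-512", "SHA-256", "SHA"]))
```

The eleven entries in the quoted header collapse to five distinct algorithms, which is the redundancy a single registered name per algorithm removes.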
