Re: [Last-Call] Secdir last call review of draft-ietf-httpbis-bcp56bis-12 from Mark Nottingham on 2021-08-03 (ietf-http-wg@w3.org from July to September 2021)

From: Mark Nottingham <mnot@mnot.net>
Date: Tue, 3 Aug 2021 10:50:39 +1000
To: Joseph Salowey <joe@salowey.net>
Cc: secdir <secdir@ietf.org>, draft-ietf-httpbis-bcp56bis.all@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>, last-call@ietf.org
Message-Id: <B2E6A3FD-7FAC-45A9-B37A-78CEC54A5B59@mnot.net>

Hi Joe,

> On 3 Aug 2021, at 6:33 am, Joseph Salowey <joe@salowey.net> wrote:
> [Joe]  I think we should deprecate MD5 in all cases and I also think you should treat digest as basic auth and run it over a secure channel in all cases.  The text update looks good.  

There's been some... pushback on list since:
  https://www.w3.org/mid/2E8A6D6C-50DC-4753-916E-3AE43BBFECAE@mnot.net

Would you be comfortable if we just removed the discussion of digest and MD5 completely, and deferred action to an (eventual) update of 7616?

Cheers,

--
Mark Nottingham   https://www.mnot.net/

Received on Tuesday, 3 August 2021 00:50:59 UTC