Re: Instance Digests in HTTP (RFC3230) from Lisa Dusseault on 2009-10-06 (ietf-http-wg@w3.org from October to December 2009)

From: Lisa Dusseault <lisa.dusseault@gmail.com>
Date: Tue, 6 Oct 2009 12:09:01 -0700
To: Nicolas Alvarez <nicolas.alvarez@gmail.com>
Cc: ietf-http-wg@w3.org
Message-ID: <ca722a9e0910061209y55d1c074n41ee4b0b6ea4666b@mail.gmail.com>

These responses do convince me why we need to add at least a couple more
digest types to the registry.  Since changes to this registry require a
specification, I can offer to shepherd that specification (it can be an
individual submission to Informational status, I'm pretty sure).

Thanks,
Lisa

On Tue, Oct 6, 2009 at 9:30 AM, Nicolas Alvarez
<nicolas.alvarez@gmail.com>wrote:

> Anthony Bryan wrote:
> > On Thu, Oct 1, 2009 at 7:22 PM, Lisa Dusseault wrote:
> >> Isn't more digest values worse for interoperability?  Is there an
> >> overriding security concern that would justify worse interoperability?
> >
> > Because there are no recent values in the registry, I see download
> > clients do this (3x variants of SHA1, 2x of other hashes):
> >
> > Want-Digest: MD5;q=0.3, MD-5;q=0.3, SHA1;q=0.8, SHA;q=0.8,
> > SHA-1;q=0.8, SHA256;q=0.9, SHA-256;q=0.9, SHA384;q=0.9, SHA-384;q=0.9,
> > SHA512;q=1, SHA-512;q=1
>
> Clearly, if we don't add SHA-1 to the registry, people will use it anyway,
> but won't decide on a single name for it. *That's* worse for
> interoperability.
>
>
>
>

Received on Tuesday, 6 October 2009 19:09:37 UTC