Updating RFC7616 in BCP56bis

Drawing everyone's attention to <https://github.com/httpwg/http-extensions/issues/1582>:

The security directorate review of BCP56bis brought up an issue: RFC7616 already places a SHOULD requirement on the use of a secure channel when Digest HTTP authentication is used. The current language in BCP56bis strengthens that to a MUST, but also weakens it by allowing an insecure channel if the hash algorithm is not "md5".

I think it's uncontroversial that the requirement in BCP56bis should be at least as strong as in 7617. I suspect there's also a lot of support for strengthening it, in two ways:

* Changing the SHOULD to a MUST
* Deprecating the md5 hash algorithm

However, those are both things that are not specific to HTTP APIs (the subject of BCP56bis). 

So, the "correct" way forward is to remove this text completely and make a *very* small document that updates 7616 with the two bullet points above. 

That seems like a lot of extra effort for little practical return. So the question is whether we can do those things in this document (for all uses of 7616, not just HTTP APIs), thereby updating 7616 with bcp56bis.

Does anyone object to that plan? If so, we can fall back to the "correct" way (as outlined above).

Cheers,

--
Mark Nottingham   https://www.mnot.net/

Received on Monday, 2 August 2021 06:12:45 UTC