- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Mon, 2 Aug 2021 08:34:04 +0200
- To: ietf-http-wg@w3.org
On 02.08.2021 at 08:12, Mark Nottingham wrote:
> Drawing everyone's attention to <https://github.com/httpwg/http-extensions/issues/1582>:
>
> The security directorate review of BCP56bis brought up an issue: RFC7616 already places a SHOULD requirement on the use of a secure channel when Digest HTTP authentication is used. The current language in BCP56bis strengthens that to a MUST, but also weakens it to allowing an insecure channel if the hash algorithm is not "md5".
>
> I think it's uncontroversial that the requirement in BCP56bis should be at least as strong as in 7617. I suspect there's also a lot of support for strengthening it, in two ways:
>
> * Changing the SHOULD to a MUST
> * Deprecating the md5 hash algorithm
>
> However, those are both things that are not specific to HTTP APIs (the subject of BCP56bis).
>
> So, the "correct" way forward is to remove this text completely and make a *very* small document that updates 7616 with the two bullet points above.

I think that BCP56bis should stay away from this (adding non-normative prose would of course be ok).

Furthermore I believe that essentially patching standards track documents with minor changes is the wrong approach. We should collect these change requests, and eventually update these documents completely.

> ...

Best regards, Julian
Received on Monday, 2 August 2021 06:34:19 UTC