
Re: Updating RFC7616 in BCP56bis

From: Julian Reschke <julian.reschke@gmx.de>
Date: Mon, 2 Aug 2021 08:34:04 +0200
To: ietf-http-wg@w3.org
Message-ID: <a5f6c5b3-00c6-77fb-7912-ff0c69f7afe2@gmx.de>
On 02.08.2021 at 08:12, Mark Nottingham wrote:
> Drawing everyone's attention to <https://github.com/httpwg/http-extensions/issues/1582>:
>
> The security directorate review of BCP56bis brought up an issue: RFC7616 already places a SHOULD requirement on the use of a secure channel when Digest HTTP authentication is used. The current language in BCP56bis strengthens that to a MUST, but also weakens it to allowing an insecure channel if the hash algorithm is not "md5".
>
> I think it's uncontroversial that the requirement in BCP56bis should be at least as strong as in 7617. I suspect there's also a lot of support for strengthening it, in two ways:
>
> * Changing the SHOULD to a MUST
> * Deprecating the md5 hash algorithm
>
> However, those are both things that are not specific to HTTP APIs (the subject of BCP56bis).
>
> So, the "correct" way forward is to remove this text completely and make a *very* small document that updates 7616 with the two bullet points above.

I think that BCP56bis should stay away from this (adding non-normative
prose would of course be ok).

Furthermore, I believe that essentially patching standards-track
documents with minor changes is the wrong approach. We should collect
these change requests, and eventually update these documents completely.

> ...

Best regards, Julian
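As an added example (not code from this thread, from BCP56bis or from RFC 7616), the following Python check evaluates a server's Digest challenge against the stricter rule Mark proposes above: a TLS channel is required regardless of the hash algorithm, and MD5 is treated as deprecated. The sample URLs and `WWW-Authenticate` values are constructed; the default of MD5 when `algorithm` is absent follows RFC 7616.

```python
import re
from urllib.parse import urlsplit

# Constructed sample challenges (origin URL -> WWW-Authenticate value); not from the page.
SAMPLE_CHALLENGES = {
    "https://api.example.test/v1/": 'Digest realm="api", qop="auth", nonce="abc123", algorithm=SHA-256',
    "http://api.example.test/v1/": 'Digest realm="api", qop="auth", nonce="abc123", algorithm=SHA-256',
    "https://api.example.test/v2/": 'Digest realm="api", qop="auth", nonce="abc123"',
}

# auth-param: token "=" ( token / quoted-string ); quoted content is kept as written (escapes not unfolded).
_PARAM_RE = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_digest_challenge(header):
    """Return the auth-params of a Digest challenge as a dict (keys lower-cased),
    or None when the challenge uses another scheme."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    params = {}
    for m in _PARAM_RE.finditer(rest):
        key = m.group(1).lower()
        value = m.group(2) if m.group(2) is not None else m.group(3)
        params[key] = value
    return params


def check_digest_policy(url, header):
    """Return a list of findings for one challenge under the stricter rule:
    MUST use a secure channel, and MD5 / MD5-sess are deprecated."""
    findings = []
    if urlsplit(url).scheme.lower() != "https":
        findings.append("insecure channel: Digest challenge offered over a non-TLS origin")
    params = parse_digest_challenge(header)
    if params is None:
        return ["not a Digest challenge"]
    # RFC 7616: when the algorithm parameter is absent, MD5 is assumed.
    algorithm = params.get("algorithm", "MD5").upper()
    if algorithm in ("MD5", "MD5-SESS"):
        findings.append(f"deprecated algorithm: {algorithm}")
    return findings


def audit(challenges):
    """Run the policy check over a mapping of origin URL -> challenge; only non-compliant entries are returned."""
    return {url: f for url, hdr in challenges.items() if (f := check_digest_policy(url, hdr))}


if __name__ == "__main__":
    for url, problems in audit(SAMPLE_CHALLENGES).items():
        print(url, "->", "; ".join(problems))
```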
Received on Monday, 2 August 2021 06:34:19 UTC
