- From: Mark Nottingham <mnot@mnot.net>
- Date: Wed, 4 Aug 2021 09:21:48 +1000
- To: Joseph Salowey <joe@salowey.net>
- Cc: draft-ietf-httpbis-bcp56bis.all@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>, last-call@ietf.org, secdir <secdir@ietf.org>
> On 4 Aug 2021, at 2:46 am, Joseph Salowey <joe@salowey.net> wrote: > > Would you be comfortable if we just removed the discussion of digest and MD5 completely, and deferred action to an (eventual) update of 7616? > > > [Joe] The document is already down the path of adding normative language around 7616 by requiring a secure channel just when using digest MD5. This guidance doesn't seem specific to the APIs case. Why can't the document improve the normative guidance to update to MUST NOT use MD5 and MUST use a secure channel with digest? The proposal was to remove discussion of MD5 *and* digest, deferring to 7616 (and an eventual update). -- Mark Nottingham https://www.mnot.net/
Received on Tuesday, 3 August 2021 23:22:10 UTC