Re: [Last-Call] Secdir last call review of draft-ietf-httpbis-bcp56bis-12 from Mark Nottingham on 2021-08-03 (ietf-http-wg@w3.org from July to September 2021)

From: Mark Nottingham <mnot@mnot.net>
Date: Wed, 4 Aug 2021 09:21:48 +1000
To: Joseph Salowey <joe@salowey.net>
Cc: draft-ietf-httpbis-bcp56bis.all@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>, last-call@ietf.org, secdir <secdir@ietf.org>
Message-Id: <E660C2EF-51F4-41FF-A0F8-333322F53382@mnot.net>

> On 4 Aug 2021, at 2:46 am, Joseph Salowey <joe@salowey.net> wrote:
> 
> Would you be comfortable if we just removed the discussion of digest and MD5 completely, and deferred action to an (eventual) update of 7616?
> 
> 
> [Joe]  The document is already down the path of adding normative language around 7616 by requiring a secure channel just when using digest MD5.   This guidance doesn't seem specific to the APIs case.  Why can't the document improve the normative guidance to update to MUST NOT use MD5 and MUST use a secure channel with digest?  

The proposal was to remove discussion of MD5 *and* digest, deferring to 7616 (and an eventual update).

--
Mark Nottingham   https://www.mnot.net/

Received on Tuesday, 3 August 2021 23:22:10 UTC