On Mon, Aug 2, 2021 at 5:50 PM Mark Nottingham <mnot@xxxxxxxx> wrote:
> Hi Joe,
>
> > On 3 Aug 2021, at 6:33 am, Joseph Salowey <joe@xxxxxxxxxxx> wrote:
> > [Joe] I think we should deprecate MD5 in all cases and I also think you should treat digest as basic auth and run it over a secure channel in all cases. The text update looks good.
>
> There's been some... pushback on list since:
> https://www.w3.org/mid/2E8A6D6C-50DC-4753-916E-3AE43BBFECAE@xxxxxxxx
>
> Would you be comfortable if we just removed the discussion of digest and MD5 completely, and deferred action to an (eventual) update of 7616?

[Joe] The document is already down the path of adding normative language around 7616 by requiring a secure channel just when using digest MD5. This guidance doesn't seem specific to the APIs case. Why can't the document improve the normative guidance to update to MUST NOT use MD5 and MUST use a secure channel with digest?

> Cheers,
> --
> Mark Nottingham https://www.mnot.net/
--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call