See: https://github.com/httpwg/http-extensions/commit/9f3c2faa3 This fits in with the overall approach of the document -- as a BCP, we're shying away from placing requirements on implementations. Cheers, > On 4 Aug 2021, at 9:21 am, Mark Nottingham <mnot@xxxxxxxx> wrote: > > > >> On 4 Aug 2021, at 2:46 am, Joseph Salowey <joe@xxxxxxxxxxx> wrote: >> >> Would you be comfortable if we just removed the discussion of digest and MD5 completely, and deferred action to an (eventual) update of 7616? >> >> >> [Joe] The document is already down the path of adding normative language around 7616 by requiring a secure channel just when using digest MD5. This guidance doesn't seem specific to the APIs case. Why can't the document improve the normative guidance to update to MUST NOT use MD5 and MUST use a secure channel with digest? > > The proposal was to remove discussion of MD5 *and* digest, deferring to 7616 (and an eventual update). > > -- > Mark Nottingham https://www.mnot.net/ > > -- Mark Nottingham https://www.mnot.net/ -- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call