Re: [Last-Call] Secdir last call review of draft-ietf-httpbis-bcp56bis-12

See:
  https://github.com/httpwg/http-extensions/commit/9f3c2faa3

This fits in with the overall approach of the document -- as a BCP, we're shying away from placing requirements on implementations. 

Cheers,


> On 4 Aug 2021, at 9:21 am, Mark Nottingham <mnot@xxxxxxxx> wrote:
> 
> 
> 
>> On 4 Aug 2021, at 2:46 am, Joseph Salowey <joe@xxxxxxxxxxx> wrote:
>> 
>> Would you be comfortable if we just removed the discussion of digest and MD5 completely, and deferred action to an (eventual) update of 7616?
>> 
>> 
>> [Joe]  The document is already down the path of adding normative language around 7616 by requiring a secure channel just when using digest MD5.   This guidance doesn't seem specific to the APIs case.  Why can't the document improve the normative guidance to update to MUST NOT use MD5 and MUST use a secure channel with digest?  
> 
> The proposal was to remove discussion of MD5 *and* digest, deferring to 7616 (and an eventual update).
> 
> --
> Mark Nottingham   https://www.mnot.net/
> 
> 

--
Mark Nottingham   https://www.mnot.net/

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call


