Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Earlier, Barry Leiba wrote, in part:
> What we're looking at here is the need for an HTTP authentication
> system that (for example) doesn't send reusable credentials,
> is less susceptible to spoofing attacks, and so on.

+1

More generally, I support the concerns raised by Stephen Farrell, 
Wes Hardaker, and others that if *any* work is to be done on HTTP, 
then improving the authentication/confidentiality properties 
ought to be a mandatory part of that work.

The IETF has LOTS of experience that if strong(er) security
mechanisms are not *required* in a WG Charter *very explicitly*,
then that work will not happen at all.

Security that works well and is practical to implement 
needs to be designed-in, not bolted-on later.

Separately, I would also like to see the known-weak cryptographic
algorithms/modes (i.e. published literature indicates that
an algorithm, a mode, or both is weak) that are included with HTTP
(as separate from being part of TLS) formally get deprecated as part 
of any HTTPbis work.   For example, the WG ought to consider
deprecating the use of the MD5, UNIXsum, and UNIXcksum algorithms
within HTTP Digests [RFC-2617] [RFC-3230].

Yours,

Ran



_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf


[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]