Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-httpbis-bcp56bis-12

Mark Nottingham <mnot@mnot.net> Wed, 04 August 2021 01:52 UTC

From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <E660C2EF-51F4-41FF-A0F8-333322F53382@mnot.net>
Date: Wed, 4 Aug 2021 11:51:58 +1000
Cc: draft-ietf-httpbis-bcp56bis.all@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>, last-call@ietf.org, secdir <secdir@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <3BBEE7C6-238C-425D-AC8F-F4E04C38A158@mnot.net>
References: <162723422613.4754.2816752947598222075@ietfa.amsl.com> <86B9EF7F-8AC1-49A5-B33D-F9A8D5A96A45@mnot.net> <CAOgPGoB7a1-YCdvEqr_ZAdJ38GiA5HPU+T-S10jqu=C4argp5A@mail.gmail.com> <B2E6A3FD-7FAC-45A9-B37A-78CEC54A5B59@mnot.net> <CAOgPGoAp_VuMe=ox=LdJD_XJqaX5fk1sX2Yt2qjec6Ywfw-NcQ@mail.gmail.com> <E660C2EF-51F4-41FF-A0F8-333322F53382@mnot.net>
To: Joseph Salowey <joe@salowey.net>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/CUEhr7RG3sxIYZPCQJqHIRlefgQ>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-httpbis-bcp56bis-12
List-Id: Security Area Directorate <secdir.ietf.org>

See:
  https://github.com/httpwg/http-extensions/commit/9f3c2faa3

This fits in with the overall approach of the document -- as a BCP, we're shying away from placing requirements on implementations. 

Cheers,


> On 4 Aug 2021, at 9:21 am, Mark Nottingham <mnot@mnot.net> wrote:
> 
> 
> 
>> On 4 Aug 2021, at 2:46 am, Joseph Salowey <joe@salowey.net> wrote:
>> 
>> Would you be comfortable if we just removed the discussion of digest and MD5 completely, and deferred action to an (eventual) update of 7616?
>> 
>> 
>> [Joe] The document is already down the path of adding normative language around 7616 by requiring a secure channel just when using digest MD5. This guidance doesn't seem specific to the APIs case. Why can't the document improve the normative guidance to update to MUST NOT use MD5 and MUST use a secure channel with digest?
> 
> The proposal was to remove discussion of MD5 *and* digest, deferring to 7616 (and an eventual update).
> 
> --
> Mark Nottingham   https://www.mnot.net/
> 
> 

--
Mark Nottingham   https://www.mnot.net/
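The stricter rule Joe proposes in the quoted text (MUST NOT use MD5, MUST use a secure channel with Digest), written out as an added client-side policy check over an RFC 7616 challenge; this is illustration code, not part of the thread, the draft or any HTTP library. The challenge parser, the policy function, the constructed challenge strings and the SHA-256 response helper are all assumptions of this example.

```python
import hashlib
import re
from urllib.parse import urlparse

# Matches  key="quoted value"  or  key=token  inside a Digest challenge.
_PARAM_RE = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def parse_digest_challenge(header: str) -> dict:
    """Parse a WWW-Authenticate Digest challenge into a dict of parameters.

    Keys are lower-cased. An absent 'algorithm' parameter is recorded as
    MD5, because that is the default RFC 7616 assigns to it.
    """
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError(f"not a Digest challenge: {scheme!r}")
    out = {k.lower(): (q or t) for k, q, t in _PARAM_RE.findall(params)}
    out.setdefault("algorithm", "MD5")  # RFC 7616: no algorithm means MD5
    return out


def check_digest_policy(url: str, challenge: str) -> list:
    """Return the policy violations for sending Digest credentials to url.

    Policy assumed here (the stricter wording from the thread):
    MUST NOT use MD5, MUST use a secure channel (https) with Digest.
    An empty list means the challenge may be answered.
    """
    problems = []
    if urlparse(url).scheme.lower() != "https":
        problems.append("Digest credentials would be sent over a non-secure channel")
    alg = parse_digest_challenge(challenge)["algorithm"].upper()
    if alg in ("MD5", "MD5-SESS"):
        problems.append(f"challenge selects {alg}; MD5 is not permitted")
    return problems


def digest_response_sha256(method, uri, username, realm, password,
                           nonce, nc, cnonce, qop="auth") -> str:
    """RFC 7616 'response' value for algorithm=SHA-256 and qop=auth.

    Shows the non-MD5 path the policy above allows; RFC 7616 section 3.9.1
    carries an official SHA-256 test vector for comparison.
    """
    h = lambda s: hashlib.sha256(s.encode("utf-8")).hexdigest()
    ha1 = h(f"{username}:{realm}:{password}")
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
```

Running the check before answering a challenge turns the document's wording into an enforceable client decision; a server-side variant would inspect its own configured algorithm and the request's scheme instead.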