Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-httpbis-bcp56bis-12

Joseph Salowey <joe@salowey.net> Wed, 04 August 2021 05:27 UTC

References: <162723422613.4754.2816752947598222075@ietfa.amsl.com> <86B9EF7F-8AC1-49A5-B33D-F9A8D5A96A45@mnot.net> <CAOgPGoB7a1-YCdvEqr_ZAdJ38GiA5HPU+T-S10jqu=C4argp5A@mail.gmail.com> <B2E6A3FD-7FAC-45A9-B37A-78CEC54A5B59@mnot.net> <CAOgPGoAp_VuMe=ox=LdJD_XJqaX5fk1sX2Yt2qjec6Ywfw-NcQ@mail.gmail.com> <E660C2EF-51F4-41FF-A0F8-333322F53382@mnot.net> <3BBEE7C6-238C-425D-AC8F-F4E04C38A158@mnot.net>
In-Reply-To: <3BBEE7C6-238C-425D-AC8F-F4E04C38A158@mnot.net>
From: Joseph Salowey <joe@salowey.net>
Date: Tue, 3 Aug 2021 22:27:17 -0700
Message-ID: <CAOgPGoDtJ4ZneEGZB+71Mw+bip+FFDxoGJrMfvS6GvgWyMAbzg@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: draft-ietf-httpbis-bcp56bis.all@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>, last-call@ietf.org, secdir <secdir@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Hx9p4SrWklP4SZODUnfsd9PyJ5E>

On Tue, Aug 3, 2021 at 6:52 PM Mark Nottingham <mnot@mnot.net> wrote:

> See:
>   https://github.com/httpwg/http-extensions/commit/9f3c2faa3
>
> This fits in with the overall approach of the document -- as a BCP, we're
> shying away from placing requirements on implementations.
>
>
[Joe] Thanks, this looks good.


> Cheers,
>
>
> > On 4 Aug 2021, at 9:21 am, Mark Nottingham <mnot@mnot.net> wrote:
> >
> >
> >
> >> On 4 Aug 2021, at 2:46 am, Joseph Salowey <joe@salowey.net> wrote:
> >>
> >> Would you be comfortable if we just removed the discussion of digest
> and MD5 completely, and deferred action to an (eventual) update of 7616?
> >>
> >>
> >> [Joe] The document is already down the path of adding normative
> language around 7616 by requiring a secure channel just when using digest
> MD5. This guidance doesn't seem specific to the APIs case. Why can't the
> document improve the normative guidance to update to MUST NOT use MD5 and
> MUST use a secure channel with digest?
> >
> > The proposal was to remove discussion of MD5 *and* digest, deferring to
> 7616 (and an eventual update).
> >
> > --
> > Mark Nottingham   https://www.mnot.net/
> >
> >
>
> --
> Mark Nottingham   https://www.mnot.net/
>
>
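The guidance argued over in the thread (Digest only over a secure channel, and not with MD5) as working code. This is an added example and is not part of draft-ietf-httpbis-bcp56bis, RFC 7616, or anything either correspondent wrote. It implements the RFC 7616 response computation for qop=auth on both the client and server side, and a server check that applies the policy before any hashing happens. The header parser, the `password_for` callback, the `over_tls` flag and the default of accepting only SHA-256 are assumptions of the example; nonce bookkeeping (was the nonce issued by this server, has it expired, is `nc` increasing) is deliberately left out and marked as such in the code.

```python
import hashlib
import hmac
import re
import secrets

# Hash functions RFC 7616 registers for the Digest "algorithm" parameter.
# MD5 is kept only because existing clients send it; the policy below
# refuses it by default.  (SHA-512-256 is also registered but omitted here.)
ALGORITHMS = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}


def _h(algorithm: str, data: str) -> str:
    """H(data) as lowercase hex using the named Digest algorithm."""
    return ALGORITHMS[algorithm](data.encode("utf-8")).hexdigest()


def digest_response(algorithm, username, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth"):
    """RFC 7616 section 3.4.1 with qop=auth:
    response = H( H(A1) ":" nonce ":" nc ":" cnonce ":" qop ":" H(A2) )
    where A1 = username:realm:password and A2 = method:uri."""
    ha1 = _h(algorithm, f"{username}:{realm}:{password}")
    ha2 = _h(algorithm, f"{method}:{uri}")
    return _h(algorithm, f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_challenge(realm: str, algorithm: str = "SHA-256") -> str:
    """Server side: a WWW-Authenticate value carrying a fresh random nonce."""
    nonce = secrets.token_urlsafe(32)
    return (f'Digest realm="{realm}", qop="auth", algorithm={algorithm}, '
            f'nonce="{nonce}", charset=UTF-8')


def make_authorization(algorithm, username, realm, password, method, uri,
                       nonce, nc, cnonce):
    """Client side: the Authorization header value for one request."""
    resp = digest_response(algorithm, username, realm, password, method, uri,
                           nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", uri="{uri}", '
            f'algorithm={algorithm}, nonce="{nonce}", nc={nc}, '
            f'cnonce="{cnonce}", qop=auth, response="{resp}"')


# key=value pairs, value either a quoted-string (with backslash escapes) or a token
_PARAM = re.compile(r'([A-Za-z][\w-]*)=(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_authorization(header: str) -> dict:
    """Parse 'Digest k="v", k=v, ...' into a dict; quoted values are unescaped."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    out = {}
    for m in _PARAM.finditer(params):
        key, quoted, token = m.groups()
        out[key] = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else token
    return out


def verify_authorization(header, method, request_uri, password_for, over_tls,
                         allowed_algorithms=("SHA-256",), require_tls=True):
    """Server-side check of one Authorization header. Returns (accepted, reason).

    The channel and algorithm policy is applied before any hashing, so an
    MD5 credential or a cleartext request never reaches the comparison.
    Assumed for this example: password_for(username, realm) returns the
    cleartext password (or a stored H(A1)) or None.  Not covered here:
    nonce freshness, replay detection via nc, and the opaque parameter.
    """
    if require_tls and not over_tls:
        return False, "Digest credentials are only accepted over TLS"
    p = parse_authorization(header)
    algorithm = p.get("algorithm", "MD5")  # RFC 7616: an absent algorithm means MD5
    if algorithm not in allowed_algorithms:
        return False, f"algorithm {algorithm} not permitted"
    required = ("username", "realm", "uri", "nonce", "nc", "cnonce", "qop", "response")
    missing = [k for k in required if k not in p]
    if missing:
        return False, f"missing parameters: {missing}"
    if p["qop"] != "auth":
        return False, "only qop=auth is supported here"
    if p["uri"] != request_uri:
        return False, "uri parameter does not match the request target"
    password = password_for(p["username"], p["realm"])
    if password is None:
        return False, "unknown user"
    expected = digest_response(algorithm, p["username"], p["realm"], password,
                               method, p["uri"], p["nonce"], p["nc"], p["cnonce"])
    if not hmac.compare_digest(expected, p["response"]):
        return False, "response does not verify"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values; the user/realm/password are the ones RFC 7616
    # uses in its worked example, the nonces are arbitrary here.
    users = {("Mufasa", "http-auth@example.org"): "Circle of Life"}
    nonce, cnonce = secrets.token_urlsafe(24), secrets.token_urlsafe(16)
    for alg in ("SHA-256", "MD5"):
        hdr = make_authorization(alg, "Mufasa", "http-auth@example.org",
                                 "Circle of Life", "GET", "/dir/index.html",
                                 nonce, "00000001", cnonce)
        print(alg, verify_authorization(hdr, "GET", "/dir/index.html",
                                        users.get, over_tls=True))
```

The ordering inside `verify_authorization` is the point: the transport and algorithm checks are cheap, independent of the credential, and come first, so a downgraded or cleartext attempt is refused without the server ever computing a hash over the password. Relaxing `allowed_algorithms` to include `"MD5"` is what a deployment that still has legacy clients would do, and then the `require_tls` check is the only thing standing between the MD5 digest and an on-path attacker.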