[secdir] secdir review of draft-bryan-http-digest-algorithm-values-update-03

Radia Perlman <Radia.Perlman@Sun.COM> Sat, 19 December 2009 03:43 UTC

Return-Path: <Radia.Perlman@Sun.COM>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id 27C5C3A686D; Fri, 18 Dec 2009 19:43:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.753
X-Spam-Status: No, score=-4.753 tagged_above=-999 required=5 tests=[AWL=1.293, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id F+GQ7TBCSonH; Fri, 18 Dec 2009 19:43:47 -0800 (PST)
Received: from sca-es-mail-1.sun.com (sca-es-mail-1.Sun.COM []) by core3.amsl.com (Postfix) with ESMTP id 52D3E3A6829; Fri, 18 Dec 2009 19:43:47 -0800 (PST)
Received: from fe-sfbay-09.sun.com ([]) by sca-es-mail-1.sun.com (8.13.7+Sun/8.12.9) with ESMTP id nBJ3hWpQ008585; Fri, 18 Dec 2009 19:43:32 -0800 (PST)
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: text/plain; CHARSET=US-ASCII; format=flowed
Received: from conversion-daemon.fe-sfbay-09.sun.com by fe-sfbay-09.sun.com (Sun Java(tm) System Messaging Server 7u2-7.04 64bit (built Jul 2 2009)) id <0KUV00300RCAAV00@fe-sfbay-09.sun.com>; Fri, 18 Dec 2009 19:43:32 -0800 (PST)
Received: from [] ([unknown] []) by fe-sfbay-09.sun.com (Sun Java(tm) System Messaging Server 7u2-7.04 64bit (built Jul 2 2009)) with ESMTPSA id <0KUV006JIROJOG90@fe-sfbay-09.sun.com>; Fri, 18 Dec 2009 19:43:32 -0800 (PST)
Date: Fri, 18 Dec 2009 19:42:00 -0800
From: Radia Perlman <Radia.Perlman@Sun.COM>
Sender: Radia.Perlman@Sun.COM
To: iesg@ietf.org, secdir@ietf.org, anthonybryan@gmail.com
Message-id: <4B2C4B88.2030604@sun.com>
User-Agent: Thunderbird (Windows/20090812)
Subject: [secdir] secdir review of draft-bryan-http-digest-algorithm-values-update-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Dec 2009 03:43:48 -0000

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

This document just updates the HTTP digest algorithm values, and as such 
doesn't really have security

First a question...this isn't a cryptographic checksum, and it might be 
nice if the document said what
its purpose is. I assume it's for caching, so that you can quickly check 
if a page has changed?

Now not to pick on this spec, but perhaps something IETF might
consider, two issues:

Terminology issue: even though people routinely use the terminology 
"SHA-256", perhaps it's time to also include
the version of SHA, as in SHA-2-256, since other versions of SHA might 
have overlapping sizes with
SHA-1 and SHA-256.

And having a registry for each algorithm for each protocol seems 
unwieldly---each time a new algorithm happens,
does it mean a bunch of specs have to come out with an update document 
like this one? Could it instead
be a single registry that all specs point to?