Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-httpbis-bcp56bis-12

Joseph Salowey <joe@salowey.net> Tue, 03 August 2021 16:47 UTC

From: Joseph Salowey <joe@salowey.net>
Date: Tue, 3 Aug 2021 09:46:51 -0700
Message-ID: <CAOgPGoAp_VuMe=ox=LdJD_XJqaX5fk1sX2Yt2qjec6Ywfw-NcQ@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: secdir <secdir@ietf.org>, draft-ietf-httpbis-bcp56bis.all@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>, last-call@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ahQA71qxM68ZVPnNlZ7vLBW_fZ8>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-httpbis-bcp56bis-12

On Mon, Aug 2, 2021 at 5:50 PM Mark Nottingham <mnot@mnot.net> wrote:

> Hi Joe,
>
>
> > On 3 Aug 2021, at 6:33 am, Joseph Salowey <joe@salowey.net> wrote:
> > [Joe]  I think we should deprecate MD5 in all cases and I also think you
> should treat digest as basic auth and run it over a secure channel in all
> cases.  The text update looks good.
>
> There's been some... pushback on list since:
>   https://www.w3.org/mid/2E8A6D6C-50DC-4753-916E-3AE43BBFECAE@mnot.net
>
> Would you be comfortable if we just removed the discussion of digest and
> MD5 completely, and deferred action to an (eventual) update of 7616?
>
>
[Joe]  The document is already down the path of adding normative language
around 7616 by requiring a secure channel just when using digest MD5.
This guidance doesn't seem specific to the APIs case.  Why can't
the document improve the normative guidance to update to MUST NOT use MD5
and MUST use a secure channel with digest?



> Cheers,
>
>
>
> --
> Mark Nottingham   https://www.mnot.net/
>
>
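The two rules Joe argues for above (no MD5 with Digest, and Digest only over a secure channel) can be expressed as a client-side or audit-side check on a received `WWW-Authenticate` challenge. The following is an added example, not code from the thread, the draft, or RFC 7616; it parses a single Digest challenge, applies the RFC 7616 rule that a missing `algorithm` parameter means MD5, and reports which of the two rules the challenge would violate. The challenge strings and URLs in it are constructed samples.

```python
"""Check an HTTP Digest challenge against the guidance discussed in the thread.

Added example (not part of the original message or the draft). It flags a
challenge that selects an MD5-based algorithm, explicitly or by RFC 7616's
default, and a challenge delivered over a non-https URL. All inputs below
are constructed samples.
"""
import re
from urllib.parse import urlsplit

# RFC 7616 auth-param grammar: token "=" ( token / quoted-string )
_PARAM_RE = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')

# Per RFC 7616 section 3.3, an absent algorithm parameter means MD5.
DEFAULT_ALGORITHM = "MD5"
MD5_ALGORITHMS = {"MD5", "MD5-SESS"}

# Finding codes returned by assess_digest_challenge()
FINDING_NOT_DIGEST = "not-a-digest-challenge"
FINDING_MD5 = "md5-algorithm"
FINDING_INSECURE = "insecure-channel"


def parse_digest_challenge(header_value):
    """Parse one WWW-Authenticate value. Returns a dict of lower-cased
    parameter names to values for a Digest challenge, or None if the
    challenge uses another scheme (e.g. Basic)."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    params = {}
    for match in _PARAM_RE.finditer(rest):
        name = match.group(1).lower()
        # group 2 is a quoted-string body, group 3 a bare token
        value = match.group(2) if match.group(2) is not None else match.group(3)
        params[name] = value
    return params


def assess_digest_challenge(url, header_value):
    """Return a list of finding codes for a Digest challenge received when
    requesting url. An empty list means the challenge satisfies both rules
    from the thread: no MD5, and a secure (https) channel."""
    params = parse_digest_challenge(header_value)
    if params is None:
        return [FINDING_NOT_DIGEST]
    findings = []
    algorithm = params.get("algorithm", DEFAULT_ALGORITHM)
    if algorithm.upper() in MD5_ALGORITHMS:
        findings.append(FINDING_MD5)
    if urlsplit(url).scheme.lower() != "https":
        findings.append(FINDING_INSECURE)
    return findings


if __name__ == "__main__":
    # Constructed samples: one compliant, one failing both rules.
    samples = [
        ("https://api.example/v1", 'Digest realm="api", qop="auth", '
                                   'nonce="c0nstructed", algorithm=SHA-256'),
        ("http://api.example/v1", 'Digest realm="api", qop="auth", nonce="c0nstructed"'),
    ]
    for url, challenge in samples:
        print(url, "->", assess_digest_challenge(url, challenge) or "ok")
```

The second sample has no `algorithm` parameter at all, which is the common case in deployed servers; the check treats it as MD5 because that is what RFC 7616 specifies, so a deprecation rule has to cover the default and not only an explicit `algorithm=MD5`.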