Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-httpbis-bcp56bis-12

Mark Nottingham <mnot@mnot.net> Tue, 03 August 2021 23:22 UTC

From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <CAOgPGoAp_VuMe=ox=LdJD_XJqaX5fk1sX2Yt2qjec6Ywfw-NcQ@mail.gmail.com>
Date: Wed, 04 Aug 2021 09:21:48 +1000
Cc: draft-ietf-httpbis-bcp56bis.all@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>, last-call@ietf.org, secdir <secdir@ietf.org>
Message-Id: <E660C2EF-51F4-41FF-A0F8-333322F53382@mnot.net>
References: <162723422613.4754.2816752947598222075@ietfa.amsl.com> <86B9EF7F-8AC1-49A5-B33D-F9A8D5A96A45@mnot.net> <CAOgPGoB7a1-YCdvEqr_ZAdJ38GiA5HPU+T-S10jqu=C4argp5A@mail.gmail.com> <B2E6A3FD-7FAC-45A9-B37A-78CEC54A5B59@mnot.net> <CAOgPGoAp_VuMe=ox=LdJD_XJqaX5fk1sX2Yt2qjec6Ywfw-NcQ@mail.gmail.com>
To: Joseph Salowey <joe@salowey.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ffyBo5J4NomidRwObtI9epfKJzk>


> On 4 Aug 2021, at 2:46 am, Joseph Salowey <joe@salowey.net> wrote:
> 
> Would you be comfortable if we just removed the discussion of digest and MD5 completely, and deferred action to an (eventual) update of 7616?
> 
> 
> [Joe] The document is already down the path of adding normative language around 7616 by requiring a secure channel just when using digest MD5. This guidance doesn't seem specific to the APIs case. Why can't the document improve the normative guidance to update to MUST NOT use MD5 and MUST use a secure channel with digest?

The proposal was to remove discussion of MD5 *and* digest, deferring to 7616 (and an eventual update).

--
Mark Nottingham   https://www.mnot.net/
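As an added example (not part of this thread, the draft, or RFC 7616), the two policies being compared above expressed as a check over a Digest challenge: the draft's rule as Joe describes it (secure channel required only when the algorithm is MD5) beside Joe's proposed rule (MUST NOT use MD5, MUST use a secure channel for any Digest use). The URL and header values are constructed; the RFC 7616 default of MD5 when the `algorithm` parameter is absent is applied.

```python
"""Check an HTTP Digest challenge against the two policies discussed in the thread."""
import re
from urllib.parse import urlsplit

# RFC 7616 auth-param: key "=" (quoted-string | token), comma separated
_PARAM_RE = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*("((?:[^"\\]|\\.)*)"|[^\s,]+)')


def parse_digest_challenge(header_value: str) -> dict:
    """Parse the auth-params of a single 'Digest ...' WWW-Authenticate value."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError(f"not a Digest challenge: {scheme!r}")
    out = {}
    for m in _PARAM_RE.finditer(params):
        key, raw, quoted = m.group(1).lower(), m.group(2), m.group(3)
        out[key] = quoted.replace('\\"', '"') if quoted is not None else raw
    return out


def check_challenge(url: str, header_value: str, strict: bool) -> list:
    """Return policy violations for a Digest challenge received at `url`.

    strict=False: the draft's current rule as described in the thread
                  (secure channel required only for MD5).
    strict=True:  the proposed rule (no MD5 at all; secure channel always).
    """
    params = parse_digest_challenge(header_value)
    # RFC 7616 s3.3: an absent algorithm parameter means MD5
    algorithm = params.get("algorithm", "MD5").upper()
    is_md5 = algorithm.split("-")[0] == "MD5"  # MD5 and MD5-sess
    secure = urlsplit(url).scheme.lower() == "https"
    violations = []
    if strict and is_md5:
        violations.append(f"algorithm {algorithm} is MD5-based (MUST NOT use MD5)")
    if not secure and (strict or is_md5):
        violations.append("Digest challenge over an insecure channel (MUST use TLS)")
    return violations


if __name__ == "__main__":
    # constructed sample: no algorithm parameter, so MD5 by default, served over http
    sample = 'Digest realm="api@example.test", nonce="abc123", qop="auth"'
    for strict in (False, True):
        print("strict" if strict else "draft", check_challenge("http://api.example.test/v1", sample, strict))
```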