Early Review of draft-bryan-http-digest-algorithm-values-update-
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.
This document just updates the HTTP digest algorithm values, and as such
doesn't really have security
First a question... this isn't a cryptographic checksum, and it might be
nice if the document said what its purpose is. I assume it's for caching,
so that you can quickly check if a page has changed?
Now not to pick on this spec, but perhaps something IETF might
consider, two issues:
Terminology issue: even though people routinely use the terminology
"SHA-256", perhaps it's time to also include the version of SHA, as in
SHA-2-256, since other versions of SHA might have overlapping sizes with
SHA-1 and SHA-256.
And having a registry for each algorithm for each protocol seems
unwieldy---each time a new algorithm happens, does it mean a bunch of
specs have to come out with an update document like this one? Could it
instead be a single registry that all specs point to?