Re: Re-WGLC for BCP65bis

Looks good to me.

A request:

Section 4.4.2 says " "https" is RECOMMENDED".  I think that we can make this mandatory.  I am not aware of any case today where unsecured HTTP would be appropriate.  If non-compliance is necessary, I'm sure that a specification can make that case and directly address this point.

A minor note:

Section 4.3 talks about certificates as being something special that APIs need to address.  I would instead invert this and suggest that an advantage of using HTTP is the ability to rely on the WebPKI (Section 3.3 could say "Integration with TLS and the Web PKI" and be more accurate).

For this context, I think that what you want to establish here is the divergence from normal.  It's entirely appropriate to establish your own trust anchors here.  That would NOT make your protocol a different protocol in quite the same way as other divergences do.  However, it does diminish that benefit and requires careful specification.  Yes, redirection is just something you need to accept and you probably want to default to not using cookies.  However, as it relates to Web PKI, we're now assuming it rather than actively deciding to use it.

I think that's consistent with the rest of the advice, which is mostly "use the same HTTP as everyone else unless you are sure that you need something different".

On Fri, Apr 2, 2021, at 04:31, Tommy Pauly wrote:
> Hello all,
> 
> Now that the core documents have been completed, it’s time for us to 
> un-park draft-ietf-httpbis-bcp56bis and progress it along towards 
> publication.
> 
> However, you may note that it’s been a couple years since our last 
> working group last call on this document, so I’d like to have the WG 
> take another quick review of the document before moving it along. It 
> has a few updates, which largely get it in line with the core documents.
> 
> The current version is here:
> https://www.ietf.org/archive/id/draft-ietf-httpbis-bcp56bis-11.html
> 
> You can see a diff between the older version here:
> https://tools.ietf.org/rfcdiff?difftype=--hwdiff&url2=draft-ietf-httpbis-bcp56bis-11.txt
> 
> Please reply to this email to indicate if you think this document is 
> ready to progress, or if you have any review comments. We’d like 
> feedback by *April 12, 2021*.
> 
> Best,
> Tommy

Received on Tuesday, 6 April 2021 02:48:28 UTC