- From: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Date: Mon, 26 Apr 2021 08:59:00 +0000
- To: Willy Tarreau <w@1wt.eu>
- cc: Mark Nottingham <mnot@mnot.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
-------- Willy Tarreau writes: > Imagine a service used to retrieve signatures of package updates, it's > possible that such signatures are implicitly controllable (e.g. PGP), This is actually a very on-point use-case: Most FOSS projects cannot afford CDN's and release-day traffic can be brutal. Using HTTP and allowing sensible client-side caching is a good solution since it allows end-user sites to loft a Squid for just that. However, I'm not sure to what extent this really comes under BCP56bis, since it is usually just "dumb file download". > I really think that a strong recommendation is better, or even a SHOULD > (i.e. it's the expected way of doing it, unless there is a good reason > not to). MUST forces violations when there is a good reason that a spec > authors couldn't imagine, and I don't like encouraging violations. Agreed. Mandating HTTPS where it does not belong is not good policy. -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence.
Received on Monday, 26 April 2021 08:59:17 UTC