Re: Review of draft-ietf-httpbis-http2-encryption-10

[ editor hat ]

That all seems reasonable to me; see:

  https://github.com/httpwg/http-extensions/commit/ca56fd8365
  https://github.com/httpwg/http-extensions/commit/31c11b4683

Will incorporate into the next draft when we issue.

Thanks!


> On 26 Feb 2017, at 12:20 pm, Brian Carpenter <brian.e.carpenter@gmail.com> wrote:
> 
> Reviewer: Brian Carpenter
> Review result: Ready with Issues
> 
> Gen-ART Last Call review of draft-ietf-httpbis-http2-encryption-10
> 
> I am the assigned Gen-ART reviewer for this draft. The General Area
> Review Team (Gen-ART) reviews all IETF documents being processed
> by the IESG for the IETF Chair.  Please treat these comments just
> like any other last call comments.
> 
> For more information, please see the FAQ at
> <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
> 
> Document: draft-ietf-httpbis-http2-encryption-10.txt
> Reviewer: Brian Carpenter
> Review Date: 2017-02-26
> IETF LC End Date: 2017-03-06
> IESG Telechat date: 2017-03-16 
> 
> Summary: Ready with issues
> --------
> 
> Comments:
> ---------
> 
> Note: Category is Experimental.
> 
> Quoting the writeup:
> 
> 'The primary concern voiced by dissenters has been that widespread
> deployment might provide a false sense of security, slowing the
> adoption of "real" HTTPS or confusing users.'
> 
> FWIW, I share that concern, even with the tag 'Experimental.'
> 
> Major issue: 
> ------------
> 
> The Abstract should definitely state the above concern. At the
> moment, it could easily mislead the reader about the value of the
> solution. I'd like to see the phrase "it is vulnerable to active
> attacks" in the Abstract.
> 
> Minor issue:
> ------------
> 
>> 4.4.  Confusion Regarding Request Scheme
> ...
>> Therefore, servers need to carefully examine the use of such
>> signals before deploying this specification.
> 
> What does "servers" really mean here? I think it means "implementers
> of server code", or maybe "operators of servers"?
> 
> Nits:
> -----
> 
>> 4.1.  Security Indicators
>> 
>>  User Agents MUST NOT provide any special security indicia when an
> 
> 'Indicia' is a real word, but I think it's unknown to at least 99% of
> English speakers. Why not 'indicators' again?
> 

--
Mark Nottingham   https://www.mnot.net/

Received on Monday, 27 February 2017 01:23:15 UTC