- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Tue, 6 Apr 2021 16:14:38 -0700
- To: Martin Thomson <mt@lowentropy.net>
- Cc: ietf-http-wg@w3.org
> On Apr 5, 2021, at 7:47 PM, Martin Thomson <mt@lowentropy.net> wrote:
>
> Looks good to me.
>
> A request:
>
> Section 4.4.2 says '"https" is RECOMMENDED'. I think that we can make this mandatory. I am not aware of any case today where unsecured HTTP would be appropriate. If non-compliance is necessary, I'm sure that a specification can make that case and directly address this point.

I don't see any reason to do that, unless it has become IETF practice to lie to people about how their systems work.

HTTP over localhost does not use TLS certificates, nor does HTTP over VPN, HTTP between internal datacenter hosts (most of the time), HTTP over IPsec, HTTP over third-party secured hardware, HTTP to your pre-configured local router, HTTP to your local network printer, HTTP to your smart bulbs, etc.

How do you expect people to refer to their existing network equipment that is deliberately blocking TLS? As a non-compliant option?

The Internet is a weird place, and part of keeping it weird is allowing people to make their own decisions about when end-to-end security is the function being requested by an application.

I don't have any use for BSP advice. We are better off with RFCs that recommend on the basis of actual deployment.

....Roy
Received on Tuesday, 6 April 2021 23:15:00 UTC