W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2021

Re: Re-WGLC for BCP65bis

From: Roy T. Fielding <fielding@gbiv.com>
Date: Tue, 6 Apr 2021 16:14:38 -0700
Cc: ietf-http-wg@w3.org
Message-Id: <5EEB40B1-B969-44D0-8153-EB56363B24FD@gbiv.com>
To: Martin Thomson <mt@lowentropy.net>
> On Apr 5, 2021, at 7:47 PM, Martin Thomson <mt@lowentropy.net> wrote:
> 
> Looks good to me.
> 
> A request:
> 
> Section 4.4.2 says " "https" is RECOMMENDED".  I think that we can make this mandatory.  I am not aware of any case today where unsecured HTTP would be appropriate.  If non-compliance is necessary, I'm sure that a specification can make that case and directly address this point.

I don't see any reason to do that, unless it has become IETF practice
to lie to people about how their systems work. HTTP over localhost
does not use TLS certificates, nor does HTTP over VPN, HTTP between
internal datacenter hosts (most of the time), HTTP over IPsec,
HTTP over third-party secured hardware, HTTP to your pre-configured
local router, HTTP to your local network printer, HTTP to your smart bulbs, etc.

How do you expect people to refer to their existing network equipment
that is deliberately blocking TLS? As a non-compliant option? The
Internet is a weird place, and part of keeping it weird is allowing
people to make their own decisions about when end-to-end security
is the function being requested by an application.

I don't have any use for BSP advice. We are better off with RFCs that
recommend on the basis of actual deployment.

....Roy
Received on Tuesday, 6 April 2021 23:15:00 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 6 April 2021 23:15:01 UTC