BCP56bis - remaining work

From: Mark Nottingham <mnot@mnot.net>
Date: Wed, 21 Apr 2021 12:03:01 +1000
Message-Id: <7C06B601-D7C8-4EE6-86C2-AE4CBCB5769B@mnot.net>
To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
<editor hat on>

I think we're done processing BCP56bis WGLC feedback, except for two interrelated suggestions/issues and a heads-up about editorial work.

## Requirements for Security

In <https://www.w3.org/mid/c88944cd-cd75-4050-b95d-4c689ba51106@www.fastmail.com>, Martin asks whether we can make HTTPS a MUST, rather than RECOMMENDED. 

Then, in <https://www.w3.org/mid/77ff1d27-7e06-46db-87ff-6b7d70890f26@www.fastmail.com>, Martin suggests we disallow use of *all* HTTP authentication unless the connection is secured.

There hasn't been much feedback on the second suggestion, but the first resulted in a few people objecting that it was too general. However, this BCP is for IETF standards-based HTTP APIs, not all HTTP APIs or all uses of HTTP. Given that the IETF is focused on internetworking, the examples of localhost APIs don't seem very applicable here.

Therefore, I think the best path forward is to change the RECOMMENDED to a MUST, rewording the language about client authentication to account for that. If you don't agree, please respond and state why, taking the above into account.

## Editorial improvements

I did an editorial pass in:
I believe that this doesn't make any normative changes; if anyone sees an issue, please point it out to me.


Mark Nottingham   https://www.mnot.net/
Received on Wednesday, 21 April 2021 02:03:24 UTC