
Re: BCP56bis - remaining work

From: Poul-Henning Kamp <phk@phk.freebsd.dk>
Date: Mon, 26 Apr 2021 08:59:00 +0000
To: Willy Tarreau <w@1wt.eu>
cc: Mark Nottingham <mnot@mnot.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-ID: <59082.1619427540@critter.freebsd.dk>
--------
Willy Tarreau writes:

> Imagine a service used to retrieve signatures of package updates, it's
> possible that such signatures are implicitly controllable (e.g. PGP),

This is actually a very on-point use-case:  Most FOSS projects cannot
afford CDNs and release-day traffic can be brutal.

Using HTTP and allowing sensible client-side caching is a good solution
since it allows end-user sites to loft a Squid for just that.

However, I'm not sure to what extent this really comes under BCP56bis,
since it is usually just "dumb file download".

> I really think that a strong recommendation is better, or even a SHOULD
> (i.e. it's the expected way of doing it, unless there is a good reason
> not to). MUST forces violations when there is a good reason that a spec
> author couldn't imagine, and I don't like encouraging violations.

Agreed.

Mandating HTTPS where it does not belong is not good policy.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
Received on Monday, 26 April 2021 08:59:17 UTC
