W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2021

Re: BCP56bis - remaining work

From: Mark Nottingham <mnot@mnot.net>
Date: Mon, 26 Apr 2021 19:01:13 +1000
Cc: Willy Tarreau <w@1wt.eu>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-Id: <3227252D-5CB9-44DF-A87C-1667A628B12B@mnot.net>
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
This isn't a set of recommendations for FOSS project package updates, PHK. 

Perhaps we should take this question to the security directorate; ultimately they're going to weigh in during IETF LC anyway, and this type of policy is more in their bailiwick. 


> On 26 Apr 2021, at 6:59 pm, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
> --------
> Willy Tarreau writes:
>> Imagine a service used to retrieve signatures of package updates, it's
>> possible that such signatures are implicitly controllable (e.g. PGP),
> This is actually a very on-point use-case:  Most FOSS projects cannot
> afford CDN's and release-day traffic can be brutal.
> Using HTTP and allowing sensible client-side caching is a good solution
> since it allows end-user sites to loft a Squid for just that.
> However, I'm not sure to what extent this really comes under BCP56bis,
> since it is usually just "dumb file download".
>> I really think that a strong recommendation is better, or even a SHOULD
>> (i.e. it's the expected way of doing it, unless there is a good reason
>> not to). MUST forces violations when there is a good reason that a spec
>> authors couldn't imagine, and I don't like encouraging violations.
> Agreed.
> Mandating HTTPS where it does not belong is not good policy.
> -- 
> Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG         | TCP/IP since RFC 956
> FreeBSD committer       | BSD since 4.3-tahoe    
> Never attribute to malice what can adequately be explained by incompetence.

Mark Nottingham   https://www.mnot.net/
Received on Monday, 26 April 2021 09:01:38 UTC

This archive was generated by hypermail 2.4.0 : Monday, 26 April 2021 09:01:38 UTC