Updates to "optimistic upgrade"

The draft "Security Considerations for Optimistic Use of HTTP Upgrade" was recently adopted by the working group.  I've published a clean rename of the draft, and written Pull Requests for three changes based on feedback from the working group before and during the adoption call [1].

#2821 - Extend the draft to cover HTTP CONNECT

As Mike Bishop pointed out to me, most of the concerns in this draft, which was originally motivated by "connect-tcp", also apply to regular CONNECT in HTTP/1.1.  This change would expand the draft to cover Upgrade and CONNECT, changing the title of the draft to "Security Considerations for Optimistic Protocol Transitions in HTTP/1.1".

#2818 - Deprecate the "HTTP" and "TLS" upgrade tokens

From discussion on the list, it seems like we have consensus that "Upgrade: HTTP/2.0" is not a standards-compliant header field.  This PR amends the IANA registry [2] to make that clearer.  It also deprecates "Upgrade: TLS/1.2" and marks the corresponding RFC as Historic.

#2827 - Recommend GET for future Upgrade Tokens

This PR depends on #2818.  With those deprecations in place, all remaining Upgrade Tokens use the GET method.  This PR makes that a formal recommendation (SHOULD).

If these changes are of interest, please review them on GitHub or in this thread.  I'll also be discussing them in the Wednesday session of HTTPBIS at IETF 120.

--Ben Schwartz

[1] https://github.com/httpwg/http-extensions/pulls?q=is%3Apr+is%3Aopen+label%3Aoptimistic-upgrade
[2] https://www.iana.org/assignments/http-upgrade-tokens/http-upgrade-tokens.xhtml#:~:text=any%20DIGIT.DIGIT%20(-,e.g.%2C%20%222.0%22,-)

Received on Thursday, 11 July 2024 15:02:30 UTC