Re: draft-ietf-httpapi-privacy-02 early Httpdir review

Thanks for the review.


> It's hard to see why this document doesn't have a stronger requirement for
> encryption in general,

I don’t think we should expand the scope to become a general explanation of why encryption is good for you.  As it stands now, even parties that are unenthusiastic about an IETF goal to “encrypt the world” have to recognize that the rationale here — not doing so enables identity theft — is inarguable.


> "This pattern is so well established that many HTTP server and
> intermediary implementations have a prominently displayed option to
> enable it automatically."
>
> It might be good to add that it's so advantageous that browsers are considering
> switching to HTTPS by default, and extensions like HTTPS Everywhere exist.

Again this seems like broadening the scope.


> - In the Introduction, s/API/HTTP API/

Fixed


> - "Servers with authenticated endpoints SHOULD employ both mechanisms." ->
> "HTTP API servers with..." (probably elsewhere too)

Yeah, fixed about a half-dozen other instances.

> - "The client's initial request may include a Bearer token or other
> credential" - Probably good to list Cookies in there too.

Done.

Received on Thursday, 14 August 2025 16:16:38 UTC
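The last exchange above concerns the case where a client's first, cleartext request to an HTTP API already carries a credential (a Bearer token, or, as the reviewer adds, a Cookie). The example below is added here and is not code from the draft, the reviewer, or the author; it shows what a cleartext listener can determine about such a request before answering it. It parses a raw HTTP/1.1 request, reports which credential-bearing headers it contains (without retaining the values), and then chooses a response. The policy it applies, redirecting bare requests to https but refusing requests that already exposed a credential, is an assumption of this example, not text from the draft; the host name api.example and the request samples are constructed for illustration.

```python
"""Added example (not from draft-ietf-httpapi-privacy or the e-mail thread):
classify a plaintext HTTP/1.1 request by the credentials it carries so a
server or intermediary can decide how to answer it. Sample requests are
constructed for illustration only."""
from __future__ import annotations

from dataclasses import dataclass, field
from http.cookies import SimpleCookie

# Constructed sample requests, as they would arrive on a cleartext (port 80)
# listener. The token and cookie values are placeholders.
RAW_BARE = b"GET /v1/me HTTP/1.1\r\nHost: api.example\r\n\r\n"
RAW_BEARER = (b"GET /v1/me HTTP/1.1\r\nHost: api.example\r\n"
              b"Authorization: Bearer eyJhbGciOi.placeholder.sig\r\n\r\n")
RAW_COOKIE = (b"POST /v1/orders HTTP/1.1\r\nHost: api.example\r\n"
              b"Cookie: session=abc123; theme=dark\r\n"
              b"Content-Length: 0\r\n\r\n")


@dataclass
class CredentialReport:
    """What a request revealed in cleartext. Values are deliberately not kept;
    only the Authorization scheme and the cookie names are recorded."""
    auth_schemes: list[str] = field(default_factory=list)
    cookie_names: list[str] = field(default_factory=list)

    @property
    def exposed(self) -> bool:
        return bool(self.auth_schemes or self.cookie_names)


def parse_headers(raw: bytes) -> tuple[str, dict[str, list[str]]]:
    """Split a raw request into its request line and a header multimap.
    Header field names are case-insensitive, so they are lowercased here."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    request_line, headers = lines[0], {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return request_line, headers


def credential_report(raw: bytes) -> CredentialReport:
    """Report which credentials the request carried. Both Authorization
    (Bearer, Basic, ...) and Cookie count: either one, sent in cleartext, is
    readable by anyone on the network path."""
    _, headers = parse_headers(raw)
    report = CredentialReport()
    for value in headers.get("authorization", []):
        report.auth_schemes.append(value.split(None, 1)[0])
    for value in headers.get("cookie", []):
        jar = SimpleCookie()
        jar.load(value)  # parses "name=value; name2=value2" Cookie syntax
        report.cookie_names.extend(sorted(jar.keys()))
    return report


def plaintext_response(raw: bytes, host: str) -> str:
    """Choose the response for a request received on a cleartext listener.
    Policy (an assumption of this example, not the draft's text): a bare
    request is redirected to the https origin; a request that already
    carried a credential is refused, because the credential is already
    exposed and a redirect would only make the client send it again."""
    request_line, _ = parse_headers(raw)
    _method, target, _version = request_line.split(" ", 2)
    if credential_report(raw).exposed:
        return "HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n"
    return ("HTTP/1.1 308 Permanent Redirect\r\n"
            f"Location: https://{host}{target}\r\n"
            "Connection: close\r\n\r\n")


if __name__ == "__main__":
    for sample in (RAW_BARE, RAW_BEARER, RAW_COOKIE):
        print(credential_report(sample), plaintext_response(sample, "api.example").split("\r\n")[0])
```

The report is what an operator would want logged from a cleartext listener: the scheme and cookie names say which credentials need to be revoked, while omitting the values keeps the log itself from becoming a second copy of the leak.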