- From: The IESG <iesg-secretary@ietf.org>
- Date: Thu, 18 Sep 2025 13:31:57 -0700
- To: "IETF-Announce" <ietf-announce@ietf.org>
- Cc: The IESG <iesg@ietf.org>, draft-ietf-httpbis-optimistic-upgrade@ietf.org, httpbis-chairs@ietf.org, ietf-http-wg@w3.org, mbishop@evequefou.be, rfc-editor@rfc-editor.org, tpauly@apple.com
The IESG has approved the following document:

- 'Security Considerations for Optimistic Protocol Transitions in HTTP/1.1' (draft-ietf-httpbis-optimistic-upgrade-06.txt) as Proposed Standard

This document is the product of the HTTP Working Group.

The IESG contact persons are Gorry Fairhurst and Mike Bishop.

A URL of this Internet-Draft is: https://datatracker.ietf.org/doc/draft-ietf-httpbis-optimistic-upgrade/

Technical Summary

In HTTP/1.1, the client can request a change to a new protocol on the existing connection. This document discusses the security considerations that apply to data sent by the client before this request is confirmed, and updates RFC 9112 and RFC 9298 to avoid related security issues.

Working Group Summary

The working group discussed the document at several meetings and had a few thorough reviews. The main point of tension is that one of the recommended mitigations has the potential to significantly impact performance in some scenarios; the best-performing mitigation, of course, is to move to modern HTTP versions.

Document Quality

This is not an implementable protocol in itself, but expanded Security Considerations based on learnings from using HTTP in the real world. The recommended mitigations are based on what many implementations already do.

Personnel

The Document Shepherd for this document is Tommy Pauly. The Responsible Area Director is Mike Bishop.

Received on Thursday, 18 September 2025 20:32:01 UTC