Technical Summary:
This document updates advice to applications on how to use HTTP as a substrate for defining APIs. The previous guidance was from 2002, so this document does a lot to incorporate our learnings over the past 20 years.
Working Group Summary:
This document has been in the working group for quite a while now, as it was held for submission alongside the new HTTP core document revision. In general, there is good consensus. The one discussion point raised in the WGLC that had somewhat rougher consensus concerned the level of normative requirement for two issues: whether use of HTTPS (HTTP with TLS) is RECOMMENDED or a MUST, and whether use of HTTPS is a MUST for all authentication types. Some WG members do not want to make this more strict, since not all use cases for HTTP need or can use TLS; others believe that the use case addressed by this document (HTTP APIs over the Internet) is specific enough that the security requirement is appropriate.
Document Quality:
The document is well-written and carefully reviewed.
Personnel:
Shepherd: Tommy Pauly
Responsible AD: Francesca Palombini