Skip to main content

Last Call Review of draft-ietf-httpbis-http2-encryption-10

Request Review of draft-ietf-httpbis-http2-encryption
Requested revision No specific revision (document currently at 11)
Type Last Call Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2017-03-06
Requested 2017-02-20
Authors Mark Nottingham , Martin Thomson
I-D last updated 2017-02-25
Completed reviews Secdir Last Call review of -10 by Charlie Kaufman (diff)
Genart Last Call review of -10 by Brian E. Carpenter (diff)
Assignment Reviewer Brian E. Carpenter
State Completed
Request Last Call review on draft-ietf-httpbis-http2-encryption by General Area Review Team (Gen-ART) Assigned
Reviewed revision 10 (document currently at 11)
Result Ready w/issues
Completed 2017-02-25
Gen-ART Last Call review of draft-ietf-httpbis-http2-encryption-10

I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair.  Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at

Document: draft-ietf-httpbis-http2-encryption-10.txt
Reviewer: Brian Carpenter
Review Date: 2017-02-26
IETF LC End Date: 2017-03-06
IESG Telechat date: 2017-03-16 

Summary: Ready with issues


Note: Category is Experimental.

Quoting the writeup:

'The primary concern voiced by dissenters has been that widespread
deployment might provide a false sense of security, slowing the
adoption of "real" HTTPS or confusing users."'

FWIW, I share that concern, even with the tag 'Experimental.'

Major issue: 

The Abstract should definitely state the above concern. At the moment,
it could easily mislead the reader about the value of the solution.
I'd like to see the phrase "it is vulnerable to active attacks" in
the Abstract.

Minor issue:

> 4.4.  Confusion Regarding Request Scheme
> Therefore, servers need to carefully examine the use of such signals
> before deploying this specification.

What does "servers" really mean here? I think it means "implementers
of server code", or maybe "operators of servers"?


> 4.1.  Security Indicators
>   User Agents MUST NOT provide any special security indicia when an

'Indicia' is a real word, but I think it's unknown to at least 99% of
English speakers. Why not 'indicators' again?