Last Call Review of draft-ietf-httpbis-http2-encryption-10
review-ietf-httpbis-http2-encryption-10-genart-lc-carpenter-2017-02-25-00

Request: Review of draft-ietf-httpbis-http2-encryption
Requested rev.: no specific revision (document currently at 11)
Type: Last Call Review
Team: General Area Review Team (Gen-ART) (genart)
Deadline: 2017-03-06
Requested: 2017-02-20
Authors: Mark Nottingham, Martin Thomson
Draft last updated: 2017-02-25
Completed reviews: Secdir Last Call review of -10 by Charlie Kaufman; Genart Last Call review of -10 by Brian Carpenter
Assignment: Reviewer Brian Carpenter
State: Completed
Review: review-ietf-httpbis-http2-encryption-10-genart-lc-carpenter-2017-02-25
Reviewed rev.: 10 (document currently at 11)
Review result: Ready with Issues
Review completed: 2017-02-25

Review
review-ietf-httpbis-http2-encryption-10-genart-lc-carpenter-2017-02-25

Gen-ART Last Call review of draft-ietf-httpbis-http2-encryption-10

I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair.  Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at
<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Document: draft-ietf-httpbis-http2-encryption-10.txt
Reviewer: Brian Carpenter
Review Date: 2017-02-26
IETF LC End Date: 2017-03-06
IESG Telechat date: 2017-03-16

Summary: Ready with issues
--------

Comments:
---------

Note: Category is Experimental.

Quoting the writeup:

'The primary concern voiced by dissenters has been that widespread
deployment might provide a false sense of security, slowing the
adoption of "real" HTTPS or confusing users.'

FWIW, I share that concern, even with the tag 'Experimental.'

Major issue:
------------

The Abstract should definitely state the above concern. At the moment,
it could easily mislead the reader about the value of the solution.
I'd like to see the phrase "it is vulnerable to active attacks" in
the Abstract.

Minor issue:
------------

> 4.4.  Confusion Regarding Request Scheme
...
> Therefore, servers need to carefully examine the use of such signals
> before deploying this specification.

What does "servers" really mean here? I think it means "implementers
of server code", or maybe "operators of servers"?

Nits:
-----

> 4.1.  Security Indicators
>
>   User Agents MUST NOT provide any special security indicia when an

'Indicia' is a real word, but I think it's unknown to at least 99% of
English speakers. Why not 'indicators' again?
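The minor issue above concerns section 4.4 of the draft, where a server infers the request scheme from ambient signals (TLS on the connection, port 443) and so misclassifies an "http" request that arrived over opportunistic TLS. The following is an added illustration, not code from the review or from the draft; it assumes HTTP/2, where the client's asserted scheme is carried in the ":scheme" pseudo-header, and the request model, field names and the Secure-cookie decision are constructed for the example.

```python
# Added example (not from the review or the draft): a server-side check that
# decides whether a request is for an "https" resource. Under opportunistic
# encryption an "http" request may arrive over TLS, so ambient signals
# (TLS on the socket, port 443) misclassify it. The Request type and the
# cookie decision below are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Request:
    scheme: str       # value of the HTTP/2 ":scheme" pseudo-header
    authority: str
    over_tls: bool    # ambient signal: TLS present on the connection
    local_port: int   # ambient signal: server port the request arrived on


def is_https_by_ambient_signals(req: Request) -> bool:
    """The pattern section 4.4 warns about: infers the scheme from the stack."""
    return req.over_tls or req.local_port == 443


def is_https_by_scheme(req: Request) -> bool:
    """Uses the scheme the client actually asserted for the request."""
    return req.scheme.lower() == "https"


def misclassified(req: Request) -> bool:
    """True when the ambient signals and the asserted scheme disagree."""
    return is_https_by_ambient_signals(req) != is_https_by_scheme(req)


def set_cookie_header(req: Request, name: str, value: str) -> str:
    """Mark a cookie Secure only when the request really is an https request."""
    attrs = [f"{name}={value}", "HttpOnly"]
    if is_https_by_scheme(req):
        attrs.append("Secure")
    return "; ".join(attrs)


# Constructed sample requests: opportunistic http-over-TLS, real https, cleartext.
OPPORTUNISTIC = Request("http", "example.com", over_tls=True, local_port=443)
REAL_HTTPS = Request("https", "example.com", over_tls=True, local_port=443)
CLEARTEXT = Request("http", "example.com", over_tls=False, local_port=80)

if __name__ == "__main__":
    for req in (OPPORTUNISTIC, REAL_HTTPS, CLEARTEXT):
        print(req.scheme, req.over_tls, "misclassified" if misclassified(req) else "ok")
```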