Last Call Review of draft-ietf-httpbis-http2-encryption-10
review-ietf-httpbis-http2-encryption-10-genart-lc-carpenter-2017-02-25-00

Gen-ART Last Call review of draft-ietf-httpbis-http2-encryption-10

I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair.  Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at
<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Document: draft-ietf-httpbis-http2-encryption-10.txt
Reviewer: Brian Carpenter
Review Date: 2017-02-26
IETF LC End Date: 2017-03-06
IESG Telechat date: 2017-03-16 

Summary: Ready with issues
--------

Comments:
---------

Note: Category is Experimental.

Quoting the writeup:

'The primary concern voiced by dissenters has been that widespread
deployment might provide a false sense of security, slowing the
adoption of "real" HTTPS or confusing users."'

FWIW, I share that concern, even with the tag 'Experimental.'

Major issue: 
------------

The Abstract should definitely state the above concern. At the moment,
it could easily mislead the reader about the value of the solution.
I'd like to see the phrase "it is vulnerable to active attacks" in
the Abstract.

Minor issue:
------------

> 4.4.  Confusion Regarding Request Scheme
...
> Therefore, servers need to carefully examine the use of such signals
> before deploying this specification.

What does "servers" really mean here? I think it means "implementers
of server code", or maybe "operators of servers"?

Nits:
-----

> 4.1.  Security Indicators
>
>   User Agents MUST NOT provide any special security indicia when an

'Indicia' is a real word, but I think it's unknown to at least 99% of
English speakers. Why not 'indicators' again?