[httpapi] Re: AD Review: <draft-ietf-httpapi-privacy-03.txt> targeting publication as a BCP
"Salz, Rich" <rsalz@akamai.com> Mon, 16 February 2026 15:55 UTC
From: "Salz, Rich" <rsalz@akamai.com>
To: Gorry Fairhurst <gorry@erg.abdn.ac.uk>, "draft-ietf-httpapi-privacy@ietf.org" <draft-ietf-httpapi-privacy@ietf.org>, "httpapi@ietf.org" <httpapi@ietf.org>
Date: Mon, 16 Feb 2026 15:55:32 +0000
CC: "draft-ietf-httpbis-safe-method-w-body.chairs@ietf.org" <draft-ietf-httpbis-safe-method-w-body.chairs@ietf.org>, Gorry Fairhurst <gorry@erg.abdn.ac.uk>
List-Id: Building Blocks for HTTP APIs <httpapi.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/httpapi/-EfSymGDvWGlZdn6ZTATCA6_q-k>
Please take a look at https://github.com/ietf-wg-httpapi/httpapi-privacy/pull/16 which addresses your feedback. Diff also here: ; g diff main diff --git a/draft-ietf-httpapi-privacy.md b/draft-ietf-httpapi-privacy.md index 482097c..378675d 100644 --- a/draft-ietf-httpapi-privacy.md +++ b/draft-ietf-httpapi-privacy.md @@ -152,7 +152,7 @@ to indicate the expected usage to the client. ## Disclosure Response -Some deployments may not find it feasible to completely block unencrypted +Some deployments might not find it feasible to completely block unencrypted connections, whether because the hostname is shared with unauthenticated endpoints or for infrastructure reasons. Therefore, HTTP API servers need a response for @@ -202,15 +202,22 @@ establishing a connection. This gives HTTP API servers an opportunity to provide more complete information about capabilities, some of which are security-relevant. -Clients SHOULD respect HSTS headers {{!RFC6797}} received +Clients SHOULD respect HSTS header fields {{!RFC6797}} received from a server. This includes implementing persistent storage of HSTS indications received from the server. +Clients that do not follow either, or both, of these recommendations might not +understand the requirements of the server and mya have their traffic denied +upon receipt, perhaps after having exposed authentication material in +cleartext on the Internet. + ## Respect Credential Restrictions Clients MUST NOT send a Cookie with the Secure attribute {{RFC6265}} over an -insecure channel. Clients MUST NOT send an Authorization header containing a -token whose value begins with "secret-token:" over an insecure channel. +insecure channel. + +Clients MUST NOT send an Authorization {{?RFC7617}}, or any other +header field, that contains a secret token over an insecure channel. ## Disallow Insecure by Default
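Review bot: In the second hunk, under "Respect Credential Restrictions", the rewritten MUST NOT drops the one test a client could apply mechanically (a value beginning with "secret-token:") and replaces it with "a secret token", which the visible text does not define, so an implementer cannot tell which header field values the requirement covers. Suggest defining the term, or keeping the "secret-token:" prefix as a concrete example alongside the general rule. The wording "an Authorization {{?RFC7617}}, or any other header field, that contains" attaches "header field" only to the alternative; "an Authorization header field, or any other header field, that contains a secret token" reads more clearly. The {{?RFC7617}} citation is the Basic authentication scheme specification, so it does not cover Authorization values in general. In the paragraph added after the HSTS text, "mya" should be "may", and "either, or both, of these recommendations" should name the two recommendations it means, since the hunk shows only the HSTS one in full.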