IETF Logo Mail Archive

[httpapi] Re: AD Review: <draft-ietf-httpapi-privacy-03.txt> targeting publication as a BCP

Gorry Fairhurst <gorry@erg.abdn.ac.uk> Mon, 16 February 2026 16:01 UTC

Return-Path: <gorry@erg.abdn.ac.uk>
X-Original-To: httpapi@mail2.ietf.org
Delivered-To: httpapi@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 06131B85F5EE; Mon, 16 Feb 2026 08:01:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=erg.abdn.ac.uk
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m1z4bUwD2eL3; Mon, 16 Feb 2026 08:01:13 -0800 (PST)
Received: from pegasus.erg.abdn.ac.uk (pegasus.erg.abdn.ac.uk [IPv6:2001:630:42:150::2]) by mail2.ietf.org (Postfix) with ESMTP id EC176B85F5E1; Mon, 16 Feb 2026 08:01:12 -0800 (PST)
Received: from [192.168.1.130] (fgrpf.plus.com [212.159.18.54]) by pegasus.erg.abdn.ac.uk (Postfix) with ESMTPSA id AB05B1B0013D; Mon, 16 Feb 2026 16:01:06 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=erg.abdn.ac.uk; s=default; t=1771257671; bh=FOqEoMedVYz3kdCWNYg5b/YBVDB8LNw6rrnac/gHjzc=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=LvFWEmE/pknjd9ZPVxloSGMGOiDFyCtQVESQNNwxhw58vxbohNo8G9qo9soCg/9Bi 7gznDcovy4/mq3o3PiuzGsKoX+vn73VbFGesgJoMg5n6jWtfQExGok5QFwJNTuZ/mM PflDVCVae/bjAR8s4UGEH5zCj7m6bwBZKw9H8hRYnthmZFEcDe3i7T59QxMHxBxSWs 4UIqxECeMzj+oY2UQh31w8ZHbosx0TRWpwI3SNBg5C+e/roUuIILWzXimMyazJ9aqw pwicUw8Un31b+VtJ6JxhRzUcDYNOuiI7tDzjgemYvoDOllEUcHwvsC2uqmOKvAdS4m YmtpGIz15ydFw==
Content-Type: multipart/alternative; boundary="------------dnszUOn7mZDzvRLD7cLT0Ag8"
Message-ID: <13e6fe4a-e2ec-46a6-9a3d-869dfe6360bf@erg.abdn.ac.uk>
Date: Mon, 16 Feb 2026 16:01:05 +0000
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-GB
To: "Salz, Rich" <rsalz@akamai.com>, "draft-ietf-httpapi-privacy@ietf.org" <draft-ietf-httpapi-privacy@ietf.org>, "httpapi@ietf.org" <httpapi@ietf.org>
References: <177124149211.768852.17881327968130278163@dt-datatracker-6ff7c68975-7k42g> <MN2PR17MB4031671396D18831FE571E3FCD6CA@MN2PR17MB4031.namprd17.prod.outlook.com> <ed19cd82-8f4d-48e2-a9d7-30dcf73537db@erg.abdn.ac.uk> <MN2PR17MB403153EBE3B80E49A4596291CD6CA@MN2PR17MB4031.namprd17.prod.outlook.com>
From: Gorry Fairhurst <gorry@erg.abdn.ac.uk>
Organization: UNIVERSITY OF ABERDEEN
In-Reply-To: <MN2PR17MB403153EBE3B80E49A4596291CD6CA@MN2PR17MB4031.namprd17.prod.outlook.com>
Message-ID-Hash: DPWOD4RS5C3PZKKDGLWWVP5G5HUJPMLQ
X-Message-ID-Hash: DPWOD4RS5C3PZKKDGLWWVP5G5HUJPMLQ
X-MailFrom: gorry@erg.abdn.ac.uk
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "draft-ietf-httpbis-safe-method-w-body.chairs@ietf.org" <draft-ietf-httpbis-safe-method-w-body.chairs@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [httpapi] Re: AD Review: <draft-ietf-httpapi-privacy-03.txt> targeting publication as a BCP
List-Id: Building Blocks for HTTP APIs <httpapi.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/httpapi/REuViV-U-FO6lp8q4sTr4f0r_ME>
List-Archive: <https://mailarchive.ietf.org/arch/browse/httpapi>
List-Help: <mailto:httpapi-request@ietf.org?subject=help>
List-Owner: <mailto:httpapi-owner@ietf.org>
List-Post: <mailto:httpapi@ietf.org>
List-Subscribe: <mailto:httpapi-join@ietf.org>
List-Unsubscribe: <mailto:httpapi-leave@ietf.org>

On 16/02/2026 15:55, Salz, Rich wrote:
> Please take a look at 
> https://github.com/ietf-wg-httpapi/httpapi-privacy/pull/16 which 
> addresses your feedback.
>
> Diff also here:
>
> ; g diff main
> diff --git a/draft-ietf-httpapi-privacy.md b/draft-ietf-httpapi-privacy.md
> index 482097c..378675d 100644
> --- a/draft-ietf-httpapi-privacy.md
> +++ b/draft-ietf-httpapi-privacy.md
> @@ -152,7 +152,7 @@ to indicate the expected usage to the client.
>  ## Disclosure Response
> -Some deployments may not find it feasible to completely block unencrypted
> +Some deployments might not find it feasible to completely block 
> unencrypted
>  connections, whether because the hostname is shared with unauthenticated
>  endpoints or for infrastructure reasons. Therefore, HTTP API servers need
>  a response for
> @@ -202,15 +202,22 @@ establishing a connection. This gives HTTP API 
> servers an opportunity
>  to provide more
>  complete information about capabilities, some of which are 
> security-relevant.
> -Clients SHOULD respect HSTS headers {{!RFC6797}} received
> +Clients SHOULD respect HSTS header fields {{!RFC6797}} received
>  from a server. This includes implementing persistent storage of HSTS 
> indications
>  received from the server.
> +Clients that do not follow either, or both, of these recommendations 
> might not
> +understand the requirements of the server and mya have their traffic 
> denied
> +upon receipt, perhaps after having exposed authentication material in
> +cleartext on the Internet.
> +
>  ## Respect Credential Restrictions
>  Clients MUST NOT send a Cookie with the Secure attribute {{RFC6265}} 
> over an
> -insecure channel. Clients MUST NOT send an Authorization header 
> containing a
> -token whose value begins with "secret-token:" over an insecure channel.
> +insecure channel.
> +
> +Clients MUST NOT send an Authorization {{?RFC7617}}, or any other
> +header field, that contains a secret token over an insecure channel.
>  ## Disallow Insecure by Default
>
Looks like a good direction, thanks - see comment on typo.

If Mike and Marius agree, then please submit an updated I-D.

Best wishes,

Gorry

v2.39.1 | Report a Bug | By Email | System Status