[httpapi] AD Review: <draft-ietf-httpapi-privacy-03.txt> targeting publication as a BCP

Gorry Fairhurst <gorry@erg.abdn.ac.uk> Mon, 16 February 2026 15:09 UTC

To: "draft-ietf-httpapi-privacy@ietf.org" <draft-ietf-httpapi-privacy@ietf.org>, httpapi@ietf.org
CC: draft-ietf-httpbis-safe-method-w-body.chairs@ietf.org, Gorry Fairhurst <gorry@erg.abdn.ac.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/httpapi/nAOwPmgNBIvIOBmDcBT1qAs631g>

I have reviewed draft-ietf-httpapi-privacy with a view to publication as 
a BCP.

My AD comments primarily relate to the use of RFC-2119 keywords and 
seeking only clarification. I do not expect this will be difficult and 
look forward to a new revision:

(1)
Nit: "Some deployments may not find it feasible to completely block 
unencrypted connections".
- This is obviously lower case, but since there is a very similar later 
sentence that specifies an RFC2119 keyword to explain something else, I'd 
suggest to change /may not/might not/
... especially since "may not" can be misread easily across the wider 
English-speaking community.

(2)

RFC-2119: The recommendations in 3.1 provide two clauses that use 
"SHOULD", and do clarify what is intended, thanks. However, they do not 
currently describe the sort of risk(s) when the recommendation is not 
followed - which I'd expect in a BCP.

Please provide a sentence that explains this for each clause.

(3)

REF: Please could you add a reference for the "Authorization header".

---

Best wishes,

Gorry

(Responsible AD for this draft since M Bishop has recused)