I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

The summary of the review is Ready (with one question below).

The only question I have is on this paragraph in the Security Considerations section:

"In the case that a zone identifier contains the hexadecimal MAC address of a network interface, it will be revealed to the HTTP recipient and to any observer on the link. Since the MAC address will also be visible in the underlying layer 2 frame, this is not a new exposure. Nevertheless, this method of naming interfaces might be considered to be a privacy issue."

Modern operating systems have the ability to randomize MAC addresses for privacy reasons. The Security Considerations section doesn't mention this practice, and I'm wondering if it should and, in particular, if the section above is impacted by this practice.

Other than that, I find the document well written and a good attempt to describe the various challenges in this space. Well done!