Gen-ART Last Call review of draft-ietf-httpbis-http2-encryption-10

I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair. Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at .

Document: draft-ietf-httpbis-http2-encryption-10.txt
Reviewer: Brian Carpenter
Review Date: 2017-02-26
IETF LC End Date: 2017-03-06
IESG Telechat date: 2017-03-16

Summary: Ready with issues
--------

Comments:
---------

Note: Category is Experimental.

Quoting the writeup:
'The primary concern voiced by dissenters has been that widespread deployment
might provide a false sense of security, slowing the adoption of "real" HTTPS
or confusing users."'

FWIW, I share that concern, even with the tag 'Experimental.'

Major issue:
------------

The Abstract should definitely state the above concern. At the moment, it could
easily mislead the reader about the value of the solution. I'd like to see
the phrase "it is vulnerable to active attacks" in the Abstract.

Minor issue:
------------

> 4.4. Confusion Regarding Request Scheme
...
> Therefore, servers need to carefully examine the use of such signals
> before deploying this specification.

What does "servers" really mean here? I think it means "implementers of
server code", or maybe "operators of servers"?

Nits:
-----

> 4.1. Security Indicators
>
> User Agents MUST NOT provide any special security indicia when an

'Indicia' is a real word, but I think it's unknown to at least 99% of
English speakers. Why not 'indicators' again?