Ben Campbell has entered the following ballot position for
draft-ietf-httpbis-expect-ct-07: Yes

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thanks for this work. I'm balloting "Yes", but I have a few minor comments.

Substantive:

§2.1, step 6: Is there no room for local policy here?

§2.1.3: The guidance for max-age in the security considerations section
suggests 30 days is a good value. But the directive is specified in seconds.
Does that make sense? Would a 1 second max-age ever be reasonable? Or even 30
days + 1 second?

Editorial:

- General: This uses a non-standard section order towards the end.
Conventionally the last 2 sections should be security considerations and IANA
considerations (although the order between those two varies.)

§2.2.2: The second sentence is about UA behavior. It seems like that belongs
somewhere under §2.3.

§2.3: "SHALL be canonicalized"
By the UA? (The use of passive voice here obscures the actor.)