
Perhaps we need an RFC that defines this type of approach (pages "secured" behind easily guessable URLs) as public information.


That actually seems like a good idea to me. I wonder if there isn't already one? It'd be a good symbolic source of authority on issues like this.

There could also be other RFCs covering our usage of the internet, and our expectations of what our rights are as internet users. Or perhaps stick that all in one "definitive" RFC.


Instead of actual security why not have a spec for /humans.txt which can say things like "Please don't read anything in the /secret directory."


And what would that achieve? All it's going to do is force companies to add legal boilerplate (e.g. those "this message is intended for the recipient only..." that you see in email signatures) to every imaginable place to cover their ass, meanwhile doing nothing to improve security.


Talk about no sense of humour.


As if the brilliant minds behind this website would even know what an RFC is.


The RFC would be more for future "legal" defense around this type of issue to use as evidence for support of enumerable URLs = public API.



