[rfc-i] RFC2119 requirements language in security considerations?

Paul Hoffman paul.hoffman at vpnc.org
Thu Apr 7 07:02:22 PDT 2016


On 29 Mar 2016, at 18:16, =JeffH wrote:

> AFAICT, there is no "official" admonition against one using RFC2119 
> requirements language in security/privacy considerations sections, 
> e.g...
>
> ###
> 6.  Security Considerations
>
> 6.1.  Downgrade Attacks
>
>    ..blah..blah.. The signature algorithm and key length
>    used in the foobar of type "bazfratz" MUST match the parameters
>    negotiated via [foo] extension.
> ###
>
> ..however, it's been expressed in various places on-lists and verbally 
> that some reviewers will object to it, and I was just wondering 
> whether there's someplace this guidance and rationale is written down 
> where one can point others at it.

I don't think it is written down anywhere. This has been discussed 
occasionally in security WGs, with people noting that readers often only 
skim the Security Considerations section and thus might miss the 
requirements.

We can't prohibit giving requirements in the Security Considerations 
section, but we can suggest that all requirements there be copies of 
ones given earlier in the doc. That way, the skimmers won't miss 
something that was really required.

--Paul Hoffman