[rfc-i] RFC2119 requirements language in security considerations?
paul.hoffman at vpnc.org
Thu Apr 7 07:02:22 PDT 2016
On 29 Mar 2016, at 18:16, =JeffH wrote:
> AFAICT, there is no "official" admonition against one using RFC2119
> requirements language in security/privacy considerations sections,
> 6. Security Considerations
> 6.1. Downgrade Attacks
> ..blah..blah.. The signature algorithm and key length
> used in the foobar of type "bazfratz" MUST match the parameters
> negotiated via [foo] extension.
> ..however, it's been expressed in various places on-lists and verbally
> that some reviewers will object to it, and I was just wondering
> whether there's someplace this guidance and rationale is written down
> where one can point others at it.
I don't think it is written down anywhere. This has been discussed
occasionally in security WGs, with people noting that readers often only
skim the Security Considerations section and thus might miss the
We can't prohibit giving requirements in the Security Consideration
section, but we can suggest that all requirements there be copies of
ones given earlier in the doc. That way, the skimmers won't miss
something that was really required.