On Wed, Nov 20, 2019 at 10:59:32PM -0800, Rob Sayre wrote:
> On Wed, Nov 20, 2019 at 10:54 PM Benjamin Kaduk <bka...@akamai.com> wrote:
>
> > On Wed, Nov 20, 2019 at 10:35:09PM -0800, Rob Sayre wrote:
> > > On Wed, Nov 20, 2019 at 10:25 PM David Schinazi <dschinazi.i...@gmail.com> wrote:
> > >
> > > > The SHOULD from (2) is indeed not required for interoperability, but
> > > > important to ensure servers put this protection in place.
> > >
> > > In that case, this issue belongs in the Security Considerations section. I
> > > understand that the concern is valid, but a "SHOULD" in this part of the
> > > document is not the right way to communicate it.
> >
> > Is it more of a security consideration or an operational one?
>
> Since it was referred to as a "protection", I thought it was a DoS concern.
> If it's only implementation advice, that's also valid, but it doesn't call
> for 2119 SHOULD language. The document should explain the operational
> concern without using "SHOULD".

I disagree with your premise on when BCP 14 keyword usage is appropriate.
Which is to say, I think the "SHOULD" is fine for operational concerns.

-Ben