On 2/18/15 5:07 AM, Leif Johansson wrote:
The idea of making best practice sorta-kinda normative makes me a bit
queasy.

Let's not forget that a BCP *is* a community consensus document. It means that the IETF community has decided that we do things a particular way. A BCP *is* normative.

I think it's quite reasonable for the document to say, "MUST NOT negotiate SSLv2" because doing otherwise causes harm to implementations and to the net in general. There are no Internet police. If you violate that MUST NOT, you don't go to jail. We're simply saying that the way to do security properly on the Internet is that you MUST NOT use SSLv2.

So I don't have a problem with the document saying, "Existing protocols have tradeoffs to make between interoperability and security, so we (the IETF) expect those tradeoffs to be made. New protocols we (the IETF) expect to abide by the requirements and recommendations in this document unless they give some serious justification for not doing so." That's what we mean by a BCP.

pr

--
Pete Resnick <http://www.qualcomm.com/~presnick/>
Qualcomm Technologies, Inc. - +1 (858)651-4478

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
