> On 18 Feb 2015, at 19:54, Pete Resnick <presn...@qti.qualcomm.com> wrote:
>
>> On 2/18/15 5:07 AM, Leif Johansson wrote:
>> The idea of making best practice sorta-kinda normative makes me a bit
>> queasy.
>
> Let's not forget that a BCP *is* a community consensus document. It means
> that the IETF community has decided that we do things a particular way. A BCP
> *is* normative.
>
> I think it's quite reasonable for the document to say, "MUST NOT negotiate
> SSLv2" because doing otherwise causes harm to implementations and to the net
> in general. There are no Internet police. If you violate that MUST NOT, you
> don't go to jail. We're simply saying that the way to do security properly
> on the Internet is that you MUST NOT use SSLv2.
>
> So I don't have a problem with the document saying, "Existing protocols have
> tradeoffs to make between interoperability and security, so we (the IETF)
> expect those tradeoffs to be made. New protocols we (the IETF) expect to
> abide by the requirements and recommendations in this document unless they
> give some serious justification for not doing so." That's what we mean by a
> BCP.
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta