> On 18 Feb 2015, at 21:40, Alissa Cooper <ali...@cooperw.in> wrote:
> 
> 
>> On Feb 18, 2015, at 11:16 AM, Peter Saint-Andre - &yet <pe...@andyet.net> wrote:
>> 
>>> On 2/18/15 11:53 AM, Pete Resnick wrote:
>>>> On 2/18/15 5:07 AM, Leif Johansson wrote:
>>>> The idea of making best practice sorta-kinda normative makes me a bit
>>>> queasy.
>>> 
>>> Let's not forget that a BCP *is* a community consensus document. It
>>> means that the IETF community has decided that we do things a particular
>>> way. A BCP *is* normative.
>>> 
>>> I think it's quite reasonable for the document to say, "MUST NOT
>>> negotiate SSLv2" because doing otherwise causes harm to implementations
>>> and to the net in general. There are no Internet police. If you violate
>>> that MUST NOT, you don't go to jail. We're simply saying that the way
>>> to do security properly on the Internet is that you MUST NOT use SSLv2.
>>> 
>>> So I don't have a problem with the document saying, "Existing protocols
>>> have tradeoffs to make between interoperability and security, so we (the
>>> IETF) expect those tradeoffs to be made. New protocols we (the IETF)
>>> expect to abide by the requirements and recommendations in this document
>>> unless they give some serious justification for not doing so." That's
>>> what we mean by a BCP.
>> 
>> Exactly. Yesterday I proposed the following text for the section on 
>> applicability:
>> 
>>  This document does not modify the implementation and deployment
>>  recommendations (e.g., mandatory-to-implement cipher suites)
>>  prescribed by existing application protocols that employ TLS or DTLS.
>>  If the community that uses such an application protocol wishes to
>>  modernize its usage of TLS or DTLS to be consistent with the best
>>  practices recommended here, it needs to publish a document that
>>  explicitly updates the existing application protocol definition (one
>>  example of such a document is [I-D.ietf-uta-xmpp]).
>> 
>>  Designers of new application protocols developed through the Internet
>>  Standards Process are expected to conform to the best practices
>>  recommended here, unless they provide documentation of compelling
>>  reasons that would prevent such conformance (e.g., widespread
>>  deployment on constrained devices that lack support for the necessary
>>  algorithms).
>> 
>> Does that meet our needs?
> 
> WFM. I will clear when the rev comes through.

thx!

> 
> Thanks,
> Alissa
> 
>> 
>> Peter
> 

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta