On Feb 18, 2015, at 11:16 AM, Peter Saint-Andre - &yet <pe...@andyet.net> wrote:
> On 2/18/15 11:53 AM, Pete Resnick wrote: >> On 2/18/15 5:07 AM, Leif Johansson wrote: >>> The idea of making best practice sorta-kinda normative makes me a bit >>> queasy. >> >> Let's not forget that a BCP *is* a community consensus document. It >> means that the IETF community has decided that we do things a particular >> way. A BCP *is* normative. >> >> I think it's quite reasonable for the document to say, "MUST NOT >> negotiate SSLv2" because doing otherwise causes harm to implementations >> and to the net in general. There are no Internet police. If you violate >> that MUST NOT, you don't go to jail. We're simply saying that they way >> to do security properly on the Internet is that you MUST NOT use SSLv2. >> >> So I don't have a problem with the document saying, "Existing protocols >> have tradeoffs to make between interoperability and security, so we (the >> IETF) expect those tradeoffs to be made. New protocols we (the IETF) >> expect to abide by the requirements and recommendations in this document >> unless they give some serious justification for not doing so." That's >> what we mean by a BCP. > > Exactly. Yesterday I proposed the following text for the section on > applicability: > > This document does not modify the implementation and deployment > recommendations (e.g., mandatory-to-implement cipher suites) > prescribed by existing application protocols that employ TLS or DTLS. > If the community that uses such an application protocol wishes to > modernize its usage of TLS or DTLS to be consistent with the best > practices recommended here, it needs to publish a document that > explicitly updates the existing application protocol definition (one > example of such a document is [I-D.ietf-uta-xmpp]). > > Designers of new application protocols developed through the Internet > Standards Process are expected to conform to the best practices > recommended here, unless they provide documentation of compelling > reasons that would prevent such conformance (e.g., widespread > deployment on constrained devices that lack support for the necessary > algorithms). > > Does that meet our needs? WFM. I will clear when the rev comes through. Thanks, Alissa > > Peter > > _______________________________________________ Uta mailing list Uta@ietf.org https://www.ietf.org/mailman/listinfo/uta
