On Thu, 25 Aug 2005, Bill Sommerfeld wrote:
[normative specification is in the RFC series, vs. somewhere else and
just copied or described in an info/exp RFC]
At least to me, these two categories should be treated differently.
Can you explain why?
Cryptographic algorithms are, in general, hard to use correctly.
Security review of cryptographic protocols involves an assessment of
whether the specific algorithms used actually meet the requirements of
that protocol.
If the normative specification is done in the RFC series, I would
expect that the specification should undergo adequate review.
Informational/Experimental do not include wider IETF review (though
whether the IETF can really review these specifications is a good
question in any case), and to a degree, not necessarily even IESG
review.
The reason for "downref" rules is to prevent depending on lower
stability/quality specifications. The metric is very coarse. There
are probably good Informational/Experimental documents out there. On
the other hand, referencing the works of other SDOs normatively is
fine -- thus getting back to the point "is the normative specification
in the RFC series or somewhere else?". The "other SDO Specification"
allows value judgment on the quality of the normative specification
(e.g., a simple web page might or might not qualify).
--
Pekka Savola
Netcore Oy
Systems. Networks. Security.
"You each name yourselves king, yet the kingdom bleeds."
-- George R.R. Martin: A Clash of Kings
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf