So, BCP 61's claim that MUST is for implementers and SHOULD is for users is always something I've interpreted as non-normative and additional explanation of RFC 2199. Well, I' guess it is normative in that we do not for security reasons require that security be used. I certainly think reviewing the musts and shoulds in this case is fine, but if the authors believe they used the right word, then leave the text. If there is a problem we can clean it up during iesg evaluation. _______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf