Peter Gutmann wrote:
>
> Martin Rex <mrex@xxxxxxx> writes:
>
> >That implementors should ignore at least half of the MUSTs and SHOULDs
> >in IETF documents, because they don't make any sense, create unnecessary
> >interop problems or are otherwise harmful -- and should not be in the
> >document in the first place?
>
> <aside>That's been the standard for PKIX RFCs for at least ten years
> (actively acknowledged by WG members), although perhaps its spread
> to other groups should be discouraged.</aside>

I fully agree. That may be attributed to the fact that a large part
of PKIX is dealing with policy issues with the objective to
prevent/prohibit interoperability.

When providing software (updates) to an installed base, it is not exactly
easy to "sell" them interoperability problems, which is one reason why
the adoption speed for some PKIX features is poor.

And then there are the serious security problems created by some of the
PKIX features themselves, like AIA (Authority Identifier Access). But
basically it applies to all URLs in certs that you can use to coerce
a server in order to perform a network access of resources according
to the desire of the presenter of the certificate.

-Martin
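
Added example, not part of the original message or of any PKIX implementation: a relying party can treat the URLs in a presented certificate as untrusted input and vet them against local policy before any fetch. The sketch below extracts the URIs from a constructed AIA extension value and applies an assumed policy (plain `http`, default port, host on a locally configured allowlist); the function names, the sample hosts and the policy itself are assumptions.

```python
from urllib.parse import urlsplit

# accessMethod OIDs from RFC 5280, as DER content bytes
NAMES = {bytes.fromhex("2b06010505073001"): "ocsp",        # 1.3.6.1.5.5.7.48.1
         bytes.fromhex("2b06010505073002"): "caIssuers"}   # 1.3.6.1.5.5.7.48.2

def tlv(tag, body):
    """DER-encode one element (short-form length only, enough for the sample)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Return (tag, value, next_pos); reject long-form or truncated elements."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("unsupported or truncated DER")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated DER")
    return buf[pos], buf[pos + 2:end], end

def aia_uris(ext_value):
    """Return [(method, uri)] from an AuthorityInfoAccessSyntax value."""
    tag, seq, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    found, pos = [], 0
    while pos < len(seq):
        _, desc, pos = read_tlv(seq, pos)        # AccessDescription
        _, method, nxt = read_tlv(desc, 0)       # accessMethod OID
        tag, loc, _ = read_tlv(desc, nxt)        # accessLocation
        if tag == 0x86:                          # [6] uniformResourceIdentifier
            found.append((NAMES.get(method, "other"), loc.decode("ascii", "replace")))
    return found

def may_fetch(uri, allowed_hosts):
    """Assumed policy: http only, no userinfo, default port, allowlisted host."""
    try:
        parts = urlsplit(uri)
        port = parts.port
    except ValueError:
        return False
    return (parts.scheme == "http" and parts.username is None
            and port in (None, 80) and parts.hostname in allowed_hosts)

def vet_aia(ext_value, allowed_hosts):
    return [(m, u, may_fetch(u, allowed_hosts)) for m, u in aia_uris(ext_value)]

# Constructed sample: one issuer URL on the allowlist, one pointing elsewhere.
SAMPLE_AIA = tlv(0x30,
    tlv(0x30, tlv(0x06, bytes.fromhex("2b06010505073002"))
              + tlv(0x86, b"http://ca.example.test/issuer.cer")) +
    tlv(0x30, tlv(0x06, bytes.fromhex("2b06010505073001"))
              + tlv(0x86, b"http://internal.example.test:8080/status")))
```

The same gate applies to CRL distribution point URLs and any other certificate field that names a network location.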