On Dec 21, 2012, at 10:45 AM, Ben Campbell <ben@xxxxxxxxxxx> wrote:

> As I responded separately to Ramakrishna, is the SHOULD use 4030 language a new requirement specific to this draft? Or is it just describing requirements in 3046 or elsewhere?

I suppose the authors should really answer this, but I was curious as well, and went looking. I think RFC4030 should have updated RFC3046 to add this as a security consideration, but it did not. However, e.g. RFC4243, RFC5010 and RFC5107 do add a similar requirement to their security considerations section, so it's probably fair to say that this has been informally adopted as appropriate practice for security considerations sections. Perhaps we should adopt the practice more formally... :)