+1.
I think it is important that we have communications tools for
documenting strong minimum protocol requirements and we only have
RFC2119 to make that possible.
Yet, we need to be careful where the lack of RFC2119 upper case
wordings can be used to leverage an argument for relaxation of
existing protocols where perhaps only lower case semantics were done.
IMO, where there are multiple protocol state choices or paths and
where common sense engineering and security functionality is clear,
upper vs lower should not matter.
I will like to use an example protocol logic I am currently concern
with that could be altered due to 2119 related debates:
For protocol state condition A, you may do action B or C.
If action B is taken, you MUST do D.
So action B has 2119 language to do D. Part of the 2219 debate is
that doing action B or C are both optional.
C is not defined, although it could be said it was implied via other
indirect protocol features:
You SHOULD do E.
and in a protocol change proposal, it is now:
You SHOULD do E1 instead of E.
Well, to do E or E1, you have to do C, not B.
Now the history of this is that original drafts/specs (ones some folks
want us to ignore) did have 2119 language on whether you MAY do B or
C, and in fact in an extended augmented RFC protocol, it only allowed
for a MUST action B for protocol condition A. C was not an option (or
at least it wasn't stated) in the extended RFC technology.
The problem was the lack of an upper case MAY has provided the notion
that none of this is normative thus making the action C more possible
and action B less attractive.
By making C more possible, this makes E more plausible and now that E1
is a new recommendation and preferred feature than E, the idea of
doing action B is now watered down.
The issue is sensitive and honestly, it got to a point where one says
"Who cares!?" If they want to watered down B, so be it. You don't
need to support it protocol changes nor the newer push to the E1
recommendation.
The problem for me?
Is why is the security aspects of this do not make it obvious of what
needs to be done? We got into anal debate of 2119 language and I even
recall a few years ago where another debate of the definition of
SHOULD got a number of people labeled as 2219 illiterates by an AD.
In the example I cited, politics comes into play because you have two
industry mindsets under protocol condition A:
1) Those that believe in action B as the more secured action, and
2) Those that DO NOT believe in action B and prefer C.
There is where a person like myself is left with the idea of waiting
for WGLC to appeal changes to the protocol that will watered down
action B.
This is all due because of the lack of 2119 language that many believe
were naturally in place with just using lower case wordings.
No upper case, therefore action B is weak and that was unfair to
current implementations that only do action B as its the most secured
implementation (and less costly) action to protect users. By
allowing RFC2119 or stated arguments the protocol lacked 2119
language, weakens the protocol and makes it more complex for
implementations to consider action C which can be more harmful if
certain forms of C making it functionality equivalent (security wise)
to action B is not done (this is the added complexity).
I'm sure this is a dime a dozen story, but to me it is common to see
WG chairs, AD and other key cogs throw the proverbial 2119 book at
developers to help push specs. IMO, we need it but we also need some
common sense engineering and consideration to be done when we review
current docs. Ignoring existing implementations SHOULD not be one of
them.
--
HLS
Lou Berger wrote:
On 1/4/2013 12:15 AM, Dean Willis wrote:
...
Are we deliberately evolving our language to use RFC 2119 terms as
the principle verbs of a formal specification language?
...
My view on this has evolved over time. I used to follow the practice of
using 2219 language only for emphasis. Over time, primarily motivated
by reviewers comments and reader questions, I've migrated to the
position that 2119 language should be used whenever and wherever a point
of conformance is being made. While this may be a bit of an extreme
position, it ensures that authors, reviewers, readers, implementors,
etc. are in sync as to what is expected from an interoperable
implementation that conforms to a standard. I think the importance of
such unambiguity has increased over time as the number of implementors
and non-native English speakers in our community have increased.
I also think it's important to follow section 6 of 2119, i.e., if it's
not a point of interoperability or harmful behavior, there's no need to
use 2119 conformance language.
So, my view is now:
a) lower case usage of 2119 key words *in RFCs* means the normal English
meaning of such words, but does not place any requirement on
implementations, i.e., is purely informative text.
b) upper case usage of 2119 key words *in RFCs*, as stated in [RFC2119],
places "requirements in the specification", i.e., is conformance
language with which an implementation must follow to ensure
interoperability (or harm). (And does not = shouting as would be the
case in other contexts).
I take this view when writing and reviewing PS drafts...
Lou