Hi Donald,
At 21:09 27-05-2013, Donald Eastlake wrote:
While the RFC should not be materially misleading, I don't think there
is a requirement for Informational RFCs to guarantee any particular
level or security or privacy.
Yes. In my opinion a best effort is preferable or else the Security
Considerations section in RFCs is useless.
In theory the IETF does not publish RFCs to suit the regulations of
one country (see use-case in
draft-jabley-dnsext-eui48-eui64-rrtypes-04). In practice, the IETF
has published a RFC to suit the requirements (it was a voluntary
measure instead of a formal requirement) of one country.
draft-jabley-dnsext-eui48-eui64-rrtypes-04 is an odd case. My guess
is that the requirements were set because of a problem of
monopoly. I have not looked into whether the transfer of data
violates the expectations of the user. I understand that the draft
is about standardizing [1] a data format and not the transfer of
data. Section 8 of the draft says everything correctly except that
it doesn't provide adequate security guidance.
I believe that Joe tried to do the "right thing". I am not
comfortable objecting to publication as I don't know the "path
forward". I personally would not support publication. That can
easily be overcome and I won't do anything about it.
Regards,
-sm
1. I did read Section 2 carefully.