On Wed, Aug 27, 2014 at 01:40:13PM -0400, Michael Richardson wrote:
> Paul Wouters <paul@xxxxxxxxx> wrote:
> >> Subject: draft-dukhovni-opportunistic-security-04
> >
> > ExecSum: The document sits between a "generic advice" and "specific
> > protocol recommendations" and accomplishes neither. The definition
> > is unclear and the used language makes this document hard to read,
> > especially for non-native English speakers.
>
> I agree, good summary of the problems.

Thanks for putting that point so clearly. I've been giving this some
thought. Here's my answer to this.

Channel binding (CB) offers some interesting parallels. We published
RFC5056 defining CB as a Proposed Standard, even though it's not a
protocol: like OS it's just a design pattern. OS, meanwhile, is aiming
for Informational status.

I believe the above question translates as: how can we justify such a
difference? Shouldn't OS be a Proposed Standard?

CB was an old, obscure, and ill-defined concept when I wrote RFC5056.
OS too isn't entirely a new concept. This makes CB and OS similar in
this sense: they are both "new" concepts.

That's where the similarities stop. CB has critical semantics: it
could only have been published as a Standards-Track RFC! OS is more
nebulous: because it applies where systems would have been willing to
use cleartext instead. We should give guidance to future protocol
designers, but we don't need to give them normative language
exactingly defining OS' semantics -- partly because we can't (see
below).

> I decided to hold my nose: it's only going to be successful in the
> first case, but the author seems bent on doing the second.

I would agree 100% with this if I thought Viktor was trying to offer
normative language in an informational vehicle. I don't think he is.
All specific details discussed in his draft are about an example
protocol (SMTP) where OS has been implemented already. We've discussed
HTTP a bit on these lists and... applying OS there is not quite as
easy as in SMTP, and will require more discussion. Thus making it
obvious that it is too soon to develop a normative definition of OS.

For me OS is just a short-hand for a set of principles. CB is a
short-hand for a set of requirements; OS is not. Therefore I think OS
should be Informational.

Now, is it worth publishing OS as Informational? IMO, yes, but if
every FYI will be this difficult to get through going forward, then
IMO we might as well stop publishing FYIs.

Nico
--