On Jun 17, 2017, at 10:18, Petr Špaček <petr.spacek@xxxxxx> wrote: > > > This is exactly the point where our opinions differ. > My point of view is that specification should clearly define extension > points and implementations should: > a) Use Postel's principle within defined 'extension' points. > b) Treat any deviation from documented protocol (including non-defined > aspects of protocol outside of extension points) as an error. So abort all your HTML pages from loading? b) is an error that should be handled in a Postel way and the RFC should be updated to address the issue. Then maybe years down the line you can be more strict on the failure. Also the consequences of being strict can be worse. Should a TLS connection fail if the nonce size for the integrity algorithm is too weak? Will the result be a retry using plaintext offers greater risks? What if the connection is for a public webpage? What if it is for a nuclear control channel? if things were an easy black and white, we wouldn't have this discussion every couple of years. Paul