Re: [Cbor] Secdir telechat review of draft-ietf-cbor-sequence-01

Hi Stephen,

thank you for this review.

On Sep 6, 2019, at 19:55, Stephen Kent via Datatracker <noreply@xxxxxxxx> wrote:
> 
> The second paragraph of the Security Considerations section reminds the
> reader that decoders (parsers) ought to be designed with the understanding that
> inputs are untrusted – good advice. I’d be happier if the final sentence
> changed “must” to “MUST” to reinforce this admonition.

Here I have a question: It seemed to me that we generally try to avoid putting BCP14 keywords into security considerations sections — after all, the interoperability requirements should be handled in the actual protocol definition, not in the security considerations after the fact.

This MUST would be an implementation requirement.  Is this something we want to do in a security considerations section?  RFC 3552 appears to be silent about this.

(I’m also asking this because we are in the process of revising RFC 7049, which would then raise the same question in its security considerations section.)

Regards, Carsten




