Hi Carsten,

On Wed, Sep 25, 2019, at 2:04 PM, Carsten Bormann wrote:
> Hi Stephen,
>
> thank you for this review.
>
> On Sep 6, 2019, at 19:55, Stephen Kent via Datatracker <noreply@xxxxxxxx> wrote:
> >
> > The second paragraph of the Security Considerations section reminds the
> > reader that decoders (parsers) ought to be designed with the understanding that
> > inputs are untrusted – good advice. I’d be happier if the final sentence
> > changed “must” to “MUST” to reinforce this admonition.
>
> Here I have a question: It seemed to me that we generally try to avoid
> putting BCP14 keywords into security considerations sections — after
> all, the interoperability requirements should be handled in the actual
> protocol definition, not in the security considerations after the fact.

I think use of RFC 2119 keywords in the Security Considerations is fine, as implementors should read the whole document. If a particular requirement is really important, it can be moved to a separate section and referenced in the Security Considerations.

> This MUST would be an implementation requirement. Is this something we
> want to do in a security considerations section? RFC 3552 appears to
> be silent about this.
>
> (I’m also asking this because we are in the process of revising RFC
> 7049, which would then raise the same question in its security
> considerations section.)

Best Regards,
Alexey