- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Wed, 10 Dec 2014 14:10:08 -0800
- To: Dave Garrett <davemgarrett@gmail.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>, Mark Nottingham <mnot@mnot.net>

On 10 December 2014 at 13:57, Dave Garrett <davemgarrett@gmail.com> wrote:
> 1) It is contradictory to say a security policy MUST be in place, yet MAY be
> enforced. This allows for spec violation and resultant interop problems.

I don't believe that this is a problem at all. There is a risk of interoperability failure, but that risk is only conferred to deployments that fail to comply with the MUST.

We could have avoided ALL of the MUST statements regarding feature use and ONLY included the MAY regarding INADEQUATE_SECURITY. That creates an implicit MUST on all the things the MAY covered. I don't think that would be a good idea.

This isn't legislation. Even there, there are plenty of examples of legal mandates without a supporting system of enforcement. I believe that the use of "MAY" is entirely appropriate here.

Received on Wednesday, 10 December 2014 22:10:34 UTC