- From: Chris Weber <chris@lookout.net>
- Date: Sat, 10 Dec 2011 12:20:56 -0800
- To: Peter Saint-Andre <stpeter@stpeter.im>
- CC: public-iri@w3.org, dthaler@microsoft.com
On 12/9/2011 10:41 AM, Peter Saint-Andre wrote:
> <hat type='individual'/>
>
> On 11/16/11 7:15 PM, iri issue tracker wrote:
>> #107: Clarify requirement for security considerations
>>
>> Section 4 (Guidelines for Provisional URI/IRI Scheme Registration) allows
>> registration by third parties (even if not
>> on behalf of those who created the scheme). While many of the required
>> pieces of information are "SHOULD"s, it says:
>> "A valid Security Considerations section, as required by Section 6
>> of [RFC5226]."
>>
>> If the third party does not have access to the spec (e.g., because it's
>> owned by an SDO or company without an open spec), the third party may not
>> be able to write a "valid" security considerations section. I ran into
>> this personally.
>>
>> Need to either make it a SHOULD, or else clarify what is needed in a
>> "valid" section.
> As I recall from the meeting in Taipei, we decided that it was valid to
> say "unknown, use at your own risk".
>
> Peter

So the consensus here would be to keep this REQUIRED, and add language to Section 4 of 4395 that says something along the lines of:

When a valid Security Considerations section may not be written, e.g. because the specification is private and not open, then this section should document that reason along with the advice - "security considerations are unknown, use at your own risk."

Best regards,
Chris Weber
Received on Saturday, 10 December 2011 20:23:35 UTC