W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2013

Re: [webappsec] POLL: Getting CSP 1.1 to LCWD

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Sat, 05 Oct 2013 20:24:10 +0200
To: Glenn Adams <glenn@skynav.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <usk05952gsg7s08p1n016hiska0kcgmd6r@hive.bjoern.hoehrmann.de>
* Glenn Adams wrote:
>On Sat, Oct 5, 2013 at 3:33 AM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
>> The text in question is a normative requirement. Doing otherwise has
>> a potential for causing harm and so it has to be a requirement, too.
>
>It is a normative recommendation (SHOULD NOT), not a normative requirement
>(SHALL NOT).

That is a common misconception among novices. The draft does not use the
phrase informally with its ordinary english meaning, but rather uses the
terms as defined in RFC 2119, which formally defines various keywords to
indicate requirement levels. A RFC2119 "SHOULD" signifies a SHOULD-level
requirement, and failing to meet a SHOULD-level requirement means an im-
plementation is not unconditionally conforming even if it meets all the
absolute requirements of a protocol; failing to heed a "recommendation"
in an informal sense has no implications on conformance. Accordingly, I
call them requirements, as is customary in organisations using RFC 2119:

  https://www.google.com/search?q=%22should-level+requirement%22+site%3Aietf.org
  https://www.google.com/search?q=%22should-level+requirement%22+site%3Aw3.org

I hope this clears up your confusion.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Saturday, 5 October 2013 18:24:34 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:03 UTC