Re: [webappsec] POLL: Getting CSP 1.1 to LCWD

On Sat, Oct 5, 2013 at 12:24 PM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:

> * Glenn Adams wrote:
> >On Sat, Oct 5, 2013 at 3:33 AM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
> >> The text in question is a normative requirement. Doing otherwise has
> >> a potential for causing harm and so it has to be a requirement, too.
> >
> >It is a normative recommendation (SHOULD NOT), not a normative requirement
> >(SHALL NOT).
>
> That is a common misconception among novices.


Surely you are not calling me a Novice, Bjoern. I reviewed 2119 for Scott
Bradner when he was drafting it.

In any case, I was using requirement in the conventional sense, as meaning
necessary. While you are using it in a specific technical sense. We are
both correct. And I am not confused.


> The draft does not use the
> phrase informally with its ordinary English meaning, but rather uses the
> terms as defined in RFC 2119, which formally defines various keywords to
> indicate requirement levels. A RFC2119 "SHOULD" signifies a SHOULD-level
> requirement, and failing to meet a SHOULD-level requirement means an
> implementation is not unconditionally conforming even if it meets all the
> absolute requirements of a protocol; failing to heed a "recommendation"
> in an informal sense has no implications on conformance. Accordingly, I
> call them requirements, as is customary in organisations using RFC 2119:
>
>
> https://www.google.com/search?q=%22should-level+requirement%22+site%3Aietf.org
>
> https://www.google.com/search?q=%22should-level+requirement%22+site%3Aw3.org
>
> I hope this clears up your confusion.
> --
> Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
> Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
> 25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
>

Received on Saturday, 5 October 2013 18:33:04 UTC