Re: [secdir] secdir review of draft-ietf-appsawg-rrvs-header-field

Alexey Melnikov <> Thu, 20 March 2014 11:05 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 14C701A08C5; Thu, 20 Mar 2014 04:05:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.548
X-Spam-Status: No, score=-2.548 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id VKTj--dECAZE; Thu, 20 Mar 2014 04:05:04 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 9DFFF1A08BE; Thu, 20 Mar 2014 04:05:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1395313492;; s=selector;; bh=bEGSu7rqBuC56EU6AUm1Q2Qej2NXXZ4Cq+9DJnQlPiY=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=xJz9DXdY8ALrBGBs4PxE2/TAOgXFbPAxkARvlKp7q8Isn8ZkCA/tPUbHUShUVc7Jz+qog3 3RCnGm29m9FA1MXf04em6UpP9aMveXdRlGRHHetWkrPBQrmmANXcFCFEDd+ekKpnBDT2tK 47AW41VKWHCcGtZzYorrDsoBqMlxZhM=;
Received: from [] ( []) by (submission channel) via TCP with ESMTPA id <>; Thu, 20 Mar 2014 11:04:52 +0000
Message-ID: <>
Date: Thu, 20 Mar 2014 11:05:58 +0000
From: Alexey Melnikov <>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
To: Stephen Farrell <>, "Murray S. Kucherawy" <>, "Shaun Cooley (shcooley)" <>
References: <> <> <> <> <>
In-Reply-To: <>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "" <>, "" <>, "" <>
Subject: Re: [secdir] secdir review of draft-ietf-appsawg-rrvs-header-field
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 20 Mar 2014 11:05:08 -0000

On 20/03/2014 10:58, Stephen Farrell wrote:
> On 03/20/2014 08:36 AM, Murray S. Kucherawy wrote:
>> I can't recall the exact reason why it's been said that RFC2119 language
>> ought not be used in Security Considerations (or similar) prose, or which
>> document's development cycle brought it up, but my general recollection is
>> that those words were intended to convey aspects of interoperability having
>> to do with protocol elements, and not otherwise.  It would appear this
>> opinion has formed since RFC3552 was published, since obviously there's a
>> conflict between them.  But like I said, it does seem to vary depending on
>> who and when one is asking.  Could also be the person(s) who told me this
>> are actually plain wrong.
>> I'm happy to take direction from the sponsoring AD on this one.
> I'm sure you'll get that.
> FWIW, from my POV there should be no magical interactions between
> RFC section headings and RFC 2119. You should do what makes sense
> and is more clear for the reader. That can and often does include
> using e.g. a 2119 MUST in the security considerations section.
> In other words, I figure the folklore you describe above ought be
> ignored and/or corrected.
> I do not believe that's written down
> anywhere in an RFC or IESG statement,
I don't think so either.

I think the main argument against RFC 2119 language in Security 
Considerations sections is that people are not going to read them while 
implementing specs (and they might only read them later when considering 
security aspects). But I think this is nonsense.
> if you find it is, please let me know and I'll try get it fixed.