ietf-nntp LIST EXTENSIONS caching

Charles Lindsey chl at clerew.man.ac.uk
Mon Oct 13 17:47:47 PDT 2003


In <87d6d3kust.fsf at windlord.stanford.edu> Russ Allbery <rra at stanford.edu> writes:

>Charles Lindsey <chl at clerew.man.ac.uk> writes:

>> Actually, what you should be saying is that people who design security
>> extensions SHOULD include requirements to check the security state of the
>> link.

>This isn't the business of the base NNTP standard, I think.  That's a
>policy statement about security protocols, and is somewhat outside the
>scope of what we're writing here.

Yes, I also said I did not like normative wording in a Security
Considerations section, and therefore that SHOULD is too strong. Something
more akin to "Ought".

>It's more the sort of thing that one would put into a BCP for writing
>security RFCs.  You're not saying anything specific about NNTP; you're
>just making a general statement like "when writing security protocols,
>don't do something stupid."

Well it is usually the case that the "Security Considerations" section of
a standard is less formal than the protocol definitions. It is sort of
saying "Here are some problems that we were not able to fix by defining
protocol. But the IETF requires us to draw attention to such things, so
here they are, and here are some suggestions as to how to cope". That is
really BCP material of a sort.

So you say that security protocols potentially have some problems in this
area, and the suggestion made is for those writing security extensions to
take those problems on board.

OK, it is passing the buck, but at least you can sleep soundly at night
knowing that the buck has moved on.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Fax: +44 161 436 6133   Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5


