Re: MUSTs
See if you think this rewording helps to clarify:

2.5.1 Comply With Relevant IETF RFCs on All Protocols Implemented

Requirement. The default configuration of the device MUST fully
comply with IETF RFCs for all protocols implemented. "Compliance"
is defined in terms of [RFC2119]. The device MUST conform to the
absolute requirements. Any optional or recommended functionality
implemented MUST be in conformance with the RFC. The device MAY
provide means by which it can be configured in ways that are not
compliant with the RFCs (for instance, if conformance is
determined to be insecure).

Justification. A device must first perform its primary function
correctly. Once it is proven to perform its primary function, it
makes sense to ask if it does/can perform securely. For Internet
connected devices, compliance with RFCs provides a minimum level
of assurance that the device will function as intended and
interoperate as part of an operational network. Failure to comply
with RFCs calls correct functioning into question and makes the
determination of secure functioning a secondary concern.