RE: opsec and 2119 keywords

[Pekka Savola <pekkas@netcore.fi>]

On Mon, 8 Mar 2004, George Jones wrote:
> From my reading of 2119, the usage of the keywords in the draft is
> consistent and should not introduce confusion.   If you think that's
> not true, let me know where....in general or in particular places
> in the draft.

IMHO, there is no conflict with *RFC2119* on this.  It's fully OK to 
use the keywords in this document, even if it were Informational.

On the other hand, the different question is whether we WANT to do
that.  AFAICS, this was a reason for pushback in the meeting and in
some reviews.  That is, we don't want to try to come to consensus
what's the "blessed by the IETF"  security/operational minimal feature
set.  Even further than that, if the document says "SHOULD do Foo" --
does the operator know whether the vendor does Foo or not -- it's not
a strict requirement, and the vendor could be complying with the
document, even though leaving out Foo?  In that light, just saying "we
implement [this document]" would not be sufficient for the operator to
decide whether sufficient functionality has been implemented -- and
the document would not fulfill its (current) role.

Therefore it might be better to just describe features on their own,
and use MUST/SHOULD/whatever keywords as appropriate to describe how
the specific feature should/must be implemented _if_ it is
implemented.

Then we leave it to the exercise of the operator/reader to decide
which specific features they want.

Personally, I don't have strong feelings about how this is handled, 
but I think that was a feeling of a couple of persons, at least, who 
had contributed to the effort.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings