
Re: [ldapext] Re: Review of draft-wahl-ldap-adminaddr

On May 30, 2007, at 9:36 AM, Mark Wahl wrote:

Kurt Zeilenga wrote:
I reviewed this draft on behalf of the Apps Area Review team and the LDAP Directorate.

Thanks for your comments on these drafts! I'll be reviewing your emails and will respond shortly with more details.

I do find the uses of SHOULD in the Security Consideration section kind of odd. Use
of RFC 2119 keywords should be limited to specification of implementation requirements.

If so, then RFC 2119 should be revised to incorporate that limitation,
as I don't see that stated in 2119, and I observe in recently published
proposed standard RFCs the use of RFC 2119 terminology in the security
considerations sections to make statements beyond implementation
requirements, e.g., RFC 4875 "Specifications of applications within the
IETF MUST specify this mechanism" or RFC 4872 "RSVP signaling MUST be
able to provide authentication and integrity".

There are plenty of examples of RFC 2119 keywords being oddly used...
(including RFC 2119 itself). As I wasn't intending to start a debate on
use of RFC 2119 keywords, I suggest you can take my RFC 2119 comments as
indicating a concern that the document may not be clear as to whom its
requirements are placed upon. For instance,

"The server's access control policy SHOULD allow this information to
be visible to a suitable administrator in the same organization."

can be taken to mean:

"The server SHOULD restrict allowable access control policies to those
which cause this information to be visible to suitable administrators in
the same organization."

Which, if implemented in a server, would be quite bad.

To avoid such confusion, I recommend you only use RFC 2119 keywords to impart
requirements upon implementations of the specification and to word recommendations
to server administrators as guidance.


-- Kurt


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext