Hi, I am fine with Daniel's change to the DTLS profile (which wants to add motivation on why the DTLS profile is RECOMMENDED), and prefer Göran's formulation to the Ace framework.
I had to think about it and figured out where the different interpretations come from, and hence what needs to be clarified: "Profiles MUST specify a communication security protocol that provides the features required above." Russ reads this sentence as: one (and only one) protocol MUST be specified *and used* between Client and AS. I (and others) read this sentence as: (at least) one protocol fulfilling the security requirements MUST be specified in the profile. (and as a consequence: One and only one of these protocols specified in the profile MUST be used between client and AS) I think Göran's modification clarifies the above, but hopefully Russ can let us know how to make his even clearer. Francesca On 11/02/2021, 12:35, "Stefanie Gerdes" <ger...@tzi.de> wrote: On 02/11/2021 04:26 AM, Daniel Migault wrote: > > OLD: section 6.2 > "Profiles MUST specify how communication security according > to the requirements in Section 5 is provided." > NEW: > section 6.2 is focused on security but the security requirements are > provided in section 5. We may simply remove this sentence. > > OLD section 5. > "Profiles MUST specify a communication security protocol that provides > the features required above." > NEW: > Profiles MUST provide some recommendation on protocols used to establish > these communications. > These communications MUST meet these security requirements. As > communications meeting these requirements may be established in multiple > ways, profiles MUST provide some recommendations as to favor > interoperability. In most cases the recommendations aim at limiting the > number of libraries the client has to support. > The reason that this requirement on the profiles was included in the framework is that the framework itself does not specify how communication security is provided. For the security of the solution it is important that the profiles fill this gap. I think that it is important to emphasize this security requirement. I therefore prefer Goeran's proposals: Proposal 1 (Section 6.2): OLD "Profiles MUST specify how communication security according to the requirements in Section 5 is provided." NEW "The requirements for communication security of profiles are specified in Section 5." Proposal 2 (Section 5): OLD "Profiles MUST specify a communication security protocol that provides the features required above." NEW "Profiles MUST specify at least one communication security protocol that provides the features required above." Viele Grüße Steffi _______________________________________________ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace