Ben,

O...
How about a distinction in compliance? That is, you can say you comply
to RFC xyzw if you implement it, but to say you _securely_ comply, you
have to switch on the MTUFS (mandatory to use for security) and switch
off MTNUFS (mandatory to not use for security) features in the RFC.
Some RFCs could only have a secure compliance mode, of course.

That way, those who argue that the security is too expensive/not
needed for their use case can disable it, but then can't claim that
they're secure (regardless of the name of the RFC :-).

So, in TLS, for example, secure compliance might consist of TLS 1.2 +
AEAD modes only (note: really an example, not an actual proposal).

That's a novel suggestion, a clever way to try to thread the needle!
But, for many, many years we've had trouble getting the broader community to
recognize that not all RFCs are standards. I doubt that the distinction
you suggest would be better understood.

Steve
_______________________________________________
perpass mailing list
perpass@ietf.org
https://www.ietf.org/mailman/listinfo/perpass