Hi Cigdem, On Thu, Mar 10, 2022 at 12:54 AM Cigdem Sengul <[email protected]> wrote:
> Thank you for your review. Our thinking was as Ben explained. > In the draft, we used MUST/MUST NOT for the behaviour that affected > security, and SHOULD for desired behaviour. > This doesn't match my understanding of how BCP 14 is supposed to be used. MUST describes something obligatory for either interoperability, security, or operational reasons, and SHOULD is something where the implementer has limited discretion; when using SHOULD (or SHOULD NOT), it's desirable to include text describing when one might legitimately do something other than what's being stated. In this particular case, what I'm reading is paraphrased as: "In this situation, there's exactly one thing you can legitimately do within this protocol, and you SHOULD do that." This doesn't make sense to me. What Ben is saying is that there is a second option, which is to simply close the connection. If you want to leave this as a SHOULD, I suggest adding text saying exactly that. Would the following revision make it more clear: > "The Broker MUST NOT forward messages to unauthorized subscribers and > SHOULD inform them of authorisation failure. > The only way to inform the client, in this case, would be sending a > DISCONNECT packet. > Therefore, the Broker SHOULD send a DISCONNECT packet with the reason > code '0x87 (Not authorized)'. " > That's also less dissonant, yes. This was just discussed with Ben on the IESG call and I'll let him guide you on which change is more aligned with what you're trying to do. -MSK
_______________________________________________ Ace mailing list [email protected] https://www.ietf.org/mailman/listinfo/ace
