On Nov 29, 2023, at 08:57, Michael Richardson <[email protected]> wrote:
>
> Michael Jones <[email protected]> wrote:
>> is only used to impose normative requirements in the main body of the
>> specification and not in the Privacy Considerations or Security
>> Considerations, which are just that: things to consider - not normative
>> requirements.
>
> I also think it's bad form to make implementers find the MUSTs in the
> considerations. They should be in the main body, and just referred to in the
> Considerations.
> "Because we do XYZ (Section ABC), we are therefore immune to attacks by
> giant spiders"

I think MUSTs can be fine in the security considerations, e.g. “random MUST be from a secure source”, but a protocol document should be fully implementable without reading any Considerations section. These sections are additional advice to implementors.

Paul
