Tijl Houtbeckers wrote:
> On Tue, 25 Oct 2005 21:18:44 +0200, Peter Saint-Andre <[EMAIL PROTECTED]> wrote:
>> Tijl Houtbeckers wrote:
>>> Of course we can say: ah well, who cares whether you can call something XMPP compliant or not. But I think the fact this discussion was started after what ralphm said, shows how unreasonable this kind of language in the RFC is.
>> Some of that stuff is in there to make the security mafia happy, which you have to do in order to get published as an RFC (it's called "cross-area review"). That was part of the trade-off of standardization through the IETF.
> They actually complained? Or was the inclusion of DIGEST-MD5 "pre-emptive"?

I don't remember the exact chronology -- it was a painful period in my life and I prefer to blank it out. :-)

>> Also, must-implement is different from must-deploy.
> And different from "Mandatory-to-Implement Technologies" as the RFC calls it? In that case, neither we nor they have to worry that Google Talk is "not fully compliant with RFC 3920." anymore. Still I think it's confusing right now, after all if even Ralph makes such a suggestion on the list.. might be something to think on for rfc3920bis.

Well, "mandatory-to-implement" means must-implement in software, but that doesn't mean that any particular deployment of that software must deploy any particular feature. My understanding is that RFCs talk about requirements for software implementation, not necessarily deployment.

>> And as noted, we can attempt to fix this stuff in rfc3920bis.
> I can hardly imagine anyone in the security mafia being happy with DIGEST-MD5 over the past 5 years. Maybe they're not as "mafia" as I thought ;)

We'll certainly bring that up when rfc3920bis is discussed.

Peter

--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml
