Re: MUST vs. SHOULD audit

[ho@earth.hpc.org (Hilarie Orman)]

I'm not taking much of a stand on the issue of whether or not auditing
should be required, it's more the form of the debate that is at issue.

>  > Of course interoperability is the main point of the spec, but is the
>  > discussion so far well-founded?  I'm a little confused by the
>  > responses --- most seem comfortable having the audit requirement
>  > mentioned, as long as it's "should", but a "must" is declared out of
>  > scope for a protocol specification.  That doesn't seem logical; if
>  > you're in for a "should", then you're in for a "must".

>  Well, no. There's language in the drafts for "MUST", "SHOULD", and "MAY"
>  for a reason. They're not all the same and being in for "SHOULD" does not
>  make you in for "MUST".

No, I'm just saying that if a sentence containing "should" is in scope
then "must" also would be in scope.

>  > I can appreciate the reasons for the "should" preference on grounds of
>  > scope, but maybe the requirements for security protocol
>  > implementations "should" be more stringent.  Not so stringent as to
>  > constitute denial of solution, but something more than an SEP* nod to
>  > security technology that is not evident on-the-wire.

>  I'm confused now. Are you saying that an implementation that implements
>  all the mandatory transforms and the mandatory key management and 
>  interoperates with every other "IPsec compliant" implementation is itself
>  not "IPsec compliant" because it doesn't do auditing?

I'm saying that it is an allowable outcome of group discussion.

Hilarie

---

References:

• Re: MUST vs. SHOULD audit
• From: Daniel Harkins <dharkins@cisco.com>

---

• Prev by Date: Re: MUST vs. SHOULD audit
• Next by Date: Re: auditing
• Prev by thread: Re: MUST vs. SHOULD audit
• Next by thread: Re: MUST vs. SHOULD audit
• Index(es):
  • Main
  • Thread