Although according to RFC 2119 RECOMMENDED
and SHOULD are supposed to by synonyms, I agree with Tony that in this case
RECOMMENDED sounds better.
=Drummond
From: Anthony Nadalin
[mailto:drsecure@us.ibm.com]
Sent: Wednesday, February 18, 2009
7:21 PM
To: John Bradley
Cc: imi@lists.oasis-open.org;
Michael McIntosh; Mike Jones
Subject: Re: [imi] Hopefully last
change to the IMI spec before producing a Committee Draft
I think it should be a RECOMMENDED and not a SHOULD
Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
John Bradley
---02/18/2009 09:18:17 PM---Yes, Not disclosed to RPs, Cardholders or anyone
else.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Yes, Not disclosed to
RPs, Cardholders or anyone else.
The question is how much detail we
need in the spec itself for a SHOULD.
As long as the spec is clear I am
OK with the long form of the explanation of this being in the accompanying
document.
John B.
On 18-Feb-09, at 11:07 PM, Michael
McIntosh wrote:
John Bradley <jbradley@mac.com> wrote on
02/18/2009 08:51:08 PM:
> The important points are that it is card
specific entropy stored by
> the IdP and never disclosed to RPs in any
way.
Actually, this entropy needs to be treated as a
secret and it should be [pseudo]random. The danger is not from RPs but from
other cardholders from the same IdP.
Regards,
Mike