openc2-imple message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: FWD: Security: Words of wisdom from RFC 2119


I received this on the OASIS sarif TC mailing list and thought it worth sharing with the OpenC2 Implementation SC. In the IA considerations we may want to not only show the benefit but also "elaborate the security implications of not following".

Duncan Sparrell
sFractal Consulting LLC
iPhone, iTypo, iApologize


-------- Original Message --------
Subject: [sarif] Security: Words of wisdom from RFC 2119
From: "Larry Golding \(Comcast\)" <larrygolding@comcast.net>
Date: Mon, January 15, 2018 4:42 pm
To: <sarif@lists.oasis-open.org>

In the course of researching our approach to normative keywords, I re-read RFC 2119 and noticed this, which I’d previously overlooked, and which I thought you’d all appreciate:

   7. Security Considerations

   These terms are frequently used to specify behavior with security
   implications.  The effects on security of not implementing a MUST or
   SHOULD, or doing something the specification says MUST NOT or SHOULD
   NOT be done may be very subtle. Document authors should take the time
   to elaborate the security implications of not following
   recommendations or requirements as most implementors will not have
   had the benefit of the experience and discussion that produced the
   specification.
 
We did this to some extent when we wrote the spec language to prohibit the use of HTML in rich messages, but Michael has asked me to add some stronger language there. Look for an editorial change in the next few days.
 
Larry
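The RFC 2119 advice quoted above applies directly to the HTML prohibition mentioned in this thread: a consumer that renders spec-violating message text into a web view can end up executing attacker-supplied markup. The following checker is an added example, not code from the SARIF TC, OpenC2, or any tool; it walks a constructed SARIF-like log (the `runs`/`results`/`message.text`/`message.markdown` layout is assumed for illustration), flags any message field that contains tag-shaped content, and shows the escaping a viewer should apply before rendering.

```python
import html
import json
import re

# Constructed SARIF-like log for the example (not output of any real tool).
# The first result is clean; the second smuggles an HTML anchor into the
# markdown field, which the spec language discussed in the thread forbids.
SAMPLE_LOG = json.dumps({
    "runs": [{
        "results": [
            {"message": {"text": "Unused variable 'x'",
                         "markdown": "Unused variable `x`"}},
            {"message": {"text": "See details",
                         "markdown": "See <a href=\"javascript:alert(1)\">details</a>"}},
        ]
    }]
})

# Deliberately strict: anything shaped like an opening or closing tag is
# flagged, even inside a markdown code span. A consumer that wants to allow
# literal angle brackets in code spans must parse the markdown first.
_TAG_RE = re.compile(r"</?[A-Za-z][^>]*>")


def find_html_messages(log_json):
    """Return (run_index, result_index, field) for every message field
    that contains tag-shaped content."""
    findings = []
    log = json.loads(log_json)
    for ri, run in enumerate(log.get("runs", [])):
        for xi, result in enumerate(run.get("results", [])):
            msg = result.get("message", {})
            for field in ("text", "markdown"):
                value = msg.get(field)
                if isinstance(value, str) and _TAG_RE.search(value):
                    findings.append((ri, xi, field))
    return findings


def escape_for_display(value):
    """Neutralise markup before a viewer inserts the message into HTML.
    Escaping (rather than stripping) keeps the text readable while making
    it inert; quote=True also covers attribute contexts."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for run_idx, result_idx, field in find_html_messages(SAMPLE_LOG):
        print(f"run {run_idx} result {result_idx}: HTML in message.{field}")
```

A producer-side check like `find_html_messages` turns the MUST NOT into a rejectable validation error at the point where the log is written; the consumer-side `escape_for_display` is the defence in depth for logs that were produced without such a check.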

