Section 4.2 states, "The service provider MUST keep a log of all requests
for OPES services".
Last I looked, the IETF is a protocol standards body, not a legislative
body. Unless the *protocol* REQUIRES the service provider to keep the log,
this is an unenforceable requirement. I agree that we need to state our
sentiment. A better place may be in the security section.
Likewise, "The trusted users must be authenticated before being allowed to
take actions" is a similar policy, not protocol statement. The good news is
"must" is not capitalized. However, this statement again does not belong in
this section, and should be a SHOULD.
The next paragraph is a place where we can have protocol machinery: "The
PEP's should be authenticated before they receive policy rules". If we
care, then I would propose, "Because of the sensitivity of user profiles,
the PEP Interface between the PEP and the PDP MUST use a secure transport
protocol."