On Dec 21, 2012, at 10:45 AM, Ben Campbell <ben(_at_)nostrum(_dot_)com> wrote:
As I responded separately to Ramakrishna, is the SHOULD use 4030 language a
new requirement specific to this draft? Or is it just describing requirements
in 3046 or elsewhere?
I suppose the authors should really answer this, but I was curious as well, and
went looking. I think RFC4030 should have updated RFC3046 to add this as a
security consideration, but it did not. However, e.g. RFC4243, RFC5010 and
RFC5107 do add a similar requirement to their security considerations section,
so it's probably fair to say that this has been informally adopted as
appropriate practice for security considerations sections.
Perhaps we should adopt the practice more formally... :)