ietf
[Top] [All Lists]

Re: Last Call: <draft-housley-implementer-obligations-01.txt> (Expectations of Implementers of IETF Protocols) to Informational RFC

2014-05-11 15:23:46
Nikos,

On 12/05/2014 07:55, Nikos Mavrogiannopoulos wrote:
On Sun, 2014-05-11 at 08:31 +1200, Brian E Carpenter wrote:

...
I like to think of somebody else: a young programmer working far,
far away, who will probably never attend an IETF meeting or join
an IETF mailing list. For this person, we need to state things that
are obvious to us. For example:
"It is not sufficient to do an initial implementation of the protocol.
 Maintenance is needed to apply changes as the come out in the future,
 especially to fix security issues that are found after the initial
 publication of a protocol specification."

This document doesn't fill this purpose as it is written as a what-to-do
document rather than a document with advice to implementers. If somebody
has specific expectations from implementers then that should be
reflected in a contract with them.

That's a straw man. You know very well that (precisely because IETF
standards are voluntary) there will never be such a contract between
the IETF and the implementer.


If on the other hand this is written in purpose to introduce
IETF-certified or IETF-approved implementations it must be even more
precise than this document. As it is, it doesn't fill any obvious
purpose.

The document is aspirational, not contractual. It seems perfectly reasonable
to ask implementers (whether a profit-making company, an open-source
community, or an individual) to accept ongoing responsibility for their
code. Isn't that exactly what GnuTLS does, for example?

I'm not sure the IETF has ever said this before, however, and the only
way we have to say things permanently is by publishing an RFC.

   Brian

<Prev in Thread] Current Thread [Next in Thread>