Thanks for this. And thanks, too, to members of the TC (Jim, particularly) who have kept a strong focus on security in the SARIF design process.

Michael

From: sarif@lists.oasis-open.org [mailto:sarif@lists.oasis-open.org] On Behalf Of Larry Golding (Comcast)
Sent: Monday, January 15, 2018 1:42 PM
To: sarif@lists.oasis-open.org
Subject: [sarif] Security: Words of wisdom from RFC 2119

In the course of researching our approach to normative keywords, I re-read RFC 2119 and noticed this, which I’d previously overlooked, and which I thought you’d all appreciate:

    7. Security Considerations

    These terms are frequently used to specify behavior with security implications. The effects on security of not implementing a MUST or SHOULD, or doing something the specification says MUST NOT or SHOULD NOT be done may be very subtle. Document authors should take the time to elaborate the security implications of not following recommendations or requirements as most implementors will not have had the benefit of the experience and discussion that produced the specification.

We did this to some extent when we wrote the spec language to prohibit the use of HTML in rich messages, but Michael has asked me to add some stronger language there. Look for an editorial change in the next few days.

Larry
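The prohibition on HTML in rich messages that Larry refers to is the kind of rule a consumer or a CI gate can check mechanically before a log is rendered. The following is an added example, not code from this thread or from the SARIF project: a small validator that walks a SARIF-shaped JSON document and reports every rich message that contains something resembling an HTML tag. It assumes rich messages are carried in a `markdown` property on message objects; the sample log is constructed for the example, and the tag pattern is a deliberately simple heuristic rather than a full Markdown/HTML parser.

```python
import json
import re
from typing import Iterator, List, Tuple

# Constructed sample SARIF-style log (not from the original thread).
# The "markdown" property is assumed to be where rich messages live.
SAMPLE_LOG = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "ExampleAnalyzer"}},
        "results": [
            {"ruleId": "R1",
             "message": {"text": "Plain message",
                         "markdown": "Use **bold** and `code` markdown only."}},
            {"ruleId": "R2",
             "message": {"text": "Plain message",
                         "markdown": "Click <a href=\"http://example.com\">here</a>"}},
            {"ruleId": "R3",
             "message": {"text": "x < y and y > z",
                         "markdown": "x < y and y > z"}},
        ],
    }],
})

# Heuristic: '<' immediately followed by a tag name (optionally a closing
# slash), optional attributes, optional self-closing slash, then '>'.
# Requiring the name to follow '<' directly avoids flagging comparisons
# such as "x < y and y > z". HTML comments (<!-- -->) are not matched.
HTML_TAG = re.compile(r"</?[A-Za-z][A-Za-z0-9-]*(\s[^<>]*)?/?>")


def find_html_in_markdown(obj, path: str = "$") -> Iterator[Tuple[str, str]]:
    """Recursively walk any JSON value and yield (json_path, snippet) for
    each 'markdown' string value that contains an HTML-looking tag."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if key == "markdown" and isinstance(value, str):
                match = HTML_TAG.search(value)
                if match:
                    yield child, match.group(0)
            else:
                yield from find_html_in_markdown(value, child)
    elif isinstance(obj, list):
        for index, item in enumerate(obj):
            yield from find_html_in_markdown(item, f"{path}[{index}]")


def validate_sarif_text(text: str) -> List[Tuple[str, str]]:
    """Parse a SARIF log given as text and return every offending rich
    message as (json_path, first HTML-looking snippet). Empty means clean."""
    return list(find_html_in_markdown(json.loads(text)))


def sarif_is_clean(text: str) -> bool:
    """True when no rich message in the log contains an HTML-looking tag."""
    return not validate_sarif_text(text)


if __name__ == "__main__":
    for json_path, snippet in validate_sarif_text(SAMPLE_LOG):
        print(f"HTML in rich message at {json_path}: {snippet!r}")
    print("clean" if sarif_is_clean(SAMPLE_LOG) else "rejected")
```

A producer can run the same check before emitting a log; a viewer that receives a log failing it should fall back to the plain `text` property rather than rendering the Markdown, which is the consumer-side behaviour the no-HTML rule is meant to make safe.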