Advanced Reading #rfc2119 #normative #standards #compliance

📜 MUST, SHOULD, MAY (RFC 2119)

5 exercises — read real normative passages from TLS, HTTP, cookie and caching RFCs and decide the exact obligation level each requirement keyword imposes.

The RFC 2119 keyword hierarchy
  • MUST / REQUIRED / SHALL → absolute requirement, no deviation
  • MUST NOT / SHALL NOT → absolute prohibition
  • SHOULD / RECOMMENDED → do it unless you weigh the implications and have a reason not to
  • SHOULD NOT / NOT RECOMMENDED → avoid it unless you have strong justification
  • MAY / OPTIONAL → truly optional, no preference implied
1 / 5
📜 RFC 8446 — TLS 1.3 Mandatory Cipher Suites
RFC 8446 — The Transport Layer Security (TLS) Protocol Version 1.3
Section 9.1. Mandatory-to-Implement Cipher Suites

   A TLS-compliant application MUST implement the TLS_AES_128_GCM_SHA256
   [GCM] cipher suite and SHOULD implement the TLS_AES_256_GCM_SHA384
   [GCM] and TLS_CHACHA20_POLY1305_SHA256 [RFC8439] cipher suites (see
   Appendix B.4).

   A TLS-compliant application MUST support digital signatures with
   rsa_pkcs1_sha256 (for certificates), rsa_pss_rsae_sha256 (for
   CertificateVerify and certificates), and ecdsa_secp256r1_sha256.  A
   TLS-compliant application MUST support key exchange with secp256r1
   (NIST P-256) and SHOULD support key exchange with X25519 [RFC7748].
The spec says an application MUST implement TLS_AES_128_GCM_SHA256 but SHOULD implement TLS_AES_256_GCM_SHA384. What is the obligation difference for an implementer?