📜 MUST, SHOULD, MAY (RFC 2119)
5 exercises — read real normative passages from TLS, HTTP, cookie and caching RFCs and decide the exact obligation level each requirement keyword imposes.
The RFC 2119 keyword hierarchy
- MUST / REQUIRED / SHALL → absolute requirement, no deviation
- MUST NOT / SHALL NOT → absolute prohibition
- SHOULD / RECOMMENDED → do it unless you weigh the implications and have a reason not to
- SHOULD NOT / NOT RECOMMENDED → avoid it unless you have strong justification
- MAY / OPTIONAL → truly optional, no preference implied
Exercise 1 / 5
RFC 8446 — TLS 1.3 Mandatory Cipher Suites
RFC 8446 — The Transport Layer Security (TLS) Protocol Version 1.3
Section 9.1. Mandatory-to-Implement Cipher Suites
A TLS-compliant application MUST implement the TLS_AES_128_GCM_SHA256
[GCM] cipher suite and SHOULD implement the TLS_AES_256_GCM_SHA384
[GCM] and TLS_CHACHA20_POLY1305_SHA256 [RFC8439] cipher suites (see
Appendix B.4).
A TLS-compliant application MUST support digital signatures with
rsa_pkcs1_sha256 (for certificates), rsa_pss_rsae_sha256 (for
CertificateVerify and certificates), and ecdsa_secp256r1_sha256. A
TLS-compliant application MUST support key exchange with secp256r1
(NIST P-256) and SHOULD support key exchange with X25519 [RFC7748].

The spec says an application MUST implement TLS_AES_128_GCM_SHA256 but SHOULD implement TLS_AES_256_GCM_SHA384. What is the obligation difference for an implementer?

MUST = absolute requirement; SHOULD = strong recommendation:

Per RFC 2119, MUST means "an absolute requirement of the specification." So to call your application TLS-compliant you have no choice: TLS_AES_128_GCM_SHA256 must be implemented.

SHOULD means "there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed." So TLS_AES_256_GCM_SHA384 is expected by default, but you can legitimately skip it if you have a documented reason (e.g. a constrained embedded target).

- MUST / REQUIRED / SHALL → no deviation permitted
- SHOULD / RECOMMENDED → deviation allowed only after weighing the consequences
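The same distinction, turned into a check a practitioner can run against a build's TLS feature set. This is an added example, not code from the page or from any TLS library: the requirement table is transcribed from the Section 9.1 text quoted above, while the function names, the `Finding`/`Report` types and the three sample profiles are constructed for illustration. A missing MUST item makes the profile non-compliant; a missing SHOULD item is recorded as a deviation that needs a documented reason, and the report separates the two so a reviewer knows which gaps are negotiable.

```python
"""Classify a TLS 1.3 implementation's feature set against RFC 8446 Section 9.1,
keeping MUST violations (non-compliant) apart from SHOULD deviations (allowed
only with a weighed, documented justification).

Added example; names and sample profiles are constructed, not from the page.
"""
from dataclasses import dataclass, field

# Requirement table transcribed from the RFC 8446 Section 9.1 text quoted above.
# (category, identifier) -> RFC 2119 keyword.
REQUIREMENTS = {
    ("cipher_suite", "TLS_AES_128_GCM_SHA256"): "MUST",
    ("cipher_suite", "TLS_AES_256_GCM_SHA384"): "SHOULD",
    ("cipher_suite", "TLS_CHACHA20_POLY1305_SHA256"): "SHOULD",
    ("signature", "rsa_pkcs1_sha256"): "MUST",
    ("signature", "rsa_pss_rsae_sha256"): "MUST",
    ("signature", "ecdsa_secp256r1_sha256"): "MUST",
    ("group", "secp256r1"): "MUST",
    ("group", "x25519"): "SHOULD",
}


@dataclass
class Finding:
    keyword: str       # RFC 2119 keyword that was not honoured
    category: str
    identifier: str
    severity: str      # "non-compliant" for MUST, "deviation" for SHOULD


@dataclass
class Report:
    findings: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        """Compliant iff every MUST is honoured; SHOULD gaps do not break compliance."""
        return not any(f.severity == "non-compliant" for f in self.findings)

    @property
    def deviations(self) -> list:
        return [f for f in self.findings if f.severity == "deviation"]


def check_profile(profile: dict) -> Report:
    """profile maps a category ("cipher_suite", "signature", "group") to the set
    of identifiers the build supports. Every unmet requirement becomes a Finding."""
    report = Report()
    for (category, identifier), keyword in REQUIREMENTS.items():
        if identifier in profile.get(category, set()):
            continue
        severity = "non-compliant" if keyword == "MUST" else "deviation"
        report.findings.append(Finding(keyword, category, identifier, severity))
    return report


def undocumented_deviations(report: Report, justifications: dict) -> list:
    """SHOULD items skipped without a recorded reason. RFC 2119 lets you skip a
    SHOULD, but only after the implications are understood and weighed, so an
    unexplained gap is the thing a reviewer should chase."""
    return [f.identifier for f in report.deviations if f.identifier not in justifications]


# Constructed sample profiles (hypothetical builds, not real products).
FULL_PROFILE = {
    "cipher_suite": {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                     "TLS_CHACHA20_POLY1305_SHA256"},
    "signature": {"rsa_pkcs1_sha256", "rsa_pss_rsae_sha256", "ecdsa_secp256r1_sha256"},
    "group": {"secp256r1", "x25519"},
}
# Constrained embedded build: keeps every MUST, drops all three SHOULD items.
EMBEDDED_PROFILE = {
    "cipher_suite": {"TLS_AES_128_GCM_SHA256"},
    "signature": {"rsa_pkcs1_sha256", "rsa_pss_rsae_sha256", "ecdsa_secp256r1_sha256"},
    "group": {"secp256r1"},
}
# Misconfigured build: offers only the SHOULD suite and misses several MUSTs.
BROKEN_PROFILE = {
    "cipher_suite": {"TLS_AES_256_GCM_SHA384"},
    "signature": {"rsa_pss_rsae_sha256", "ecdsa_secp256r1_sha256"},
    "group": {"x25519"},
}

if __name__ == "__main__":
    for name, profile in (("full", FULL_PROFILE), ("embedded", EMBEDDED_PROFILE),
                          ("broken", BROKEN_PROFILE)):
        rep = check_profile(profile)
        print(f"{name}: compliant={rep.compliant}")
        for f in rep.findings:
            print(f"  {f.severity:13} {f.keyword:6} {f.category}: {f.identifier}")
```

The embedded profile passes as compliant even though it misses three SHOULD items, which is exactly what the RFC permits; pairing the report with a justification table is what turns "permitted" into "defensible".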