[Note that this file is a concatenation of more than one RFC.] Network Working Group R. Bush Request for Comments: 3967 IIJ BCP: 97 T. Narten Category: Best Current Practice IBM Corporation December 2004 Clarifying when Standards Track Documents may Refer Normatively to Documents at a Lower Level Status of this Memo This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2004). Abstract IETF procedures generally require that a standards track RFC may not have a normative reference to another standards track document at a lower maturity level or to a non standards track specification (other than specifications from other standards bodies). For example, a standards track document may not have a normative reference to an informational RFC. Exceptions to this rule are sometimes needed as the IETF uses informational RFCs to describe non-IETF standards or IETF-specific modes of use of such standards. This document clarifies and updates the procedure used in these circumstances. 1. Introduction The Internet Standards Process [RFC2026] Section 4.2.4 specifies the following: Standards track specifications normally must not depend on other standards track specifications which are at a lower maturity level or on non standards track specifications other than referenced specifications from other standards bodies. One intent is to avoid creating a perception that a standard is more mature than it actually is. Bush & Narten Best Current Practice [Page 1] RFC 3967 Document Down-Ref Clarifications December 2004 It should also be noted that Best Current Practice documents [RFC1818] have generally been considered similar to Standards Track documents in terms of what they can reference. For example, a normative reference to an Experimental RFC has been considered an improper reference per [RFC2026]. 1.1. Normative References Within an RFC, references to other documents fall into two general categories: "normative" and "informative". Broadly speaking, a normative reference specifies a document that must be read to fully understand or implement the subject matter in the new RFC, or whose contents are effectively part of the new RFC, as its omission would leave the new RFC incompletely specified. An informative reference is not normative; rather, it provides only additional background information. An exact and precise definition of what is (and is not) a normative reference has proven challenging in practice, as the details and implications can be subtle. Moreover, whether a reference needs to be normative can depend on the context in which a particular RFC is being published in the first place. For example, in the context of an IETF Standard, it is important that all dependent pieces be clearly specified and available in an archival form so that there is no disagreement over what constitutes a standard. This is not always the case for other documents. The rest of this section provides guidance on what might (and might not) be considered normative in the context of the IETF standards process. In the IETF, it is a basic assumption that implementors must have a clear understanding of what they need to implement in order to be fully compliant with a standard and to be able to interoperate with other implementations of that standard. For documents that are referenced, any document that includes key information an implementer needs would be normative. For example, if one needs to understand a packet format defined in another document in order to fully implement a specification, the reference to that format would be normative. Likewise, if a reference to a required algorithm is made, the reference would be normative. Some specific examples: - If a protocol relies on IPsec to provide security, one cannot fully implement the protocol unless the specification for IPsec is available; hence, the reference would be normative. Bush & Narten Best Current Practice [Page 2] RFC 3967 Document Down-Ref Clarifications December 2004 The referenced specification would likely include details about specific key management requirements, which transforms are required and which are optional, etc. - In MIB documents, an IMPORTS clause by definition is a normative reference. - When a reference to an example is made, such a reference need not be normative. For example, text such as "an algorithm such as the one specified in [RFCxxxx] would be acceptable" indicates an informative reference, since that cited algorithm is just one of several possible algorithms that could be used. 2. The Need for Downward References There are a number of circumstances in which an IETF document may need to make a normative reference to a document at a lower maturity level, but such a reference conflicts with Section 4.2.4 of [RFC2026]. For example: o A standards track document may need to refer to a protocol or algorithm developed by an external body but modified, adapted, or profiled by an IETF informational RFC, for example, MD5 [RFC1321] and HMAC [RFC2104]. Note that this does not override the IETF's duty to see that the specification is indeed sufficiently clear to enable creation of interoperable implementations. o A standards document may need to refer to a proprietary protocol, and the IETF normally documents proprietary protocols using informational RFCs. o A migration or co-existence document may need to define a standards track mechanism for migration from, and/or co-existence with, an historic protocol, a proprietary protocol, or possibly a non-standards track protocol. o There are exceptional procedural or legal reasons that force the target of the normative reference to be an informational or historical RFC or to be at a lower standards level than the referring document. o A BCP document may want to describe best current practices for experimental or informational specifications. Bush & Narten Best Current Practice [Page 3] RFC 3967 Document Down-Ref Clarifications December 2004 3. The Procedure to Be Used For Standards Track or BCP documents requiring normative reference to documents of lower maturity, the normal IETF Last Call procedure will be issued, with the need for the downward reference explicitly documented in the Last Call itself. Any community comments on the appropriateness of downward references will be considered by the IESG as part of its deliberations. Once a specific down reference to a particular document has been accepted by the community (e.g., has been mentioned in several Last Calls), an Area Director may waive subsequent notices in the Last Call of down references to it. This should only occur when the same document (and version) are being referenced and when the AD believes that the document's use is an accepted part of the community's understanding of the relevant technical area. For example, the use of MD5 [RFC1321] and HMAC [RFC2104] is well known among cryptographers. This procedure should not be used if the proper step is to move the document to which the reference is being made into the appropriate category. It is not intended as an easy way out of normal process. Rather, the procedure is intended for dealing with specific cases where putting particular documents into the required category is problematic and unlikely ever to happen. 4. Security Considerations This document is not known to create any new vulnerabilities for the Internet. On the other hand, inappropriate or excessive use of the process might be considered a downgrade attack on the quality of IETF standards or, worse, on the rigorous review of security aspects of standards. 5. Acknowledgments This document is the result of discussion within the IESG, with particular contribution by Harald Alvestrand, Steve Bellovin, Scott Bradner, Ned Freed, Allison Mankin, Jeff Schiller, and Bert Wijnen. Bush & Narten Best Current Practice [Page 4] RFC 3967 Document Down-Ref Clarifications December 2004 6. References 6.1. Normative References [RFC2026] Bradner, S., "The Internet Standards Process -- Revision 3", BCP 9, RFC 2026, October 1996. 6.2. Informative References [RFC1818] Postel, J., Li, T., and Y. Rekhter, "Best Current Practices", BCP 1, RFC 1818, August 1995. [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April 1992. [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, February 1997. 7. Authors' Addresses Randy Bush IIJ 5147 Crystal Springs Bainbridge Island, WA 98110 US Phone: +1 206 780 0431 EMail: randy@psg.com URI: http://psg.com/~randy/ Thomas Narten IBM Corporation P.O. Box 12195 Research Triangle Park, NC 27709-2195 US Phone: +1 919 254 7798 EMail: narten@us.ibm.com Bush & Narten Best Current Practice [Page 5] RFC 3967 Document Down-Ref Clarifications December 2004 8. Full Copyright Statement Copyright (C) The Internet Society (2004). This document is subject to the rights, licenses and restrictions contained in BCP 78, and at www.rfc-editor.org, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the ISOC's procedures with respect to rights in ISOC Documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf- ipr@ietf.org. Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society. Bush & Narten Best Current Practice [Page 6] ========================================================================= Network Working Group J. Klensin Request for Comments: 4897 BCP: 97 S. Hartman Updates: 3967 MIT Category: Best Current Practice June 2007 Handling Normative References to Standards-Track Documents Status of This Memo This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The IETF Trust (2007). Abstract The Internet Engineering Task Force (IETF) and Request for Comments (RFC) Editor have a long-standing rule that a document at a given maturity level cannot be published until all of the documents that it references as normative are at that maturity level or higher. This rule has sometimes resulted in very long publication delays for documents and some claims that it was a major obstruction to advancing documents in maturity level. The IETF agreed on a way to bypass this rule with RFC 3967. This document describes a simpler procedure for downward references to Standards-Track and Best Current Practice (BCP) documents, namely "note and move on". The procedure in RFC 3967 still applies for downward references to other classes of documents. In both cases, annotations should be added to such References. Klensin & Hartman Best Current Practice [Page 1] RFC 4897 Normative References June 2007 Table of Contents 1. Introduction ....................................................2 2. Terminology .....................................................3 3. Normative Reference Rule ........................................3 3.1. Source Documents Not Yet Processed by the IESG .............3 3.2. Documents Already in the RFC Editor Queue ..................4 4. Target Documents Not on the Standards Track .....................4 5. Target Documents that Can Be Referenced This Way ................4 6. Security Considerations .........................................5 7. Acknowledgements ................................................5 8. Normative References ............................................5 1. Introduction The IETF and RFC Editor have a long-standing rule (see, e.g., RFC 2026, Section 4.2.4 [RFC2026] and the extended discussion in RFC 3967 [RFC3967]) that a document at a given maturity level cannot be published until all of the documents to which it makes a normative reference are at that maturity level or higher. This rule has sometimes resulted in very long publication delays for documents and some claims that it was a major obstruction to advancing documents in maturity level. Recognizing the problems that this rule sometimes caused, RFC 3967 established an exception procedure for normative downward references under some specific circumstances. Perhaps because of its fairly stringent requirements, RFC 3967 has not proven adequate either to clear the backlog of documents awaiting upgraded documents or to prevent additional documents from joining that queue. This document replaces the long-standing rule for downward references to Standards-Track documents (including BCPs) that are already published. For normative references to Standards-Track and BCP documents, that rule was to hold the newer, referencing, document until the referenced ones could be brought to the appropriate maturity level. It is now possible, following procedures described below, to simply note the downward normative reference and move on. This document also updates RFC 3967. When downward references from a source document are approved under the procedure specified in that specification, we recommend that the references in the approved (source) document be annotated in the same way as references approved under this rule. Klensin & Hartman Best Current Practice [Page 2] RFC 4897 Normative References June 2007 2. Terminology A reference involves two documents, the one in which the reference is embedded and the document referenced. Where needed for clarity, these documents are referred to as the "source document" and "target document", respectively. The term "Standards-Track document", as used in this specification, is assumed to include BCPs but not Informational or Experimental documents of any variety or origin. 3. Normative Reference Rule This document specifies an alternative to holding source documents until all target documents referenced normatively are upgraded or by applying the procedure of RFC 3967. 3.1. Source Documents Not Yet Processed by the IESG An author or editor who requires a normative downward reference to a Standards-Track RFC uses the following very simple procedure: o The reference text (i.e., in the "Normative References" section of the source document) is written as usual. o A note is included in the reference text that indicates that the reference is to a target document of a lower maturity level, that some caution should be used since it may be less stable than the document from which it is being referenced, and, optionally, explaining why the downward reference is appropriate. The Internet Engineering Steering Group (IESG) may, at its discretion, specify the exact text to be used, establish procedures regarding the text to use, or give guidance on this text. When establishing procedures, the IESG should seek appropriate community review. These annotations are part of the source document. If members of the community consider either the downward reference or the annotation text to be inappropriate, those issues can be raised at any time during the document life cycle, just as with any other text in the document. There is no separate review of these references. With appropriate community review, the IESG may establish procedures for when normative downward references should delay a document and when downward references should be noted. Absent specific guidance, authors and reviewers should use their best judgment. It is assumed that, in a significant majority of cases, noting a downward reference is preferable to delaying publication. Klensin & Hartman Best Current Practice [Page 3] RFC 4897 Normative References June 2007 At the option of the author, similar notes may be attached to non- normative references. 3.2. Documents Already in the RFC Editor Queue The IESG may, at its discretion, specify a procedure to be applied to source documents that are already in the RFC Editor queue, awaiting target referenced documents. The IESG should encourage authors with documents in the RFC Editor queue awaiting downward references to Standards-Track RFCs to evaluate whether this new rule is appropriate for their documents. If authors believe that adding an annotation and releasing the document is the best way forward, then the IESG should ensure that appropriate review is conducted and, if that review agrees with that of the authors' evaluation, allow the annotations to be added. The IESG will announce its decision via the normal Protocol-Action or Document-Action mechanisms. 4. Target Documents Not on the Standards Track In the case of a normative reference to a document not on the standards track that is approved under the procedures defined in RFC 3967, the annotation described in Section 3.1 or the retrospective annotation described in Section 3.2, SHOULD be added to the reference unless the IESG, after consideration of Last Call input, concludes it is inappropriate. 5. Target Documents that Can Be Referenced This Way The "downward reference by annotation" model specified here is applicable only to published Standards-Track RFCs at lower maturity levels. Obviously, such downward references are part of the relevant source document at IETF Last Call and subject to comments from the community. Advancing documents, when appropriate, is still considered preferable to the use of either this procedure or the one specified in RFC 3967. This specification does not impose a specific test or requirement to determine appropriateness. This is partially because it would be impossible to do so for the general case, but more so because the intention is to permit the IESG and the community to balance the importance of getting a source document published against the time and difficulty associated with upgrading a target document. That requirement is intended to be less stringent than the one of RFC 3967. Klensin & Hartman Best Current Practice [Page 4] RFC 4897 Normative References June 2007 6. Security Considerations This document specifies an IETF procedure. It is not believed to raise any security issues although, in principle, relaxing the normative downward reference rules for references associated with security mechanisms could make a specification less stable and hence less secure. 7. Acknowledgements This proposal was suggested by a comment by Spencer Dawkins and many complaints about the negative impact of the current rules. The author is unsure about the validity of some of those complaints; the proposal is, in part, a way to test the validity question. Spencer also provided helpful comments on a preliminary version. It was revised in response to extensive discussion in the IESG and benefited significantly by comments from Brian Carpenter. 8. Normative References [RFC2026] Bradner, S., "The Internet Standards Process -- Revision 3", BCP 9, RFC 2026, October 1996. [RFC3967] Bush, R. and T. Narten, "Clarifying when Standards Track Documents may Refer Normatively to Documents at a Lower Level", BCP 97, RFC 3967, December 2004. Authors' Addresses John C Klensin 1770 Massachusetts Ave, #322 Cambridge, MA 02140 USA Phone: +1 617 491 5735 EMail: john-ietf@jck.com Sam Hartman Massachusetts Institute of Technology 77 Massachusetts Ave Cambridge, MA 02139 USA EMail: hartmans-ietf@mit.edu Klensin & Hartman Best Current Practice [Page 5] RFC 4897 Normative References June 2007 Full Copyright Statement Copyright (C) The IETF Trust (2007). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society. Klensin & Hartman Best Current Practice [Page 6] ========================================================================= Internet Engineering Task Force (IETF) B. Leiba Request for Comments: 8067 Huawei Technologies BCP: 97 January 2017 Updates: 3967 Category: Best Current Practice ISSN: 2070-1721 Updating When Standards Track Documents May Refer Normatively to Documents at a Lower Level Abstract RFC 3967 specifies a process for allowing normative references to documents at lower maturity levels ("downrefs"), which involves calling out the downref explicitly in the Last Call notice. That requirement has proven to be unnecessarily strict, and this document updates RFC 3967, allowing the IESG more flexibility in accepting downrefs in Standards Track documents. Status of This Memo This memo documents an Internet Best Current Practice. This document is a product of the Internet Engineering Task Force (IETF). It has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on BCPs is available in Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc8067. Copyright Notice Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Leiba Best Current Practice [Page 1] RFC 8067 Document Downref Update January 2017 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. The IESG's Responsibility with Respect to Downrefs . . . . . 2 3. Security Considerations . . . . . . . . . . . . . . . . . . . 3 4. Normative References . . . . . . . . . . . . . . . . . . . . 3 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction [RFC3967] notes the importance of assuring that normative references from Standards Track and Best Current Practice (BCP) documents are appropriately mature, and specifies a process for allowing normative references to documents at lower maturity levels ("downrefs"). That process starts at IETF Last Call (see Section 3 of [RFC3967]): For Standards Track or BCP documents requiring normative reference to documents of lower maturity, the normal IETF Last Call procedure will be issued, with the need for the downward reference explicitly documented in the Last Call itself. Any community comments on the appropriateness of downward references will be considered by the IESG as part of its deliberations. Section 2 of [RFC3967] lists some conditions under which downrefs may make sense. In addition to those, it has become common for working groups to produce foundational documents (which contain important information such as terminology definitions and architectural design and considerations) at Informational status, and those documents are often needed as normative references in the Standards Track protocol documents that follow. The requirement to explicitly mention the downrefs and the need for them in the Last Call message has proven to be unnecessarily restrictive and has often resulted in unnecessary repetitions of Last Call, with the corresponding delay and with no real benefit. 2. The IESG's Responsibility with Respect to Downrefs The process in RFC 3967 is hereby updated to specify that explicitly documenting the downward references in the Last Call message is strongly recommended but not required. The responsible AD should still check for downrefs before sending out the Last Call notice, but if an undetected downref is noticed during Last Call or IESG review, any need to repeat the Last Call is at the discretion of the IESG. However, the process in RFC 3967 is not fundamentally altered: If the IESG decides not to repeat the Last Call, the status of the affected downrefs is not changed, and the process in RFC 3967 will still apply if those downrefs are used in the future. Leiba Best Current Practice [Page 2] RFC 8067 Document Downref Update January 2017 This gives the IESG the responsibility to determine the actual maturity level of the downward reference with respect to the document at hand, and to decide whether or not it is necessary to explicitly ask the IETF community for comments on the downref on a case-by-case basis. In making that decision, the IESG should take into account the general discussion in RFC 3967. The responsible AD should make sure that the omission is recorded as a comment in the datatracker. 3. Security Considerations Referencing immature protocols can have security and stability implications, and the IESG should take that into account when deciding whether re-consulting the community is useful. 4. Normative References [RFC3967] Bush, R. and T. Narten, "Clarifying when Standards Track Documents may Refer Normatively to Documents at a Lower Level", BCP 97, RFC 3967, DOI 10.17487/RFC3967, December 2004, . Author's Address Barry Leiba Huawei Technologies Phone: +1 646 827 0648 Email: barryleiba@computer.org URI: http://internetmessagingtechnology.org/ Leiba Best Current Practice [Page 3]