Although it’s always tempting to scatter the word “must” (or for RFC-compliance “MUST”) throughout our documents, Rod Widdowson pointed out at the REFEDs meeting on Sunday the risks of doing so. If you write a specification, agreement, etc. that says a system, organisation or person MUST do something then you are committed never to work with anyone who doesn’t. If you decide afterwards that you do actually work with them, despite the MUST, then you undermine the credibility of your document since others will see that you don’t actually do yourself what you expect of others.
The RFC has several alternatives to MUST, which will often be preferable, for example “SHOULD” for things where a person can behave differently if they have good reason, and “MAY” to document things that are a good idea. “MUST” must be kept for those requirements that will make technical or organisational interworking impossible if they aren’t done.
It struck me that documents that are more prescriptive than they need to be, and thus risk their own credibility, are a much wider problem. Professor Chris Reed gave a keynote at the BILETA conference recently on why cybercrime legislation fails, highlighting the number of such laws that claim jurisdiction over parts of the Internet where it will be impossible in practice to enforce them. Not only are such laws likely to be less effective than their drafters hope, but the fact of making claims that are clearly impractical can actually damage the credibility of the legislation itself, making it hard for even those who *are* within the scope of enforcement to respect it.
In the world of authentication, which was what the meeting was actually talking about, it seems to me that there may be a similar problem around levels of assurance. If a service provider has been treating IP addresses as sufficient proof of authorisation for years, but then decides that they will only use individual authentication if the user has been verified against a photo-id, then I think there is a credibility problem! “Do you really mean MUST?” could be a key question to ask during the conference…