Currently, inherited from RFC3530, we have the requirement that a v4.1 server
MUST support v4.0 and similarly that a v4.1 client MUST support v4.0.
There are some good reasons to consider weakening these, to SHOULD perhaps. The
basic reason is that we have eliminated a whole bunch of complexity with regard
to management of sequence state for owners and the associated replay
protection. With the implementation of sessions, none of that complexity is
required but a MUST would make it required, so you would wind up having to
implement both sessions and the old-style replay protection.
A large part of the purpose of simplifying the protocol is to simplify the task
of impementation, but a requirement to implement both would mean that it was
more complicated. Until v4.1 is ubiquitous, clients and servers are going to
have to support v4.0 anyway so the mandate has no purpose at that point. But
once v4.1 is ubiquitous, why should we force people to do this extra
implementation? The other thing here is that we may force people to implement
this but we can't force them to implement it well. If we are in the v4.1 world
and everybody has to say that they support v4.0 then they will, even if the
testing is quite sketchy. It would be far better if people could distinguish
between those that really supported v4.0 and those that didn't and that would be
easier without the requirement.
I think this issue is tied to the fact that we have made sessions mandatory. If
v4.1 simply consisted of optional additions then the MUST for supporting
previous versions would be quite viable.
I had considered addressing this issue in v4.2 by which time v4.1-ubiquity
would be on the horizon. However, we really can't be sure there will be a v4.2
so I think we should address this now.
|