[Spec] Spec (un)freezes and the spec's future
Petite Abeille
petite.abeille at gmail.com
Mon Dec 21 22:10:46 GMT 2020
> On Dec 21, 2020, at 22:30, Simon <gemini at g-n.site> wrote:
>
> As I wrote to Solderpunk before I subscribed to this mailing list, specs should add something about input logging:
Two points:
- Usually, a spec is not meant to mandate implementation details... i.e. do that, don't do that... as it has no means to enforce any of it... its role is rather to describe a normative interaction (the protocol) or format (text/gemini).
- The gemini protocol is not well tailored to handle anything sensitive. Perhaps best to avoid creating such situation in the first place.
That said, Gemini could sport a set of recommendations and/or "best practices" in a companion document, such as "be mindful of what you log as it may contain sensitive information" and "consider using the underlying TLS mechanism for strong authentication".
Also, it is quite common for an RFC to sport a "security considerations" section:
Guidelines for Writing RFC Text on Security Considerations
https://tools.ietf.org/html/rfc3552
Actually, it's mandatory.
Hopefully, Gemini will mature into a proper set of RFCs, with syntax grammar, security considerations, and all. Until then, the FAQ may be another place to park such consideration.
Finally, the National Institute of Standards and Technology has a rather comprehensive document on the matter:
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-92.pdf
Perhaps a bit overwhelming at first sight, but then again, nothing is as trivial as it seems.
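Added example, not from the post above or from any Gemini project: a request-log sanitiser showing what "be mindful of what you log" means concretely for a Gemini server. In Gemini the request is a single URL (at most 1024 bytes, CRLF-terminated), and when a server answers with status 10 (INPUT) or 11 (SENSITIVE INPUT) the client re-requests the same URL with the user's answer percent-encoded as the query string. A server that writes the raw request line to its access log therefore logs every user input, including whatever was typed at a SENSITIVE INPUT prompt. The functions, the sample request lines and the log-line layout are all constructed for this example; the client-certificate fingerprint stands in for "use the underlying TLS mechanism for authentication" by identifying the peer without logging its certificate subject.

```python
"""Gemini access-log sanitiser (illustrative example, not a real project's code)."""
from __future__ import annotations

import hashlib
from urllib.parse import urlsplit, urlunsplit

MAX_REQUEST_BYTES = 1024  # Gemini's limit on the request URL, excluding CRLF

# Constructed sample request lines, as a server would read them off the TLS
# socket.  The third one is a client's reply to a status 11 (SENSITIVE INPUT)
# prompt; the fourth carries userinfo, which has no meaning in gemini:// URLs
# and is almost certainly a pasted credential.
SAMPLE_REQUESTS = [
    b"gemini://example.org/\r\n",
    b"gemini://example.org/guestbook?hello%20world\r\n",
    b"gemini://example.org/login?hunter2\r\n",
    b"gemini://alice:secret@example.org/notes\r\n",
]


def parse_request(line: bytes) -> str:
    """Validate a raw request line and return the URL as text.

    Raises ValueError for anything a server should answer with status 59
    (bad request) rather than copy verbatim into a log."""
    if not line.endswith(b"\r\n"):
        raise ValueError("request not terminated by CRLF")
    body = line[:-2]
    if len(body) > MAX_REQUEST_BYTES:
        raise ValueError("request longer than 1024 bytes")
    try:
        url = body.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("request is not valid UTF-8") from exc
    if any(ch < " " or ch == "\x7f" for ch in url):
        raise ValueError("control character in request")
    parts = urlsplit(url)
    if parts.scheme != "gemini" or not parts.hostname:
        raise ValueError("not an absolute gemini:// URL")
    return url


def redact_for_log(url: str) -> str:
    """Drop the parts of a request URL that carry user data.

    - the query is the user's answer to a status 10/11 INPUT prompt;
    - userinfo is never legitimate in a gemini:// URL, so it is dropped;
    - fragments are client-side only and are dropped as well."""
    p = urlsplit(url)
    host = p.hostname or ""
    netloc = f"[{host}]" if ":" in host else host  # re-bracket IPv6 literals
    if p.port is not None:
        netloc += f":{p.port}"
    path = p.path or "/"
    # urlunsplit only emits "?" when the query is non-empty, so a placeholder
    # keeps the fact that input was submitted without keeping the input itself.
    query = "<redacted>" if p.query else ""
    return urlunsplit((p.scheme, netloc, path, query, ""))


def cert_fingerprint(der: bytes | None) -> str:
    """Identify a TLS client by a (truncated) SHA-256 of its certificate.

    The fingerprint lets an operator correlate requests from one client
    without writing the certificate's subject name into the log."""
    if der is None:
        return "-"
    return "sha256:" + hashlib.sha256(der).hexdigest()[:16]


def log_line(raw_request: bytes, status: int, client_cert_der: bytes | None = None) -> str:
    """Build one access-log line.  The raw request line is never embedded."""
    try:
        url = redact_for_log(parse_request(raw_request))
    except ValueError as exc:
        url = f"<malformed: {exc}>"
    line = " ".join((cert_fingerprint(client_cert_der), str(status), url))
    # A request cannot forge extra log lines: CR/LF never reach the log.
    return line.replace("\r", "").replace("\n", "")


def demo() -> list[str]:
    """Sanitised log lines for the constructed samples (status 20 assumed)."""
    return [log_line(req, 20) for req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Whether the query placeholder should be kept at all is a policy choice; what the example refuses to do is store the query, hashed or not, since an unsalted hash of a short user input is trivially reversed by guessing.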