OR13 / draft-steele-spice-profiles-bcp

https://or13.github.io/draft-steele-spice-profiles-bcp/draft-steele-spice-profiles-bcp.html

Text Clarity and Citations #5

Open mkhraisha opened 1 month ago

mkhraisha commented 1 month ago

General Question:

Do we want to include rationale behind the statements or should it just be general guidance? For example:

Strings and arbitrary length data structures SHOULD be avoided, whenever possible.

makes sense, but doesn't cite anything or explain why it should be avoided, just that it should be.

Similarly we do not have any statements explaining why they should not support polymorphic types.

Policy writers SHOULD describe the allowed data types for the expression of information, and SHOULD NOT support polymorphic types.

On another note, for clarity we should add a secondary example to the JSON example in section 4:

That can also be expressed in different data structures, while preserving the information:

In section 6:

Although schema or data definition languages can help address some common security issues such as validation as described in [RFC4949], there are still problematic expressions of information which should generally be avoided even when fully specifying data.

I'm not sure if I'm misreading it, but I can't find the validation issue described in RFC4949.
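The two recommendations quoted from the draft (avoid arbitrary-length strings, do not allow polymorphic types) and the section 4 point that the same information can be carried in different data structures can be made concrete with a small validator. The following is an added example, not code from the draft or from this issue; the field names, the policy and the sample payloads are constructed for illustration. The security-relevant point it shows is that a value accepted under more than one type (here `"42"` versus `42`) is parsed differently by different consumers, while a single fixed type with a length bound gives every implementation the same accept/reject answer.

```python
"""Added example (not from draft-steele-spice-profiles-bcp): a strict
field-level validator for a small JSON claim set.

Constructed policy: every field has exactly one permitted type, and string
fields carry an explicit upper length bound. Field names are hypothetical.
"""
import json
from typing import Any, Dict, List

# Constructed policy table: one type per field, no unions, bounded strings.
POLICY: Dict[str, Dict[str, Any]] = {
    "sub": {"type": str, "max_len": 64},
    "age": {"type": int},
    "verified": {"type": bool},
}


def validate(doc: Dict[str, Any], policy: Dict[str, Dict[str, Any]] = POLICY) -> List[str]:
    """Return a list of policy violations; an empty list means the document passes."""
    errors: List[str] = []
    for name, rule in policy.items():
        if name not in doc:
            errors.append(f"{name}: missing")
            continue
        value = doc[name]
        # Exact type match: bool is a subclass of int in Python, and a JSON
        # string "42" must not be silently accepted where an int is required.
        if type(value) is not rule["type"]:
            errors.append(f"{name}: expected {rule['type'].__name__}, got {type(value).__name__}")
            continue
        # Bounded length for strings, so no arbitrary-length data is accepted.
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"{name}: length {len(value)} exceeds {rule['max_len']}")
    # Fields outside the policy are rejected rather than ignored.
    for name in doc:
        if name not in policy:
            errors.append(f"{name}: not permitted by policy")
    return errors


def to_positional(doc: Dict[str, Any], policy: Dict[str, Dict[str, Any]] = POLICY) -> List[Any]:
    """Express the same information as a positional array in policy order."""
    return [doc[name] for name in policy]


def from_positional(values: List[Any], policy: Dict[str, Dict[str, Any]] = POLICY) -> Dict[str, Any]:
    """Recover the map form from the positional array; information is preserved."""
    return dict(zip(policy, values))


# Constructed sample payloads.
GOOD_DOC = json.loads('{"sub": "alice@example.com", "age": 42, "verified": true}')
POLYMORPHIC_DOC = json.loads('{"sub": "alice@example.com", "age": "42", "verified": true}')
OVERLONG_DOC = {"sub": "a" * 65, "age": 42, "verified": True}

if __name__ == "__main__":
    for label, doc in (("good", GOOD_DOC), ("polymorphic", POLYMORPHIC_DOC), ("overlong", OVERLONG_DOC)):
        print(label, validate(doc) or "ok")
    print("positional form:", to_positional(GOOD_DOC))
    print("round trip preserved:", from_positional(to_positional(GOOD_DOC)) == GOOD_DOC)
```

The positional form is only unambiguous because the policy fixes the field order and one type per position; that is the property a profile has to pin down before the same claim set can be moved between encodings without loss.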