> 1.2. Capabilities versus Requirements
>
> Capabilities may or may not be requirements. That is a local
> determination that must be made by each operator with reference to
> the policies that they must support. It is hoped that this
> document,
> together with [OSCP] will assist operators in identifying their
> security capability requirements and communicating them clearly to
> vendors.
>
> ...
> gmj> We need a standard text for this section to be used in all
> capability drafts.
> gmj> I will work on this.
> ...
Ok, waiting for your normative description.
It turns out that we don't need this at all in the capabilty drafts.
Section 1.7 of the framework covers it.
---George