From 8c58a3a83d30508e5093966ec72603dd0f7d6275 Mon Sep 17 00:00:00 2001 From: Christian Grothoff Date: Tue, 1 Feb 2022 20:33:00 +0100 Subject: another case where I think SHOULD is enough --- draft-schanzen-gns.xml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml index acc5b55..36c6999 100644 --- a/draft-schanzen-gns.xml +++ b/draft-schanzen-gns.xml @@ -1168,9 +1168,12 @@ h[31] &= 7 // Implies h mod L == h zk' := h * zk ]]> - We note that implementers must employ a constant time scalar - multiplication for the constructions above. Also, implementers - must ensure that the private key a is an ed25519 private key + We note that implementers SHOULD employ a constant time scalar + multiplication for the constructions above to protect against + timing attacks. Otherwise, timing attacks may leak private key + material if an attacker can predict when a system starts the + publication process. Also, implementers + MUST ensure that the private key a is an ed25519 private key and specifically that "a[0] & 7 == 0" holds. -- cgit v1.2.3
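Review bot: Downgrading the constant-time scalar multiplication from "must" to "SHOULD" sits awkwardly next to the rationale the same hunk adds, which states that timing attacks "may leak private key material" when an attacker can predict the start of publication; leaking key material is normally the kind of consequence that justifies MUST. If SHOULD is intended, the text should state under what conditions an implementer may deviate (for example, when publication timing is provably not observable by an attacker) so that the conformance requirement is actionable, as RFC 2119 expects for SHOULD. Minor style points: the two adjacent sentences both say "timing attacks" ("to protect against timing attacks. Otherwise, timing attacks may leak"), which could be tightened to one mention; and the unchanged trailing line `and specifically that "a[0] & 7 == 0" holds.` reads, if taken as C, as `a[0] & (7 == 0)` because `==` binds tighter than `&`, so writing `(a[0] & 7) == 0` would avoid a reader copying an always-false check.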