> Just a reminder that a PGP key will be published as part of this policy and referenced in the policy as the means for securing email. This is again in line with common practice.

Of course. I'm not sure how universal or easy-to-use PGP email is as compared to just hitting a web page with TLS though...

> The well known address is security@ but in the IETF context there are concerns about using mailto:security@xxxxxxxx as that might be misinterpreted as referring to the SEC area or the general subject of security in the IETF and so the alternative of mailto:security@xxxxxxxxxxxx has been suggested.

In my personal view (*no LLC hat*) it seems odd that this would mean the creation of a new email sub-domain, which seems unnecessarily complicated & unique (having had to deal with mail at a sub-domain for many years at work until we simplified things). So I suppose address@xxxxxxxx rather than address@xxxxxxxxxxxxxxxxxx is my personal preference.

As to what the address is, security@, bugreports@ or vulnerabilityreports@ all seem worth considering.

Jason (sharing personal views)