> Also, I deeply regret the fact that my earlier mail came across as > personal assertion. To the likely extent that you think that because my response sounded as if that's what I thought, let me a) apologize for that, and b) emphasize that my irritation is with the amorphous security community, not with individuals, and particularly not with the substance of your statements. It is the nature of things that those who make the effort to dive into the discussion attract the reaction. I actually greatly appreciate that you are doing the diving, even as I express frustrations. Those developing functional protocols are universally interested in having good security. There often is a legitimate debate about what is necessary and sufficient for a particular function, since usages vary enormously in terms of real-world threats. (By the way, the recent trend to have security folks pressure functional folks to first elucidate expected threats strikes me as an aid big enough to be paradigmatic.) The problem is that a) of course the security folks cannot do all the security development, but b) they have almost entirely failed to provide the rest of us with the tools and guidance we need. Pure "education" about security issues is not enough. We need things that are much more applied. So we are left flailing on our own, and then get late-stage criticisms after we have put in considerable effort. Perhaps the single biggest benefit of having the Security Area produce some BCPs is to for the security community to formulate community consensus explicitly. d/ --- Dave Crocker Brandenburg InternetWorking +1.408.246.8253 dcrocker a t ... WE'VE MOVED to: www.bbiw.net _______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf