Harald,

The below is an easy mis-construction to make - from discussion within the IETF, involving security experts.

What I believe I've actually seen is along the lines of "we don't want <your favorite security/authentication> because it is likely to be mis-represented as having resolved security issues it has already been determined it does not resolve."

One case where this has come up, is in discussions of the use of TCP/MD5 - where the problem is not so much that anyone "mis-represents" it as almost anybody can use it with little - or no - work to be done.

There's certainly a degree of legitimacy in the concerns about possible misrepresentation. If it's "for free" - then it is really tempting to try to represent it as adequate (unless you're selling a product that does something better).

From that, it is not hard to see how someone might get the idea that "ease of use" might be a "problem" with a security/authentication mechanism.

It's certainly easy to see how this would be doubly true in any "easy to use" solution someone might wish to propose that is already known to be less than perfect...

--
Eric

--- [SNIP] ---

--> The requirements needed to be "satisfactory" depend very much on your
--> viewpoint; last week I talked to the guy who implemented Freenigma
--> (PGP for web mailers, http://www.freenigma.com), and he commented that
--> "this will never get past the security gurus in the IETF because it's
--> so simple, people might actually use it".
-->
--> That says something frightening about the kind of impression we give
--> to people who work on making usable security. "Usable" needs to be an
--> important component of "satisfactory".
-->
--> (He's quite aware of the obvious security defects of his scheme, btw.
--> It's a tradeoff.)
-->
--> Harald

--- [SNIP] ---

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf