> Also from the draft:
> "At least for the strong security requirement of BCP 61 [RFC3365], the
> Security Area, with the support of the IESG, has insisted that all
> specifications include at least one mandatory-to-implement strong
> security mechanism to guarantee universal interoperability."
>
> I do not think this is a factual statement, at least when it comes to
> HTTP, which is where my interest lies.

note that it is not necessary to have at least one mandatory-to-implement strong security mechanism to guarantee interoperability.

consider, for example, a client-server protocol for which conforming servers are required to implement _two_ strong security methods and for which clients are required to implement _at least one_ of those two methods. this would ensure interoperability even though there were no single mandatory-to-implement for clients.

depending on the circumstances, putting a greater burden on the server than the client, or vice versa, might make sense.

Keith