We violently agree. However, the most cited reason I get for watering down security requirements are what I mentioned below. On Aug 30, 2011, at 2:19 PM, Keith Moore wrote: > > On Aug 30, 2011, at 2:02 PM, Eric Burger wrote: > >> Note the language >>> "MUST implement, SHOULD use" is a common compromise. >> ^^^^^^^^^^^ >> >> This is my heartache. Why is it a compromise? Most use of SHOULD I run into in WG's is either this precise one: >> I don't want to make this a MUST use, because I will have deployments *THAT ARE NOT FOR THE INTERNET* but I want to market them as if they were. >> Example: instant messaging systems for enterprises where tapping is a legal requirement, not something to be avoided. >> Example: instant messaging systems deployed where governments want to do warrantless, undetectable tapping >> >> I would offer neither of these examples are Internet examples, and we should get some iron underpants on and say so. > > Mumble. I fundamentally don't buy the argument that things that are used on both local networks and the Internet should not be subject to Internet-strength security. > > And even where recording is a legal requirement, that's NOT an argument for sending traffic in cleartext or with weak encryption. That might be an argument for some kind of backdoor - e.g. a trusted proxy or key escrow or whatever, but it's not an argument for making the traffic available for those without a legal need to see it. > >> SHOULD should neither be a crutch for making a proprietary protocol look like an Internet protocol nor for making two proprietary protocols look like a single, Internet protocol. > > agree. > > Keith >
<<attachment: smime.p7s>>
_______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf