I think we should seize this opportunity to take a hard look at what we can do better. Yes, it is completely correct that this is only partially a technical problem, and that there is a lot of technology that, if used, would help. And that technical issues outside IETF space, like endpoint security, or the properties of specific products or implements affects the end result in major ways. And that no amount of communication security helps you if you do not the guy at the other end. But it is also obvious to me that we do not have a situation where everything that could be done has been done. I think we can do more. Some examples: * we're having a discussion in http 2.0 work whether encryption should be mandatory * the perpass list has talked about understanding better where fingerprinting is an issue with IETF protocols * maybe it would be time to start having specs say that implementations must refuse older, weak algorithms * we could do more analysis and review to understand where the weak points and development opportunities are -- too early to say there are none And please do not think about all this just in terms of the recent revelations. The security in the Internet is still a challenge, and if there are improvements they will be generally useful for many reasons and for many years to come. Perhaps this year's discussions are our ticket to motivate the world to move from "by default insecure" communications to "by default secure". Publicity and motivation are important, too. So I for one would like to see work to determine what we could do, and some meeting time in the Vancouver agenda to talk about it. Jari