Hi Lloyd, On 12/04/2013 10:55 PM, l.wood@xxxxxxxxxxxx wrote: > I see you ignore the DRM point. I don't understand your DRM point to be honest. It also does not seem to be relevant to this conversation. DRM standards have not been been developed in the IETF either. draft-farrell-perpass-attack-00 does not specific solutions (which it states in the document). If your argument is that security adds complexity to protocols then that's certainly true. The other option would be not to have security in protocols at all to make them "more lightweight". Do you seriously think that this is useful option (even before the NSA revelations)? If your argument is that security problems on the Internet should be solved via legal / regulatory ways then please go ahead an make these proposals. Obviously, the IETF would be the wrong forum to do that. I am sure the European Commission, for example, is interested to listen to your proposals and will immediately issue new proposals for regulation. It would be great if those you think that there are regulatory solutions would in fact then work on those rather than just having technically minded people who push problems around. If your argument is aging cryptographic algorithms require software to be updated then let me tell you that software gets updated even for functionality reasons. Do you think that all the software updates you get for you smart phone apps are only security fixes? There are, however, many software updates that relate to security vulnerabilities. My approach would, however, be to incorporate software update mechanisms into products (which is what pretty everyone in the industry seems to be doing) instead. While this is largely a non-IETF issue it would still be interesting to hear whether you have other suggestions. Your suggestions to do more interoperability testing sounds reasonable to me. I have been involved in interoperability tests myself (and even organized a few). Those tend to have a different focus, namely to provide feedback about whether the implementations interpreted the specs correctly. Penetration testing is what you would typically do to discover security vulnerabilities. We typically don't do those (at least not that I have heard). As such, I would rather seen them as a orthogonal effort (which many in the IETF are involved in already anyway). Are you suggesting that we should also do penetration testing? Please also note that "security" is not a monolithic block, as you can see from RFC 3552. In various discussions with you I got the impression that you dislike security in general. That can hardly be true since I am sure you like some of the security features in there as well. For example, you might find authentication a pretty cool concept to avoid others accessing your email account. Ciao Hannes