> From: "Cullen Jennings (fluffy)" <fluffy@xxxxxxxxx> > So lets be blunt here - this document is about justifying that RTP > will not have any MTI security. I will note that > rtp-security-options also does not add any MTI security requirements > to RTP. I believe that people are confusing two similar questions: 1. Is there a single mandatory-to-implement security system for *all* RTP uses? 2. Are all RTP uses required to specify mandatory-to-implement security (although different RTP use situations may mandate different security systems)? As far as I can see, draft-ietf-avt-srtp-not-mandatory-14.txt says that the answer to question 1 is "No". As far as I can see, Cullen is arguing that the answer to question 2 is "Yes". These are not contradictory positions. There is, of course, an implementation cost if we do not mandate the same security solution for all RTP uses. Dale