what it means for work moving through the IETF process is that any work becomes subject to security veto. if security types don't like your work - tough. it's going nowhere.

draft-farrell really widens that scope. and this is going to mean arguments about much more than the tradeoffs of using MD5.

for a self-described technical organisation that does not make policy pronouncements (which is itself a very political position, but never mind) this draft is awfully political.

Lloyd Wood
http://about.me/lloydwood
________________________________________
From: ietf [ietf-bounces@xxxxxxxx] On Behalf Of Melinda Shore [melinda.shore@xxxxxxxxx]
Sent: 01 January 2014 05:38
To: ietf@xxxxxxxx
Subject: Re: Last Call: <draft-farrell-perpass-attack-02.txt> (Pervasive Monitoring is an Attack) to Best Current Practice

On 12/31/13 3:23 PM, Dave Crocker wrote:
> We should not approve an IETF policy statement
> until we have a good idea of the way we will use it.

I think this is a critical point and I agree quite strongly with it. I've mostly been baffled by the IETF response to revelations about internet eavesdropping, to be honest, and it's struck me that work on some of the problems that need to be solved to provide better privacy guarantees (for example, fixing PKI and providing better keying) has been pushed to a back burner in a scramble to make grandiose pronouncements.

It's not that draft-farrell is a bad document on its own merits, it's just that I cannot for the life of me understand what it specifically means for work moving through the IETF process.

Melinda