On Jan 1, 2014, at 6:07 PM, Melinda Shore <melinda.shore@xxxxxxxxx> wrote: > I'm sorry, but when we get to the point where we need to point to an > RFC to stop progress on a document that has obvious vulnerabilities, > our brains have fallen out. This is counterfactual. We used to routinely handwave about security. We've gotten better about that. RFC3552 is why. RFC3552 does not discuss the threat of pervasive monitoring. So we need a document that does. This is that document. RFC3552 is a BCP. It makes sense that this document would also be a BCP. The fact that we needed RFC3552, and that we need this document, is not evidence that our brains have fallen out. It is simply evidence that it is good to state expectations formally rather than hoping that everybody is on the same page but not making any attempt to actually get them there.