On 1/1/14 6:11 PM, Ted Lemon wrote:
> On Jan 1, 2014, at 6:07 PM, Melinda Shore <melinda.shore@xxxxxxxxx>
> wrote:
>> I'm sorry, but when we get to the point where we need to point to
>> an RFC to stop progress on a document that has obvious
>> vulnerabilities, our brains have fallen out.
>
> This is counterfactual. We used to routinely handwave about
> security.

We still routinely handwave about security. It's an afterthought in entirely too many cases. Drafts are adopted by working groups while still having security considerations sections that consist in their entirety of "TBD." 3552's impacts have been, I think, on how documents are reviewed more than on how documents are developed.

One of the reasons I'm somewhat annoyed about the wave of gasbaggery and pontification that has followed truly disturbing revelations about the extent to which the US government has undermined privacy and compromised security technologies is that work which might have helped provide tools to mitigate some of the soft spots in IETF work has been backburnered in favor of no small amount of unfocused grandiosity that doesn't actually change much.

At any rate, this draft is not RFC 3552. 3552 provides very specific guidelines for what needs to be considered in writing^H^H^H^H^H^H^H^Hreviewing security considerations. It is tempting to just let this through last call in hopes that once it's done we can come back around to prioritizing work like fixing PKI, but I'd be very sorry indeed to see this published as a BCP.

Melinda