>> "The IETF are committed to providing secure and privacy
>> friendly access to information via the web, mail, jabber
>> and other services.

Please confirm that "friendly" implies that the user gets to choose the degree of security and privacy that they consider appropriate, and that their applications and devices are not encumbered with the overheads unless they choose to invoke the privacy and security mechanisms.

>> While most (but not all) data on IETF
>> services is public, nonetheless access to that data
>> should use best practices for security and privacy.

I agree, but please can you clarify your interpretation of "best practice" so that we can understand how liberal or prescriptive this is?

>> However, as there are numerous legacy tools that have been
>> built that require access via cleartext, the IETF will
>> continue to allow such access so as not to break such
>> tooling. New services will however generally only be made
>> available in ways that use security protocols such as
>> TLS."

That is worrying, because it seems that you are intent on encumbering transactions, without requiring a case by case study of the threat model, and applying a security and privacy model that is appropriate to the specific transaction.

Stewart.