Agreed on all points. This is rapidly turning into the IETF's own version of
"if we can, we must" thinking.

Ned

> >>
> >> "The IETF are committed to providing secure and privacy
> >> friendly access to information via the web, mail, jabber
> >> and other services.
> Please confirm that "friendly" implies that the user gets to
> choose the degree of security privacy that they consider
> appropriate, and that their applications and devices are not
> encumbered with the overheads unless they choose to invoke
> the privacy and security mechanisms.
> >> While most (but not all) data on IETF
> >> services is public, nonetheless access to that data
> >> should use best practices for security and privacy.
> I agree, but please can you clarify your interpretation
> of "best practise" so that we can understand how
> liberal or prescriptive this is?
> >> However, as there are numerous legacy tools that have been
> >> built that require access via cleartext, the IETF will
> >> continue to allow such access so as not to break such
> >> tooling. New services will however generally only be made
> >> available in ways that use security protocols such as
> >> TLS."
> >>
> That is worrying, because it seems that you are intent on
> encumbering transactions, without requiring a case by
> case study of the threat model, and applying a security
> and privacy model that is appropriate to the specific
> transaction.
> Stewart.