I agree, The Security and Risk Analysis is major looks at how to redesign systems that are secure, how to measure risk, and how ensure that proper levels of privacy are maintained for individual users. Remember that security is a process, not a product. not all security and privacy are resolved technically, without forgeting that User is Weak node of chain.
HSTS , TLS ,HTTPS FTPS or NSS / GnuTLS / OpenSSL . can break the IETF web site old tools. but provide levels of privacy and security .
The delivery and maintenance team is responsible for on-going updating and monitoring, including security measures for access control and information confidentiality. when there are mechanisms in place to establish privacy and trust .
Serrhini Mohammed
Sun, 6 Apr 2014 23:30:11 +0000 от Christian Huitema <huitema@xxxxxxxxxxxxx>:
> I agree with those who've said a threat analysis is needed before
> deciding access is limited to TLS or other secure alternative.
But we have that threat analysis, and the recommended mitigation is precisely "encrypt everything." The "pervasive monitoring" threat is analyzed by a number of perpass drafts, and Stephen has merely followed the conclusions of that analysis. There is no need to repeat that analysis for each and every tool that the IETF produces, and there is indeed a need for the IETF as a whole to "lead by example."
-- Christian Huitema
С уважением,
mohammed serrhini
serrhini@xxxxxxx