At 16:08 06-04-2014, David Morris wrote:
> I don't object to making TLS/et al access available when it can be
> done at a moderate cost. But that is different than the implied
> statement that the intent is to require TLS for future service
> access.

I read the statement as being about not having recurring discussions
about whether access to a future service will require secure
access. That's worthwhile.

https://datatracker.ietf.org has links to http://tools.ietf.org/ and
http://www.ietf.org. The "Search" link is to
"www.google.com".

jabber.ietf.org is listed as having the following issues:

- Certificate is not trusted
- Server allows SSLv2, which is obsolete and insecure.
- Server does not support the newest version, TLS 1.2.

The mail service does not support STARTTLS.

The current guideline for services is "server security based on
best-practices and data sensitivity level". There isn't any
information about the best-practices for information which will be
publicly available. Some people have been accessing (IETF) publicly
available information using clear-text protocols for many years. The
people do not consider "X is spying on you" as a reason to stop using
those protocols.

A few months ago, a person (not in the IETF) posted the following comment:

"I'd really like to know how secure this offer is before considering it...."

Regards,
S. Moonesamy