On 07/04/2014 00:30, Christian Huitema wrote:
I agree with those who've said a threat analysis is needed before
deciding access is limited to TLS or other secure alternative.
But we have that threat analysis, and the recommended mitigation is precisely "encrypt everything." The "pervasive monitoring" threat is analyzed by a number of perpass drafts, and Stephen has merely followed the conclusions of that analysis. There is no need to repeat that analysis for each and every tool that the IETF produces,
A (justified) reference to a base RFC is surely allowed, and the degree
of commonality will surely determine whether it passes on the nod, or
the covers get taken off for a closer investigation.
and there is indeed a need for the IETF as a whole to "lead by example."
I am concerned that statement makes too broad an assumption about what
an application is let alone what a threat mitigation is.
Stewart