--On Monday, April 07, 2014 09:03 -0400 Ted Lemon <ted.lemon@xxxxxxxxxxx> wrote:

> On Apr 7, 2014, at 7:01 AM, Stephen Farrell
> <stephen.farrell@xxxxxxxxx> wrote:
>> Yes, we ought move away from passwords if/when we ever find an
>> acceptably better solution, and yes, people ought manage their
>> passwords well, but neither are today's reality more's the
>> pity.
>
> Perhaps it would be worth setting up support for client certs
> as a way to log in to IETF services. If we won't start, why
> would someone else?

If we are really serious about promoting/encouraging security, I'd really like to see this as an option. Not only would it be responsive to Ted's question, but, if we made it available and almost no one used it, it would give us a lot of information about the course we are on.

As to the core proposal, unlike SM, I would like to see each new application that someone proposes to be accessible through "secure" means only discussed one at a time. My fear of the whole Prepass effort was that it would be used in "we approved that, therefore we can and should do this without further discussion" arguments. I just thought it would take a few years to get to that point.

Finally, if the IETF effectively declares HTTP obsolete for anything but legacy applications, I think it is logically necessary that we create an applicability statement deprecating HTTP and approve it. Anyone really, seriously, want to go there or think that we could without losing all credibility in the vendor and user communities?

john