> On Aug 11, 2015, at 4:52 AM, Stephen Farrell <stephen.farrell@xxxxxxxxx> wrote: > On 10/08/15 23:53, Roy T. Fielding wrote: >> That doesn't change the content of the text, which is not expressing >> a BCP in any shape or form. > > RFC1984 says: > > "Security mechanisms being developed in the Internet Engineering Task > Force to meet these needs require and depend on the international use > of adequate cryptographic technology." > > I read that use of "require... adequate" (and the rest of the text) as > defining a class of crypto that we do not accept for use with IETF > protocols so I think there is real BCP here even if there are no MUST > statements. That's a great example of selectively misreading a poorly written text that would not have passed through a normal last call period, let alone the IESG review, if it were not for the fact that everyone was reviewing it as an opinion piece instead of a formal spec. I read it as "That international commercialization of the Internet stuff we are doing is based on the premise of strong cryptography being generally available to provide confidentiality both within and across national borders." The reason I read it that way is because, in fact, none of the protocols we developed at that time actually required strong cryptography. They just assumed you would layer the right amount of cryptography underneath, using one of the (at that time) non-IETF security protocols with appropriate patent and export licensing. ....Roy