Dave Dolson asked me a question, and (with permission) I wanted to respond on the public list, since the topic is probably interesting for others as well. > I'm reflecting on this statement: > > "At the very least, I think it would be beneficial for the IETF community to continue to call attention to folks that the minimum bar when introducing a large number of devices (or any device) to the Internet includes things like automatic software updates and avoiding default passwords. " > > I'm probably showing my ignorance, but is there any kind of standard for automatic software updates? > As far as I know, this is an area reinvented by every development team. > And It is also an area of pitfalls and land mines. > > I did find this: https://tools.ietf.org/html/draft-iab-iotsu-workshop-00 , but it is unclear to me if more work will be done. > > Should the IETF specify protocols and design patterns for software updates? > > I see this as relevant to everything from routers to browsers, video games and automobiles, not just IOT devices. > > Thanks for any thoughts you might provide, Yes, it is relevant for many things. We do have RFC 4108, but I don’t know how widely it is used. And of course many of the other generic tools that the IETF has worked on can be applied to the software update case. I think additional software components, standards, and industry consolidation on their usage would be helpful. But like so many other things, the need and the will to use some of the existing or new things needs to come from the those build the stuff. Software updates are also somewhere between systems engineering and communications; the IETF hasn’t done that much work on systems engineering. Nevertheless, the push for work has to come from the community. Do we have people who believe there are unmet needs, and would be willing to work to address those? What specific things would you like to work on? Should we have a working group? And as noted before, January would be a perfect time to start talking about that :-) Jari P.S. I should also say that my original statement — specifying a minimum bar, broader than software updates — is potentially controversial. The IETF is primary about producing stuff that people want to use; we’ve had limited success in commanding people to use <important technology> by merely listing it as a requirement. People will use what they will use. One might classify the suggested minimum bar as wishful thinking, and that IETF resources would be better spent on building those missing software update standards or other pieces of tech. The reason why I had a different opinion in this case was not so much the direct ability to influence, but rather the indirect effect that we might have for instance if people affected by attacks, insurers, governments, etc. would be able to point to an IETF document and say that not even the minimum bar was met :-) But opinions will certainly differ on this. There’s also a category between issuing requirements and working on new tech, documenting state of the art and missing pieces/challenges; that is always useful. The IAB workshop on software updates was in that category. The document from the workshop is out: https://tools.ietf.org/html/draft-iab-iotsu-workshop-00