Thanks for your thoughtful feedback, Mark.

Mark wrote:
>> Section 8.1 makes it Mandatory to Implement the protocol without any
>> security ("NoSec"). This seems counter to best practice in the IETF,
>> but I'll defer to the Security Area review.

Carsten responded:
> Since it is the implementers who will decide whether they implement this, this co-author could live with making implementing NoSec
> completely optional. (It will be anyway, in practice, at the level of what is actually configured.) The important point(*) from the WG
> perspective here is that TLS is mandatory to implement, with the specifics depending on the security mode needed (cf. RFC 7925).
> (Note also that there are other ways to provide security with CoAP.)
> (*) https://github.com/core-wg/coap-tcp-tls/commit/fe348f543fc45e981e38e9354242012afb28dc60

Some context - during the security discussions in the WG, there was a recommendation to "mirror" the similar section in RFC7252.

https://tools.ietf.org/html/rfc7252#section-9 states:

   The NoSec and RawPublicKey modes are mandatory to implement for this specification.

which is why NoSec is MTI.

I agree with Carsten. I'd be happy to make this completely optional if it results in less dissonance for reviewers and there are no objections in the WG.