On Jul 9, 2019, at 2:32 PM, John Bambenek <jcb=40bambenekconsulting....@dmarc.ietf.org> wrote:

> Then why do we allow them to have social media accounts, email accounts, etc?

We don’t.

> How many RFCs involve using passwords somewhere in them? We know users pick
> bad passwords. We know users reuse passwords. And we know credential theft
> and misuse is a big problem. Were these same considerations given to those
> proposals? If not, why is THIS proposal that involves basically phone numbers
> and email addresses getting this scrutiny?

If someone were to propose using passwords in a new specification, I think it would see fairly significant pushback.

> If this is the hangup, then why isn't there a PIA (or related) process for
> every I-D and RFC? What formal process should I undergo to have this
> evaluated? Or should there be one created?

There is. There are several RFCs that you should read that talk about the problem. You are expected to know about them.
e.g.: https://tools.ietf.org/html/rfc6973
e.g.: https://tools.ietf.org/html/rfc8280
e.g.: https://tools.ietf.org/html/rfc2804
e.g.: https://tools.ietf.org/html/rfc7258

I could go on, but these are the low-hanging fruit.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop