On 1/19/12 9:02 AM, [email protected] wrote:
>
> Hi Gabor,
>
> Peter's comment: "I think it would be better to consider the various
> threat levels and then decide how to provide reasonable protection against
> them in a comprehensive way." makes sense.
> It is unnecessary to specify requirements such as the need for OCSP in
> case certificate-based authentication is used etc.
> Rather, let's specify a broader set of security requirements based on the
> threat model and let the solution(s) decide what would be the best
> approach for dealing with such security needs.

Typically, IETF protocols specify a baseline (e.g., minimum TLS version,
rules for cert checking) so that we can ensure basic interoperability. Is
there a reason why we would not do the same here?

Peter

--
Peter Saint-Andre
https://stpeter.im/

_______________________________________________
paws mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/paws
