Hi,

Steve's mail argues for the current IETF position that mandatory-to-implement (MTI) is the correct target for IETF specifications.
Some folks (me included, to be honest) wonder if the current situation argues for raising the bar there somewhat, on the basis that MTI security features are frequently turned off or not sufficiently well tested to be usable. (Pick your favourite example; mine are usually rfc4744 or Diameter being run in clear.) And an upshot from that is that that helps those who want to pervasively monitor everything.

Others argue that that'd be the IETF straying into the space of policy - all we should do is define how to use strong security features and make sure the code is there so they can be turned on, and the rest is policy.

I'm sure there are loads more arguments, and I do think it'd be useful to see those discussed here.

Thanks,
Stephen.

PS: Our -00 privacy BCP doesn't go beyond MTI for now, but were there consensus for that, I think it'd be good if we could go further.

_______________________________________________
perpass mailing list
perpass@ietf.org
https://www.ietf.org/mailman/listinfo/perpass