We violently agree. However, the most cited reason I get for watering down security requirements are what I mentioned below.
On Aug 30, 2011, at 2:19 PM, Keith Moore wrote: > > On Aug 30, 2011, at 2:02 PM, Eric Burger wrote: > >> Note the language >>> "MUST implement, SHOULD use" is a common compromise. >> ^^^^^^^^^^^ >> >> This is my heartache. Why is it a compromise? Most use of SHOULD I run >> into in WG's is either this precise one: >> I don't want to make this a MUST use, because I will have deployments >> *THAT ARE NOT FOR THE INTERNET* but I want to market them as if they were. >> Example: instant messaging systems for enterprises where tapping is a legal >> requirement, not something to be avoided. >> Example: instant messaging systems deployed where governments want to do >> warrantless, undetectable tapping >> >> I would offer neither of these examples are Internet examples, and we should >> get some iron underpants on and say so. > > Mumble. I fundamentally don't buy the argument that things that are used on > both local networks and the Internet should not be subject to > Internet-strength security. > > And even where recording is a legal requirement, that's NOT an argument for > sending traffic in cleartext or with weak encryption. That might be an > argument for some kind of backdoor - e.g. a trusted proxy or key escrow or > whatever, but it's not an argument for making the traffic available for those > without a legal need to see it. > >> SHOULD should neither be a crutch for making a proprietary protocol look >> like an Internet protocol nor for making two proprietary protocols look like >> a single, Internet protocol. > > agree. > > Keith >
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf
