On Jul 2, 2021, at 9:16 PM, Tim Cappalli <[email protected]> wrote:
>
> >> The current specs define the base protocols, but leave pretty much
> >> everything else undefined.
>
> That’s the job of a spec isn’t it? As far as I understand, deploying in the
> real world / best practices should go in a BCP.

We have specs with Security Considerations, and implementation guidelines. They're a lot more than just what bits go on the wire.

In general, a BCP is too late in the process. Vendors have already implemented the base spec, so what's "current" is a random grab-bag of stuff decided on by product managers, or by junior engineers.

I've seen many, many sites unable to deploy the security they want, due to a wide range of limitations in products. IMHO, these are security issues, and should be treated as such in the base specification.

There should be clear guidance given on a wide range of issues, such as security, implementation, UI, workflow, etc.

Not having those guidelines is a large source of income for me. But it is endlessly frustrating for everyone involved. I would prefer to help people build useful systems, instead of having them pay me to paper over issues in multiple products.

Alan DeKok.

_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu
