I think the problem is that many protocols are at the wrong level of abstraction to mandate use of any security controls.
For example, consider IPSEC which at one time was mandatory to implement in IPv6 but isn't any more because most protocols use SSL rather than IPSEC in any case. Should TLS be mandatory for SMTP? Well probably but what if an implementation uses IPSEC? The same problem comes up with SSL and HTTP. We can mandate the use of SSL but not a mechanism to validate the certs and without that SSL has little value. We can mandate the use of DNSSEC but that would be counterproductive at this point as DNSSEC is still a protocol with real deployment problems and issues that have to be fixed before it is ready. They might have been addressed earlier if the people involved were not so confident that deployment was inevitable, making use mandatory would further discourage fixing issues such as how clients get access to the DNSSEC signatures so they can do validation.
_______________________________________________ perpass mailing list [email protected] https://www.ietf.org/mailman/listinfo/perpass
