On 10/10/2013 04:11 PM, Richard Shockey wrote:
> Tony .. Always wonderful to hear from you!
>
> The point we clearly agree on is that a productive discussion on this
> subject would be the usability and deployability of security protocols. If
> there has been a failure it lies there.

I think the above is somewhat fair. We have tended to have only the crap-or-no security version of protocols and the (ideally) highly-secure version, which makes a good bit of sense in many ways but perhaps less when one considers pervasive monitoring.

But personally I don't buy that that explains everything. We are still faced with a bunch of cases where we have MTI security in specs and it's just not deployed. For example, there are no user interface issues between SIP proxies, and deploying TLS just should not be hard for such server-server interactions - you'd nearly have to go out of your way as an implementer to make it hard I think. (Assuming you start implementing it:-) Maybe as Jon said the need just wasn't perceived for one reason or another, but I reckon today's new situation might change that somewhat.

In any case, mandating strong MTI security just hasn't by itself worked well enough in some cases for whatever reason.

So... what can we change to make it more likely that good security and privacy features are specified and deployed?

S.
