Hi Ned,

On 10/26/13 4:48 PM, [email protected] wrote:
>> Networking standards are promoted by consensus and by network effects. In
>> the absence of some forcing function, "fallback to clear text" gets promoted
>> by network effects, because it is de facto forced by the sites that don't
>> bother deploying the more secure options. The best way to break that is to
>> provide "air cover" for security, e.g. a text in the protocol description
>> RFC that says "nodes requiring a modicum of security SHOULD refuse to use
>> clear text connections."  That would effectively turn the tables.
> Exactly! The only thing I would add is that "cover" should include a
> clear presentation of the tradeoffs and consequences.
>
> Unfortunately this is surprisingly hard to do well. It's much easier to start
> throwing MUSTs around.
>
> This also is effectively what happened in the IMAP case: Large sites like gmail
> and Apple only deployed imaps, with the result that a fully standards-compliant
> client actually won't work with their service!

And maybe that's a good thing, by the way.  But my main point is that
the IAB is reviewing this exact topic at a workshop that will take place
in December on Internet Technology Adoption and Transition.  It's not the
first time it's been considered, mind you.  See RFC 5218 by Dave Thaler
and Bernard Aboba.

Eliot
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
