Is there something wrong with the spec? Does it force weak
cryptography?

Paul,

I realize you're trying to keep the flames down, but let me suggest
that these two questions are not equivalent. Furthermore, the latter
question is not terribly relevant, and addressing that question
diverts attention from more important issues.

The interesting question is not "Does the spec force weak cryptography?"
The questions to ask are more on the order of:

a. Will the protocol do what it claims to do?
   (e.g. does it really provide assurances of authentication and/or
   privacy?)

b. Will it provide adequate security for general-purpose use?
   (and if not, what is the intended scope of use, and is that
   scope sufficiently broad to warrant Internet standards-track
   approval?)

Keith