Re: Has the IETF dropped the ball?
2005-03-10 13:00:14
No. It's not acceptable for any of these methods to use existing
protocol elements in a way that contradicts either their definitions
or their use in practice.

If a method abuses an existing protocol or practice, seems to me it
will suffer in the competition with other methods that don't.

Tell that to the folks at Microsoft who deliberately violated the MIME
specification's rules about presentation of unsafe content, and who
have cost the network community several billion dollars by increasing
their customers' vulnerabilities to viruses and worms.

Please give me an example of something the IETF needs to make a
*requirement* for every authentication method.

I've already given one.

IETF's job is to write a set of rules that, if followed, will result in
interoperation. If our rules are not sufficient to do that, it's a
flaw in our work that needs to be corrected. If an authentication
method causes legitimate use cases to break, it doesn't meet the
requirements for standard. However I do think that it's possible to
tweak most of the proposals that exist now so that they don't break
things.

Keith