Re: Has the IETF dropped the ball?

2005-03-10 13:00:14

No. It's not acceptable for any of these methods to use existing protocol elements in a way that contradicts either their definitions or their use in practice.

If a method abuses an existing protocol or practice, seems to me it will suffer in the competition with other methods that don't.

Tell that to the folks at Microsoft who deliberately violated the MIME specification's rules about presentation of unsafe content, and who have cost the network community several billion dollars by increasing their customers' vulnerabilities to viruses and worms.

Please give me an example of something the IETF needs to make a *requirement* for every authentication method.

I've already given one.

IETF's job is to write a set of rules that, if followed, will result in interoperation. If our rules are not sufficient to do that, it's a flaw in our work that needs to be corrected. If an authentication method causes legitimate use cases to break, it doesn't meet the requirements for a standard. However, I do think that it's possible to tweak most of the proposals that exist now so that they don't break things.