Re: Has the IETF dropped the ball?

> > No.  It's not acceptable for any of these methods to use existing 
> > protocol elements in a way that contradicts either their definitions 
> > or their use in practice.
> If a method abuses an existing protocol or practice, seems to me it 
> will suffer in the competition with other methods that don't.
Tell that to the folks at Microsoft who deliberately violated the MIME 
specification's rules about presentation of unsafe content, and who 
have cost the network community several billion dollars by increasing 
their customers' vulnerabilities to viruses and worms.
> Please give me an example of something the IETF needs to make a 
> *requirement* for every authentication method.
I've already given one.

IETF's job is to write a set of rules that, if followed, will result in 
interoperation.  If our rules are not sufficient to do that, it's a 
flaw in our work that needs to be corrected.  If an authentication 
method causes legitimate use cases to break, it doesn't meet the 
requirements for standard.  However I do think that it's possible to 
tweak most of the proposals that exist now so that they don't break 
things.
Keith