Also, I deeply regret the fact that my earlier mail came across as
personal assertion.
To the likely extent that you think that because my response sounded as if
that's what I thought, let me a) apologize for that, and b) emphasize that my
irritation is with the amorphous security community, not with individuals, and
particularly not with the substance of your statements.
It is the nature of things that those who make the effort to dive into the
discussion attract the reaction. I actually greatly appreciate that you are
doing the diving, even as I express frustrations.
Those developing functional protocols are universally interested in having good
security. There often is a legitimate debate about what is necessary and
sufficient for a particular function, since usages vary enormously in terms of
real-world threats. (By the way, the recent trend to have security folks
pressure functional folks to first elucidate expected threats strikes me as an
aid big enough to be paradigmatic.)
The problem is that a) of course the security folks cannot do all the security
development, but b) they have almost entirely failed to provide the rest of us
with the tools and guidance we need. Pure "education" about security issues is
not enough. We need things that are much more applied.
So we are left flailing on our own, and then get late-stage criticisms after we
have put in considerable effort.
Perhaps the single biggest benefit of having the Security Area produce some BCPs
is to for the security community to formulate community consensus explicitly.
d/
---
Dave Crocker
Brandenburg InternetWorking
+1.408.246.8253
dcrocker a t ...
WE'VE MOVED to: www.bbiw.net
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf