Stewart,
Remembering of course that some platforms which wish
to use the Internet simply do not have the capability for
other than a very tiny very basic stack.
I always use the PIC and the Arduino to remind myself what the
lower end of the franchise looks like.
You bring up a good point. And that is very important. The world of devices may
be more significant for Internet privacy than the world of browsers and
computers.
That being said, it is not always clear that small devises imply no security is
possible. My day job crypto team has worked on Arduinos, for instance. And many
of my friends who are in the devices business have been using 32 bit CPUs for a
while now because they are more easily available and/or cheaper. All this
reminds me also of my work fifteen years ago on optimising various protocols in
cellular devices, only to find out that couple of years later most devices were
capable of running 3D FPS games. Recently some of my colleagues did an analysis
of the energy consumption in today's small CPU platforms, and found that
wireless transmission/reception far outweighs any other activity, including
crypto. But there are indeed challenges in security of the device world. I'd
suggest they are mostly in the category of provisioning models (e.g.,
configuration) or architecture (e.g., transport vs. other types of security).
More work needed...
In any case, the document said "where possible", and I think it is important to
keep that distinction. Not all things are possible, and some possible things
are not possible in all platforms.
Jari