It looks like a statement of direction that's blanket
mandatory-to-implement is too much, since so many services need to be able
to run in an open mode. If there are any services that are only useful when
secured, we can trust the deployers to know that.