Göran Selander wrote:
we should
not ignore these security issues in new standards.
Definitely, we shouldn't ignore these security issues when defining new
standards.
Now why is this a comment on the IETF last-call for an existing
specification? It's not like Block was invented yesterday and people
are still figuring out how to implement it. For years, it has actually
been part of a number of specifications that were derived from the CoAP
specifications. It isn't very likely that spending another year or two
on finding out what specific mandates on proxies might possibly make
life a bit easier for a new object security specification would have any
influence on today's CoAP implementations.
When you have found out what is needed, write what you need into that
object security specification. Document the level of backwards
compatibility achieved (hint: You may want to carefully define your
objectives here). (And don't forget that you should be solving the
problem for cross-protocol proxies as well.)
Grüße, Carsten <not wearing chair hat today because I happen to be the
author of that specification>