Thanks for your thoughtful feedback, Mark.
Mark wrote:
Section 8.1 makes it Mandatory to Implement the protocol without any
security ("NoSec"). This seems counter to best practice in the IETF,
but I'll defer to the Security Area review.
Carsten responded:
Since it is the implementers who will decide whether they implement this,
this co-author could live with making implementing NoSec
completely optional. (It will be anyway, in practice, at the level of what
is actually configured.) The important point(*) from the WG
perspective here is that TLS is mandatory to implement, with the specifics
depending on the security mode needed (cf. RFC 7925).
(Note also that there are other ways to provide security with CoAP.)
(*)
https://github.com/core-wg/coap-tcp-tls/commit/fe348f543fc45e981e38e9354242012afb28dc60
Some context - during the security discussions in the WG, there was a
recommendation to "mirror" the similar section in RFC7252.
https://tools.ietf.org/html/rfc7252#section-9 states:
The NoSec and RawPublicKey modes are mandatory to implement for this
specification.
which is why NoSec is MTI.
I agree with Carsten. I'd be happy to make this completely optional if it
results in less dissonance for reviewers and there are no objections in the WG.