Longer or more meetings?

Marshall Rose mrose@dbc.mtview.ca.us
Sun, 8 Dec 2002 15:04:19 -0800


> You mean like the requirement that it actually provide security?

and if someone could ever provide a definition of "security", then the world
would be a better place.

 
> I'm sorry but I don't agree with this assessment. I wasn't that
> close to the situation, but as I understand it the security flaws
> in WEP came as a surprise to the WEP designers--certainly the
> Shamir RC4 key schedule attack was a surprise to everyone.
> 
> I don't want to get too deep into the discussion of WEP, but 
> I think it actually illustrates an important point. There
> are two sorts of complaints about WEP
> 
> (1) It doesn't solve the right problems.
> (2) It solves the problems it attempts to solve badly.
> 
> In general, I have some sympathy for the argument that the WEP guys
> saw the requirements differently. There is certainly room for
> differing opinions. What I don't have sympathy for is failing to
> achieve even those limited goals because the specific mechanisms they
> chose were insecure. A little consulting with someone with expertise
> would have alleviated this problem. 

well, i agree that dissecting WEP isn't a good topic for this list. but here's
one last datapoint: i recall reading a paper by one of the WEP guys which
basically confessed surprise at all the bad press they were getting since they
weren't interested in solving the problem that they were getting hammered on.
now maybe this is spinning after the fact, i don't know.

regardless, i don't think that the WEP folks are the only ones who have an
unfortunate history with respect to (2). clearly we have some recent examples of
that in the IETF.

but that reminds me, what were we arguing about again?  (-:

/mtr