I will do my best to respond as we have not yet heard from any of the
Area Directors:
Jay's assumption that both clients and servers have to support
everything is false, only the clients have to support both servers that
use "HTTP security" and "TLS security". This was the compromise from
Washington DC.
The reason why the IETF is so stringent about security features is that
they are designing solutions for the INTERNET, they do not care about
INTRANETS. Part of the problem is that the press takes every opportunity
to criticize the "Internet" for its lack of security, which is threatening
the overall reputation of the whole Internet concept and has forced the
IETF to take somewhat extreme measures in response.
If, like Ira states, implementors react against some of the security
language in an IETF document, then they will implement an "almost conforming"
version without the security features they do not like. In the end, the
market decides what products you can sell at what price. My assumption
though is that customers will buy the "secure" versions, even if they cost
a bit more, as soon as the recently standardized IETF security features
become more generally available as products (which might take a couple of
years). So I think that we are debating a timing problem rather than a
technical problem.
Carl-Uno