Last Call Review of draft-ietf-elegy-rfc8989bis-03
review-ietf-elegy-rfc8989bis-03-secdir-lc-roca-2023-01-24-00

Request: Review of draft-ietf-elegy-rfc8989bis
Requested revision: No specific revision (document currently at 04)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2023-01-23
Requested: 2023-01-09
Authors: Martin Duke
Draft last updated: 2023-01-24
Completed reviews:
  Rtgdir Last Call review of -04 by Acee Lindem
  Artart Last Call review of -03 by Scott Hollenbeck (diff)
  Secdir Last Call review of -03 by Vincent Roca (diff)
  Opsdir Last Call review of -03 by Dan Romascanu (diff)
  Genart Last Call review of -03 by Reese Enghardt (diff)
  Tsvart Last Call review of -03 by Dr. Bernard D. Aboba (diff)
  Secdir Telechat review of -04 by Vincent Roca
Assignment: Reviewer Vincent Roca
State: Completed
Review: review-ietf-elegy-rfc8989bis-03-secdir-lc-roca-2023-01-24
Posted at: https://mailarchive.ietf.org/arch/msg/secdir/gqHgHDIG4NP2VoBhzUw4caUuj1k
Reviewed revision: 03 (document currently at 04)
Result: Has Nits
Completed: 2023-01-24
Hello,

I have reviewed this document as part of the security directorate’s ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written primarily for the benefit of the security area
directors. Document editors and WG chairs should treat these comments just
like any other last call comments.

Summary: Has Nits

This I-D proposes an update to the NomCom eligibility process in order to
reduce the risk of coordinated attacks by an adversary who wants to get the
control of IETF, in a context where the generalization of remote attendance to
IETF meetings changes the rules.

I understand (end of section 3):
>   Finally, overly restrictive criteria work against getting a broad
>   talent pool.
but here we're not talking about IETF participation (which must remain as open
as possible), it's a key selection process for the IETF.

In my opinion (my two cents):
-- the NomCom candidate must be part of the **active community**.
Being part of the NomCom committee is earned.
How to define "active community" deserves consensus, but if Paths 2 and 3
(section 4) are valid, IMHO Path 1 is not, and there's a huge gap between 2-3
and 1! Can't we find a midway as a replacement for Path 1, e.g., being
co-author of a WG-Item document (the whole standardisation process takes so
long...)?

-- the NomCom candidate **identity must be verified**.
I've never been asked to prove my identity at IETF (registration, picking my
badge, editing an I-D), which is mostly fine. However we're talking here of
being part of a committee that is key to the IETF: it deserves additional
checks. And if there could be good reasons for an IETF participant to use a
pseudonym, this is an exception, not the rule, and it disqualifies for NomCom
IMO.

Additional remark:

-- Section 4: I understand we're talking about IETF, but I see no reason to
ignore IRTF altogether in Path 2 (section 4). Being a Research Group Chair or
Secretary is also a sign of being part of the active community.

-- Section 4: I don't see a justification for 3 years (WG/RG chair or
secretary) versus 5 years (RFC author). Being in responsibility of a Group is
engaging and a sign of a commitment to the Community, much more than being
co-author of an RFC which is above all an individual achievement.

In any case thank you for considering this important topic.