Last Call Review of draft-ietf-elegy-rfc8989bis-03
review-ietf-elegy-rfc8989bis-03-secdir-lc-roca-2023-01-24-00
| Request | Review of | draft-ietf-elegy-rfc8989bis |
|---|---|---|
| Requested revision | No specific revision (document currently at 05) | |
| Type | Last Call Review | |
| Team | Security Area Directorate (secdir) | |
| Deadline | 2023-01-23 | |
| Requested | 2023-01-09 | |
| Authors | Martin Duke | |
| I-D last updated | 2023-01-24 | |
| Completed reviews |
Rtgdir Last Call review of -04
by Acee Lindem
(diff)
Artart Last Call review of -03 by Scott Hollenbeck (diff) Secdir Last Call review of -03 by Vincent Roca (diff) Opsdir Last Call review of -03 by Dan Romascanu (diff) Genart Last Call review of -03 by Reese Enghardt (diff) Tsvart Last Call review of -03 by Dr. Bernard D. Aboba (diff) Secdir Telechat review of -04 by Vincent Roca (diff) |
|
| Assignment | Reviewer | Vincent Roca |
| State | Completed | |
| Request | Last Call review on draft-ietf-elegy-rfc8989bis by Security Area Directorate Assigned | |
| Posted at | https://mailarchive.ietf.org/arch/msg/secdir/gqHgHDIG4NP2VoBhzUw4caUuj1k | |
| Reviewed revision | 03 (document currently at 05) | |
| Result | Has nits | |
| Completed | 2023-01-24 |
review-ietf-elegy-rfc8989bis-03-secdir-lc-roca-2023-01-24-00
Hello, I have reviewed this document as part of the security directorate’s ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. Summary: Has Nits This I-D proposes an update to the NomCom eligibility process in order to reduce the risk of coordinated attacks by an adversary who wants to get the control of IETF, in a context where the generalization of remote attendance to IETF meetings changes the rules. I understand (end of section 3): > Finally, overly restrictive criteria work against getting a broad > talent pool.¶ but here we're not talking about IETF participation (which must remain as open as possible), it's a key selection process for the IETF. In my opinion (my two cents): -- the NomCom candidate must be part of the **active community**. Being part of the NomCom committee is earned. How to define "active community" deserves consensus, but if Paths 2 and 3 (section 4) are valid, IMHO Path 1 is not, and there's a huge gap between 2-3 and 1! Can't we find a midway as a replacement for Path 1, e.g., being co-author of a WG-Item document (the whole standardisation process takes so long...)? -- the NomCom candidate **identity must be verified**. I've never been asked to prove my identity at IETF (registration, picking my badge, editing an I-D), which is mostly fine. However we're talking here of being part of a committee that is key to the IETF: it deserves additional checks. And if there could be good reasons for an IETF participant to use a pseudonym, this is an exception, not the rule, and it disqualifies for NomCom IMO. Additional remark: -- Section 4: I understand we're talking about IETF, but I see no reason to ignore IRTF altogether in Path 2 (section 4). Beeing a Research Group Chair or Secretary is also sign of being part of the active community. -- Section 4: I don't see a justification for 3 years (WG/RG chair or secretary) versus 5 years (RFC author). Being in responsibility of a Group is engaging and a sign of a commitment to the Community, much more than being co-author of an RFC which is above all an individual achievement. In any case thank you for considering this important topic.