Last Call Review of draft-ietf-iasa2-rfc2031bis-05
review-ietf-iasa2-rfc2031bis-05-secdir-lc-orman-2019-08-08-00

Request Review of draft-ietf-iasa2-rfc2031bis
Requested rev. no specific revision (document currently at 05)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2019-08-05
Requested 2019-07-08
Draft last updated 2019-08-08
Completed reviews Genart Last Call review of -05 by Peter Yee
Secdir Last Call review of -05 by Hilarie Orman
Assignment Reviewer Hilarie Orman
State Completed
Review review-ietf-iasa2-rfc2031bis-05-secdir-lc-orman-2019-08-08
Posted at https://mailarchive.ietf.org/arch/msg/secdir/R-RRzNIEw-bGnd4ZRYdPdsczX4o
Reviewed rev. 05
Review result Has Nits
Review completed: 2019-08-08

Review
review-ietf-iasa2-rfc2031bis-05-secdir-lc-orman-2019-08-08

(with corrected subject line)       

	 Security review of The IETF-ISOC Relationship
	 draft-ietf-iasa2-rfc2031bis-05

Do not be alarmed.  I generated this review of this document as part
of the security directorate's ongoing effort to review all IETF
documents being processed by the IESG.  These comments were written
with the intent of improving security requirements and considerations
in IETF drafts.  Comments not addressed in last call may be included
in AD reviews during the IESG review.  Document editors and WG chairs
should treat these comments just like any other last call comments.

Knitz.

This is an overview of the ways the IETF and the ISOC are entwined
with structural and legal relationships.  I believe that changes to
the RFC have been required because a new entity, the IETF LLC, is
being formed.  That slightly changes the way the IETF and ISOC
interrelate.

Does this affect the security of the Internet (something that might be
regarded as largely a mythical concept)?  The only problem that comes
to mind is that the several organizations might at some future time
have philosophical differences that are so deep that the ability of
the IETF to publish RFCs would be disrupted.  The organization that
holds IP is different from the organization that has the financial
oversight, and neither is the IP generator, so things might come apart
in some unforeseeable future.  I can see that the way the boards are
structured largely mitigates such worries.  Perhaps that is the best
that can be done.

An important document, the "operating agreement" ("Limited Liability
Company Agreement of IETF Administration LLC", August 2018), is not
available via the reference section of the draft in question.  I was
able to use Internet search to find a copy.

Section 6, "Legal Relationship with ISOC" mentions both the IETF LLC
and the IETF Trust.  It would greatly help to use subheadings to
clarify that these are two separate legal entities.

This sentence is a grammatical trainwreck:
"It was established by the ISOC/IETF LLC Agreement [OpAgreement] on
August 27, 2018, and governs the relationship between the IETF LLC and
ISOC."  The pronoun "it" refers to the IETF LLC.  The second clause
has no subject, but if it did, the subject would be "the operating
agreement".

We also see that "The creation of the IETF LLC has changed the way
that the IETF Trust's trustees are selected but did not change the
purpose or operation of the Trust.  One of the IETF Trust's trustees
is appointed by the ISOC's board of trustees."  How did it change
the way the trustees are selected?  Were there previously more or
fewer than one trustee appointed by ISOC?  Or was there some other change?

This sentence, which has probably been there for some time, "ISOC has
agreed to provide some funding support for the IETF (ISOC has
historically provided the IETF with significant financial support)"
sounds odd.  What is the difference between "some" and "significant"?
Should it be "insignificant" and "significant"?  "Not much" and "a
lot"?  Is the differentiation even meaningful now?  When did ISOC last
affirm its agreement?  Does it matter?

RFCs generally use American spelling, so at least the uncapitalized
uses of "programme" should be changed to "program" in

   ISOC also supports the IETF standards process more indirectly (e.g.,
   by promoting it in relevant communities) through several programmes.
   For example, ISOC's Policymakers Programme to the IETF (usually
   referred to simply as ISOC's policy fellows programme)