Re: [111attendees] Why do we allow people to edit CodiMD meeting notes who are not logged in?

"Joel M. Halpern" <> Sat, 31 July 2021 19:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2837B3A158B for <>; Sat, 31 Jul 2021 12:02:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id AE5RfNveo-yr for <>; Sat, 31 Jul 2021 12:02:18 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id EA2783A15BB for <>; Sat, 31 Jul 2021 12:02:09 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4GcYXx4hLKz1nwhr; Sat, 31 Jul 2021 12:02:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=2.tigertech; t=1627758129; bh=/h5UZVzyQT8n8yMPx9YJwqI49Ly6yFw+KhWU1btCljo=; h=Subject:To:References:From:Date:In-Reply-To:From; b=UGY2IkiqGwY65/6C1N5pszFj5PcsSvghjU7tHYp/SFgbadgY5bVEx8t888aqkVLp+ 0U/V88cADvhBdG6h6I/jH+m6Stvh4FJz0wfE030V5Re5EmxbDq/G+8vw9awFPC0i+p TcUVym/NUeOH1VnsI1mdi/+jw2cQXQ7sM3KFkHtk=
X-Quarantine-ID: <O5gFGVeyCMEP>
X-Virus-Scanned: Debian amavisd-new at
Received: from [] ( []) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by (Postfix) with ESMTPSA id 4GcYXw3XFsz1nwgs; Sat, 31 Jul 2021 12:02:08 -0700 (PDT)
To: Matthew Finkel <>,
References: <> <20210730214914.y4zrqylmn7ynf2cj@localhost> <> <20210731180517.g2l43erk422w74qo@localhost>
From: "Joel M. Halpern" <>
Message-ID: <>
Date: Sat, 31 Jul 2021 15:02:07 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.12.0
MIME-Version: 1.0
In-Reply-To: <20210731180517.g2l43erk422w74qo@localhost>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <>
Subject: Re: [111attendees] Why do we allow people to edit CodiMD meeting notes who are not logged in?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Mailing list for IETF 111 attendees <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 31 Jul 2021 19:02:23 -0000

I would point out that if minutes are IETF contributions (which it seems 
to me they are), then for doing our best to confirm that the contributor 
has seen the note well, we probably want registration.

In general, while there are ways (that have been demonstrated) to bend 
the rules, IETF contributions are not supposed to be anonymous or 
pseudonymous.  Anyone can participate.  But you are responsible for your 


On 7/31/2021 2:05 PM, Matthew Finkel wrote:
> On Sat, Jul 31, 2021 at 01:16:30AM +0200, Carsten Bormann wrote:
>> On 30. Jul 2021, at 23:49, Matthew Finkel <> wrote:
>>> I'm still new around here, so please excuse my ignorance. Are you
>>> concerned about malicious edits? Have you seen abuse? Is there an
>>> inherent need for edit attribution?
>> Much less nefarious — I was taking notes with two other people, and I couldn’t see who they were — a little nudge to authenticate in the browser that you use for note-taking would take this uncertainty away.
>> (Why is that important?  If you do shared note taking, you want to know who is distracted, who knows about a particular subject so you can let them write that up, etc.  It’s just harder to fly blind.)
> Thanks for explaining the motivation, this is very helpful. I see
> authorship of anonymous edits [0][1] should be available in a newer
> version, but, from what I can see, a "Guest" can't set their own name .
> That is an unfortunate limitation [2].
> Requiring being logged-in is an immediate solution, but hopefully [2]
> will provide an alternative in the future.
> [0]
> [1]
> [2]
>> The possibility of malicious edits hasn’t hit us yet, and it might, so that may be another reason to go for “logged in” authorization.
>> But those really determined to grief would find a way anyway...
> Yes, that is certainly a risk, but I encourage supporting
> anonymous/pseudonymous contributions and edits because they are
> valuable, until this is no longer sustainable.
> Thanks,
> Matthew
>> Grüße, Carsten
>> -- 
>> 111attendees mailing list