Re: Quality of Directorate reviews

Michael Richardson <> Sun, 17 November 2019 02:58 UTC

From: Michael Richardson <>
Subject: Re: Quality of Directorate reviews
Comments: In-reply-to Benjamin Kaduk <> message dated "Fri, 15 Nov 2019 23:08:02 -0800."
Date: Sun, 17 Nov 2019 10:58:43 +0800

Benjamin Kaduk <> wrote:
    >> Keith Moore <> wrote:
    >> >> On 2019-11-13 11:25 p.m., Keith Moore wrote:
    >> >>> On 11/13/19 10:07 AM, Phillip Hallam-Baker wrote:

    >> >>>> Maybe what we need is a structure that assigns multiple reviewers
    >> >>>> for some projects and rubber stamps others.
    >> >>> Seems like ADs already have a fair amount of discretion to ask for
    >> >>> multiple in-depth reviewers vs. getting minimal review.  If having a
    >> >>> human make such decisions isn't your idea of an appropriate
    >> >>> "structure", I'd be curious to know what is.

    >> >> The issue is that there is only so much senior security clue to go
    >> >> around.  There is a non-trivial amount of effort for an out-of-area
    >> >> reviewer to spin up enough understanding about what a WG is doing.
    >> >> There are a lot of documents that simply allocate a new attribute
    >> >> from an existing registry and then use it for something.
    >> >> Determining if this has a trivial or non-trivial security impact
    >> >> can be difficult.  If it turns out to be trivial, then we've wasted
    >> >> the reviewer's time (opportunity cost).  If it turns out not to be
    >> >> trivial (and the reviewer missed that), then if we are lucky, we
    >> >> catch it at IESG time, and then it might be a year later.

    >> > I don't disagree with any of the above.  And yet, I don't see how
    >> > it's responding to either of the above replies.

    >> The current system assigns the review prior to the AD determining if
    >> they need an in-depth review or not.  So if we assign a senior
    >> (security) reviewer to a document that didn't need in-depth senior
    >> experience, then that person is unavailable (within the quantum of
    >> review assignment period) for the AD to assign them to do something
    >> more in-depth.

    > My understanding is that most directorates have a secretary that does
    > the assignments (secdir does, at least).

Yes, that's my understanding.

I'd like to see more coordination between ADs (particularly Sec-ADs) and
directorates so that the security review process can occur earlier, and so
that any loop with the SecADs can happen earlier.

In the case of draft-ietf-anima-bootstrapping-keyinfra, I'd have liked to get
more attention from Christian, Jari and Russ (reviewers) and the various ADs
earlier.  The significant reviews were done a year ago, and we are just
finishing now.
That's a big investment of time among the 6 or 7 people involved.

    > By the time an AD is looking
    > at the review next to the document it might only be a few days before
    > the telechat where the document is up for approval, which is not really
    > enough time to get another review in without deferring the document.

It seems that we are doing these early secdir reviews, but somehow this is not
feeding up to the ADs well enough, who then do their own review.  That's just
not leveraging the secdir well.

    > Maybe we should go get that extra review and try to remove the stigma
    > against deferring documents; I don't have a sense for how the community
    > would feel about that.

I'm okay with this, but maybe the sponsoring AD and WG chairs need to be more
active in chasing down reviewers.

Again, I'd like more official acknowledgement of the work reviewers do.

    > And yes, the AD should look at the directorate review when it arrives,
    > but looking only at the review and not the document being reviewed is
    > not always enough to tell whether additional review would be valuable.

What if the Shepherd write-up had more ways to flag things?

Michael Richardson <>, Sandelman Software Works
 -= IPv6 IoT consulting =-