Re: Quality of Directorate reviews

Michael Richardson <> Fri, 15 November 2019 07:56 UTC


On 2019-11-13 11:25 p.m., Keith Moore wrote:
> On 11/13/19 10:07 AM, Phillip Hallam-Baker wrote:
>> Maybe what we need is a structure that assigns multiple reviewers for
>> some projects and rubber stamps others.
> Seems like ADs already have a fair amount of discretion to ask for
> multiple in-depth reviewers vs. getting minimal review.   If having a
> human make such decisions isn't your idea of an appropriate
> "structure", I'd be curious to know what is.

The issue is that there is only so much senior security clue to go around.
There is a non-trivial amount of effort for an out-of-area reviewer to spin
up enough understanding about what a WG is doing.  There are a lot of
documents that simply allocate a new attribute from an existing registry
and then use it for something.  Determining if this has a trivial or
non-trivial security impact can be difficult.  If it turns out to be
trivial, then we've wasted the reviewer's time (opportunity cost).  If it
turns out not to be trivial (and the reviewer missed that), then if we
are lucky, we catch it at IESG time, and then it might be a year later.

WGs are given security advisors, and most don't use them, and many of
them are AWOL.