Re: negotiation and consensus-finding styles
Phillip Hallam-Baker <phill@hallambaker.com> Wed, 16 December 2015 16:51 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70AF21A1B2E for <ietf@ietfa.amsl.com>; Wed, 16 Dec 2015 08:51:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.122
X-Spam-Level:
X-Spam-Status: No, score=0.122 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dzvnTavHlcyN for <ietf@ietfa.amsl.com>; Wed, 16 Dec 2015 08:51:13 -0800 (PST)
Received: from mail-lf0-x22a.google.com (mail-lf0-x22a.google.com [IPv6:2a00:1450:4010:c07::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4F631A1AFC for <ietf@ietf.org>; Wed, 16 Dec 2015 08:51:12 -0800 (PST)
Received: by mail-lf0-x22a.google.com with SMTP id p203so33849335lfa.0 for <ietf@ietf.org>; Wed, 16 Dec 2015 08:51:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=9QBKwanhlmPqC/gj46JFxu+DVQVFNsC3UhD5I1/Ekbw=; b=hTw1MORAzh1REi/h0by9Fjw2niAT/dtOYn0Z1YkAGP0jAZJcObAXCajyRnVFdQuPmy GovAf1CzwmBXzaoGSStq4shNNRqaqSFDbbX1HWF1LXdDpmXndjvP/cruAKA7fvT75Bpx jU34851WvM652WfP0C1Zo8lox/jpW6wUHREj/paj6aaU/CY7Kkm7qMjOA1zPYJRBS+OH NMlByFX6E6VhBeghG0b8LYDqGxX8n+vRaMcbzLSLs0kaFm7EJgsQURLEN6SNSYrzj4H8 5yCkYwPCBuA23fnlGm17IfJn3rkrLLzW7KW1ZtF3wqYepQSSMY6NkbD5wfYIrLNrUvKV ud1Q==
MIME-Version: 1.0
X-Received: by 10.25.206.203 with SMTP id e194mr15328782lfg.166.1450284670885; Wed, 16 Dec 2015 08:51:10 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.112.1.227 with HTTP; Wed, 16 Dec 2015 08:51:10 -0800 (PST)
In-Reply-To: <CAMm+LwgAaXQ94LvJdm-njR+kcUAuEwer0a01KPbAHon72AyErQ@mail.gmail.com>
References: <6E5B3A89-B75C-47DA-ADEE-E0F7B642C87C@piuha.net> <CAMm+LwgAaXQ94LvJdm-njR+kcUAuEwer0a01KPbAHon72AyErQ@mail.gmail.com>
Date: Wed, 16 Dec 2015 11:51:10 -0500
X-Google-Sender-Auth: wLHHMG-LQxyedthX2rcnxEVyjg0
Message-ID: <CAMm+LwgPg+0=OyZ9VbAVy-uJjbXEj1U88-4qHeOkrNcKG1PF8g@mail.gmail.com>
Subject: Re: negotiation and consensus-finding styles
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Jari Arkko <jari.arkko@piuha.net>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/qsfQzkepCYvuzCMbN0HOzWUpJtY>
Cc: IETF <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2015 16:51:14 -0000
On Wed, Dec 16, 2015 at 1:22 AM, Phillip Hallam-Baker <phill@hallambaker.com> wrote: > On Mon, Dec 14, 2015 at 8:04 AM, Jari Arkko <jari.arkko@piuha.net> wrote: > That is why consequences are important. A tenfold increase in > data volume is a serious consequence and should be accepted as > justification for a red line. The fact that the browser market is > driven by competition to optimize page load latency gives > rise to consequences. > > In general, a red line is not a personal constraint, it is an external one. Another way to identify a genuine red line from a bluff is what happens afterwards. Right now we have a situation in which CABForum rules for managing the WebPKI deliberately and intentionally violate a MUST in RFC 5280 Sec 4.2.1.10. According to RFC 5280, a name constraint MUST be marked critical. The industry explicitly rejected that approach and the CABForum has an override that allows the CA to decide. This is not an abstract dispute, conforming with RFC5280 causes a lot of real world systems to break which is of course the sole point of the critical flag. The only reason for marking an extension critical is when the desired behavior is for relying parties that do not understand the extension to reject the certificate. The industry has decided that wherever possible, name constraints should be used to limit the exposure of a CA or intermediate in the case of breach or compromise. Marking the certificates critical would have rendered them unacceptable. There has been one positive outcome from the situation though. I did use it in a private discussion with a former senior NSA employee as an example of an instance where the disclosure of the NSA BULLRUN program has materially damaged cyber security efforts. That person has subsequently changed their position on crypto backdoors to oppose them. Even if it is the case that the opposition was not driven by a covert NSA program, the suspicion that it might be is obviously damaging and corrosive. My personal theory is that that particular set of slides was actually written by a Major trying to make Colonel who was trying to explain how his cyber-defense activities fit into a mandate for cyber-attack. I think that there is a need for some mechanism to correct the situation in cases like these where a group in IETF came to a particular decision and the actual users of the specification came to a different decision and acted on it. No useful purpose is served by insisting that the specification reflect a Working Group consensus that has been rejected in the defacto Industry standard. More generally, I see a rather important distinction between 'the consensus is that we shall all do X' and 'the consensus is that you must do X'. There is a particular style of 'consensus based' standards making where a small group decide what they want to do and then use some very sharp elbows to eliminate folk who might have a different idea from the conversation. This is a particular problem with some of the people who peddle consulting in 'IETF process' and whose metric for success is speed to get their client's proposal published as an RFC rather than establishing the industry support necessary to get the proposal widely used.
- negotiation and consensus-finding styles Jari Arkko
- Re: negotiation and consensus-finding styles Carsten Bormann
- Re: negotiation and consensus-finding styles ned+ietf
- Re: negotiation and consensus-finding styles lloyd.wood
- Re: negotiation and consensus-finding styles Phillip Hallam-Baker
- Re: negotiation and consensus-finding styles Phillip Hallam-Baker
- Re: negotiation and consensus-finding styles Ted Hardie