Re: Quality of Directorate reviews

Benjamin Kaduk <> Sat, 16 November 2019 07:08 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6034C1200E3 for <>; Fri, 15 Nov 2019 23:08:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id WoRoevpRiiXL for <>; Fri, 15 Nov 2019 23:08:07 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A6B1912008D for <>; Fri, 15 Nov 2019 23:08:07 -0800 (PST)
Received: from ([]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by (8.14.7/8.12.4) with ESMTP id xAG782Kj016369 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 16 Nov 2019 02:08:05 -0500
Date: Fri, 15 Nov 2019 23:08:02 -0800
From: Benjamin Kaduk <>
To: Michael Richardson <>
Cc: Keith Moore <>,
Subject: Re: Quality of Directorate reviews
Message-ID: <>
References: <> <20191.1573054128@localhost> <> <9182.1573147520@localhost> <> <> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 16 Nov 2019 07:08:10 -0000

On Sat, Nov 16, 2019 at 02:42:20PM +0800, Michael Richardson wrote:
> Keith Moore <> wrote:
>     >> On 2019-11-13 11:25 p.m., Keith Moore wrote:
>     >>> On 11/13/19 10:07 AM, Phillip Hallam-Baker wrote:
>     >>>
>     >>>> Maybe what we need is a structure that assigns multiple reviewers
>     >>>> for some projects and rubber stamps others.
>     >>> Seems like ADs already have a fair amount of discretion to ask for
>     >>> multiple in-depth reviewers vs. getting minimal review.   If having a
>     >>> human make such decisions isn't your idea of an appropriate
>     >>> "structure", I'd be curious to know what is.
>     >>>
>     >> The issue is that is only so much senior security clue to go around.
>     >> There is a non-trivial amount of effort for an-out-area reviewer to
>     >> spin up enough understanding about what a WG is doing.  There are a
>     >> lot of documents that simply allocate a new attribute from an existing
>     >> registry and then use it for something.  Determining if this has a
>     >> trivial or non-trivial security impact can be difficult.  If it turns
>     >> out to be trivial, then we've wasted the reviewers time (opportunity
>     >> cost).  If it turns out not to be trivial (and the reviewer missed
>     >> that), then if we are lucky, we catch it at IESG time, and then it
>     >> might be a year later.
>     > I don't disagree with any of the above.  And yet, I don't see how it's
>     > responding to either of the above replies.
> The current system assigns the review prior to the AD determining if they
> need an in-depth review or not.  So if we assign a senior (security) reviewer
> to a document that didn't need in-depth senior experience, then that person
> is unavailable (within the quantum of review assignment period) for the AD to
> assign them to do something more in-depth.

My understanding is that most directorates have a secretary that does the
assignments (secdir does, at least).  By the time an AD is looking at the
review next to the document it might only be a few days before the telechat
where the document is up for approval, which is not really enough time to
get another review in without deferring the document.  Maybe we should go
get that extra review and try to remove the stigma against deferring
documents; I don't have a sense for how the community would feel about

And yes, the AD should look at the directorate review when it arrives, but
looking only at the review and not the document being reviewed is not
always enough to tell whether additional review would be valuable.