Re: [OPSAWG] draft-ietf-opsawg-tacacs-?? overview of significant changes over the last year

Andrej Ota <andrej@ota.si> Mon, 23 April 2018 14:52 UTC

Return-Path: <andrej@ota.si>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F023A129C51 for <opsawg@ietfa.amsl.com>; Mon, 23 Apr 2018 07:52:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.998
X-Spam-Level:
X-Spam-Status: No, score=-0.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, RDNS_NONE=0.793, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral (1024-bit key) reason="invalid (public key: does not support hash algorithm 'sha256')" header.d=ota.si
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9VClG3rfPZPL for <opsawg@ietfa.amsl.com>; Mon, 23 Apr 2018 07:52:10 -0700 (PDT)
Received: from mta2.toshio.eu (unknown [IPv6:2001:470:99f7::b423]) by ietfa.amsl.com (Postfix) with ESMTP id 36E36127909 for <opsawg@ietf.org>; Mon, 23 Apr 2018 07:52:09 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mta2.toshio.eu (Postfix) with ESMTP id 9980015933; Mon, 23 Apr 2018 14:51:52 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ota.si; h= message-id:references:content-transfer-encoding:date:date :in-reply-to:from:from:subject:subject:mime-version:content-type :content-type:received; s=toshio; t=1524495096; x=1526309497; bh=I1gVCVuzbqRd/CMafbHRSS4jXU/CHRN304qKS2QTPhM=; b=t924i6OGvybt s4iCnH2l5vRreB0/pzmJs/oPK4m69arRFtNR9GNMLGD4Sh7sLn+YBo7xfXq3x8it ii/urbZIbUiCCtCOlzoYwqrBLjtHPB19bi0sQ5pprgrQ+cgWjeGD9qdGqnzw+JBI i/25cfPlTWQI2cLTOY/ReLwHUNRpp90=
X-Virus-Scanned: amavisd-new at toshio.org
Received: from mta2.toshio.eu ([212.18.48.35]) by localhost (srv-fe-3.dom.ota.si [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id SeRPd_uDd9YT; Mon, 23 Apr 2018 14:51:36 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: Andrej Ota <andrej@ota.si>
In-Reply-To: <A3EB12A3-99CE-4623-83A3-4FC17A73D511@deployingradius.com>
Date: Mon, 23 Apr 2018 15:51:23 +0100
Cc: Douglas Gash <dcmgash@cisco.com>, Thorsten Dahm <thorstendlux@google.com>
Content-Transfer-Encoding: quoted-printable
References: <20180418184951.0506116A73@mta2.toshio.eu> <057F06CD-875F-440F-9BF8-EBA3250F2AA5@deployingradius.com> <20180420112616.55FE416EDA@mta2.toshio.eu> <A3EB12A3-99CE-4623-83A3-4FC17A73D511@deployingradius.com>
To: Alan DeKok <aland@deployingradius.com>, opsawg@ietf.org
Message-Id: <20180423145135.91C991592D@mta2.toshio.eu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/DlqUSMl_vVrZ-zG4uxV2Ia9VxTM>
Subject: Re: [OPSAWG] draft-ietf-opsawg-tacacs-?? overview of significant changes over the last year
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Apr 2018 14:52:13 -0000

Hi Alan and everyone,


>> I'm providing an explanation here. Please do not take it as an excuse but rather as what we see to be an honest and certainly not a flattering sequence of our choices. I hope to save others from repeating our mistakes in future.
>> 
>> We (the authors) have made a series of decisions immediately preceding -06 and following -06 which lead to breakdown in communication and generated significant frustration in others. The ones I'm aware of are:
>> 1) We used the text you suggested verbatim in -06 without adding an attribution at the same time. This was a big negligence on our part. We thought this would show responsiveness by aggregating verbiage of others, but in this we neglected that any significant addition requires and equally significant acknowledgment.
> 
>  What I saw was no response by the authors to my message.  It doesn't really matter what else is going on, a simple message of "oops, we're sorry" shouldn't take a year to write.
> 
>  As for showing responsiveness, a simple 5-minute email would be best.  Ignoring multiple messages for a year demonstrates total unresponsiveness to the issue.

We (all three of us) agree with you on both points.


> 
>> 2) By the time of Scott's mail, we already committed ourselves to do more research into vulnerabilities to expand on what you already provided and for that reason we left the mail unanswered at the time.
> 
>  That's not a valid reason for failing to respond to my message.  I'm surprised that this would be presented as an excuse, to be honest.

I have explicitly asked not to take this as an excuse, but as a list of errors that we've made. Call it a post-mortem.


> 
>  As for additional research, you have resources that have been ignored: the working group.  Perhaps there could be a *discussion* on the WG mailing list about the security issues?  A discussion that many people were requesting?  After all, that's what the WG is for.

We completely agree. I have already sent out the first mail with an aim to try and reveve the technical discussion about the topic.

I have separately sent a list what we recognized as a negative impact on the technical merit of the document - not to excuse ourselves, but to enable WG to add more where we missed things while self-reflecting.


> 
>  This attitude again shows a closed attitude towards the document.  The authors go off in private, do work, and update the document.  All without significant WG interaction.

We agree and we did take note of how bad this turned out to be. The list in the previous e-mail is an attempt to check with WG if we missed more than what we're already aware of (point 6.).



> 
>  The worst part is that it's still clear you don't know *why* WG interaction is important.  Many years into the process, and after multiple messages telling you what to do, you still show a lack of awareness about it.

Apart from trying to reboot the technical discussion, accepting responsibility for the mistakes we've done, trying to list the mistakes that we're aware of so the WG can point out if we missed anything, fixing mistakes that we can fix going forward and consistently keep communicating with the rest of the WG, what can we further improve?


> 
>> 3) The work proved to be more time consuming than we expected and this was reflected in barely keeping up with expiration deadlines. There was only -07 in August and -08, the first version which included an attribution, last February.
> 
>  That's not true.  It acknowledged I had *reviewed* the document.  There was *no* acknowledgement that "Sections X through Y were written by Alan DeKok.

I stand corrected. Acknowledgment is not the same as attribution.

What do you think about the following:
"The authors would particularly like to thank Alan DeKok, who provided significant insights and recommendations on all aspects of the document and the protocol. Alan authored the first draft text of Sections 9.1. through 9.8. which served as a critical foundation of the final text which continues to include large parts of Alan's original work."


> 
>> Almost a full year after -06. I can only imagine how your frustration must have been growing as months were passing while we were completely unresponsive and acknowledgment nowhere to be seen. This was another big negligence on our part.
> 
>  It comes across like the document is a private document, and that the WG opinions and reviews are completely unimportant.
> 
>  If you can spend time researching things, you can spend time interacting with the WG.  Which is the whole purpose of a WG.
> 
>  The IETF doesn't (or shouldn't) rubber-stamp documents written in privacy.  Yet that has been the process so far.

We agree with all three points you have raised. I do not like to repeat apologies and everyone is probably tired of reading about "will do this" or "will do that". The only thing we can do is to let future actions speak for themselves.


> 
>> 6) In the meantime we neglected to update the WG with information on:
>>  6.a) What work we were doing. This robbed the WG of the chance to set us on a better course of action.
>>  6.b) What were the intermediate results of the work even if not yet captured in a draft update.
>>  6.c) Overall progress of the work related to the draft between the sparse updates.
>> 
>> Even for this list I do not claim a perfect hindsight. If I missed more mistakes that we've made along the way, it would be good to repeat what it was even if it's probably frustrating to repeat what was already said or written.
> 
>  You were CC'd two days ago on my message saying I was OK with using the text, but wanted attribution.  Your response to that message apologized for misunderstanding my intent, that I didn't want the text used.
> 
>  That message could not have been more clear.  The charitable conclusion is that my message was simply not read.
> 
>  Which again shows the problem.

We apologized and continue to apologize for bad decisions we've made in the past, beginning with the decision to include your text without attribution.

I was thinking about the wrong decision we took in 2017 when we misunderstood your intent. By the time that was clarified, we were already in the progress of committing the next mistake. I understand how frustrating this must be, but we can only fix things going forward, we cannot make the past any nicer than what we made it.


> 
>  There have been many promises over the years to "interact more with the WG".  It hasn't really happened.  I welcome it, if it happens.  But you've given me no reason to believe what you say.

I am happy you decided to keep communicating with us.


Andrej Ota.