Re: [secdir] [Last-Call] Secdir last call review of draft-foudil-securitytxt-08

[Benjamin Kaduk <kaduk@mit.edu>]

On Sat, Dec 28, 2019 at 09:38:36PM -0800, Randy Bush wrote:
> 
> >> these half-assed "the market demands something" panaceas provide
> >> false solutions we have to clean up later; emphasis on that last
> >> clause.  rwhois anyone?  the highway is littered with whitepages
> >> roadkill.  today there is a massive problem with authority in the IRR
> >> (which some RIRs throw in with whois); and retrofitting a solution is
> >> now years in blah blah blah.
> >> 
> >> no one is asking for the perfect over the good.  but it is our
> >> obligation, before putting the ietf stamp on it, for it to be as good
> >> as we can reasonably get for the time.  this proposal is not, as has
> >> been enumerated time and again as it has been shoved through the
> >> process over objections.
> >> 
> >> imiho, tero's review stands.
> > 
> > I do note the second 'i', but I have to say that to me, "shoved
> > through the process over objections" sounds like a pretty serious
> > process violation that ought to be remedied.
> 
> that may be what you heard, but that is not what i said, or at least
> meant to say.
> 
> > I'd like to better understand what you see as the process violation
> > (if any) here, so that I can try to remedy it.
> 
> if i had a process objection, i would say it quite clearly.  i have a
> reputation to maintain :)

Okay, thanks for clarifying.

> technical objections have been raised all along the path of this
> document.  many of them ignored and repeated, many covered in tero's
> most excellent secdir review.  but the draft marched on.  today sm
> raised new issues.

Well, I do remember some objections raised when this draft was still at
SAAG/SECDISPATCH, but I also assigned it a document shepherd and refused to
touch it myself until the shepherd had worked with the authors to address
those comments to the extent that we understood them.  (That was mostly
comments from Paul Wouters, if I remember correctly; there may have been
others.)  So I'm not sure which objections you think have been ignored
while "the draft marched on" -- my intent was to get the initial objections
addressed (and yes, sometimes that was by attempting to make them "out of
scope", which does not always work well), and the next step in the process
is AD review followed by IETF LC.  Having more issues raised during a
single IETF LC isn't surprising (though it is perhaps unusual, with many
drafts getting no LC comments other than directorate reviews, which is
probably a different thread), so "ignored and repeated" and "but the draft
marched on" feel a bit like hyperbole to me.  But maybe I messed up and we
missed something; I'm sure you won't be shy about telling me if that's the
case.

> but you're a security guy, have the badge and all, even if your name is
> not steve.  read the darn thing and tell us what you think of it as
> reasonable and prudent secops practice.

I mean, I read it when I did the AD evaluation, and what I recall thinking
is that it proposes a mechanism that's useful in some cases but potentially
harmful in other cases, so the trick would be to get the writing to be
clear about the risks.  Having it already being in use tends to tilt the
scales towards "document the thing so that the semantics are well-defined",
though that does not absolve us of the duty to accurately document the
drawbacks and risks.  It's a mixed bag, and you'll need to think before
relying on the information in the file, but that's hardly unique to this
mechanism.

-Ben