[secdir] Secdir review of draft-moonesamy-ietf-conduct-3184bis

Alan DeKok <aland@deployingradius.com> Thu, 14 November 2013 16:36 UTC


  I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

  This document provides a set of guidelines for personal interaction at
the IETF.  This review therefore ignores any computer protocol issues or
attacks, and focuses on personal and procedural attacks.



...
2. Principles of Conduct

   1. IETF participants extend respect and courtesy to their colleagues
      at all times.

  This is a lofty goal, especially considering the next sentence:

     IETF participants come from diverse origins and backgrounds and
     are equipped with multiple capabilities and ideals.

  I would suggest adding "expectations and assumptions" to that
sentence.  Very often, misunderstandings come from differing
expectations.  Two participants might believe they share a language.
However, underlying assumptions mean that the words have different
meanings.  The expectations mean that the approach people take is
different.

  On a simplistic level, everyone believes that they are a reasonable
person.  Everyone believes that other people have the same mental models
they do.  Everyone believes that other people do (and will) behave the
way that they do.

  These assumptions are often wrong.  Discord in groups often comes from
misunderstanding what other people mean, and attributing
maliciousness to what is actually differing assumptions and expectations.


   2. IETF participants discuss ideas impersonally without finding fault
      with the person proposing the idea.

  It may be useful to re-phrase this as a positive statement.  i.e.:

  IETF participants discuss impersonal ideas, using evidence, fact, and
logic.  Discussions of persons, personalities, or motivations are
outside of the scope of the IETF.


  Items (3) and (4) seem reasonable to me.

  Other items which may be considered are the following.  They are less
inter-personal behavior, than behavior of an individual interacting with
the larger IETF.


- progress.  Participants are expected to contribute to the progress of
the working group.  Simple participation isn't enough.  We have to get
things *done*.

- consensus.  Participants are expected to accept the consensus of the
WG or the larger IETF.  Standards creation necessarily involves
compromise.  Compromise doesn't mean you've been personally put down.
It just means life is imperfect.


  IMHO, the Security Considerations section is not correct.

   Guidelines about IETF conduct do not affect the security of the
   Internet in any way.


  A social denial of service attack can affect the security of the
Internet.  The way to shut down progress on security solutions is simple
and cheap.  Attack the relevant players in court with spurious
accusations of harassment.  Sideline the group with discussion of
politics.  Have people "pick sides", and generally devolve the group
into endless bickering.

  The IETF has been subject to minor attacks by people who engage in
attacks, appeals, and who are repeatedly banned from WG participation.
If one person made it their life goal to destroy the IETF with false
allegations, they could have a significant impact on progress.