[secdir] Secdir last call review of draft-ietf-elegy-rfc8989bis-03

Vincent Roca via Datatracker <noreply@ietf.org> Tue, 24 January 2023 13:07 UTC

MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Vincent Roca via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Cc: draft-ietf-elegy-rfc8989bis.all@ietf.org, eligibility-discuss@ietf.org, last-call@ietf.org
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <167456565791.19127.12641700321697459649@ietfa.amsl.com>
Reply-To: Vincent Roca <vincent.roca@inria.fr>
Date: Tue, 24 Jan 2023 05:07:37 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/gqHgHDIG4NP2VoBhzUw4caUuj1k>
Subject: [secdir] Secdir last call review of draft-ietf-elegy-rfc8989bis-03

Reviewer: Vincent Roca
Review result: Has Nits

Hello,

I have reviewed this document as part of the security directorate’s ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written primarily for the benefit of the security area
directors. Document editors and WG chairs should treat these comments just
like any other last call comments.

Summary: Has Nits

This I-D proposes an update to the NomCom eligibility process in order to
reduce the risk of coordinated attacks by an adversary who wants to get the
control of IETF, in a context where the generalization of remote attendance to
IETF meetings changes the rules.

I understand (end of section 3):
>   Finally, overly restrictive criteria work against getting a broad
>   talent pool.¶
but here we're not talking about IETF participation (which must remain as open
as possible), it's a key selection process for the IETF.

In my opinion (my two cents):
-- the NomCom candidate must be part of the **active community**.
Being part of the NomCom committee is earned.
How to define "active community" deserves consensus, but if Paths 2 and 3
(section 4) are valid, IMHO Path 1 is not, and there's a huge gap between 2-3
and 1! Can't we find a midway as a replacement for Path 1, e.g., being
co-author of a WG-Item document (the whole standardisation process takes so
long...)?

-- the NomCom candidate **identity must be verified**.
I've never been asked to prove my identity at IETF (registration, picking my
badge, editing an I-D), which is mostly fine. However we're talking here of
being part of a committee that is key to the IETF: it deserves additional
checks. And if there could be good reasons for an IETF participant to use a
pseudonym, this is an exception, not the rule, and it disqualifies for NomCom
IMO.

Additional remark:

-- Section 4: I understand we're talking about IETF, but I see no reason to
ignore IRTF altogether in Path 2 (section 4). Beeing a Research Group Chair or
Secretary is also sign of being part of the active community.

-- Section 4: I don't see a justification for 3 years (WG/RG chair or
secretary) versus 5 years (RFC author). Being in responsibility of a Group is
engaging and a sign of a commitment to the Community, much more than being
co-author of an RFC which is above all an individual achievement.

In any case thank you for considering this important topic.

[secdir] Secdir last call review of draft-ietf-el… Vincent Roca via Datatracker
Re: [secdir] Secdir last call review of draft-iet… Martin Duke
Re: [secdir] Secdir last call review of draft-iet… Michael Richardson
Re: [secdir] [Eligibility-discuss] Secdir last ca… Brian E Carpenter
Re: [secdir] [Eligibility-discuss] Secdir last ca… Eric Rescorla
Re: [secdir] [Eligibility-discuss] Secdir last ca… Vincent Roca
Re: [secdir] [Eligibility-discuss] Secdir last ca… Lars Eggert
Re: [secdir] [Last-Call] [Eligibility-discuss] Se… Toerless Eckert
Re: [secdir] [Last-Call] [Eligibility-discuss] Se… Salz, Rich
Re: [secdir] [Last-Call] [Eligibility-discuss] Se… Brian E Carpenter