Re: [Txauth] consensus call on WG name: "Authorization and Delegation"

Dick Hardt <> Fri, 15 May 2020 23:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7D3323A0C30 for <>; Fri, 15 May 2020 16:02:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id LNocws_2IM7z for <>; Fri, 15 May 2020 16:02:44 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::132]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 34C463A0A32 for <>; Fri, 15 May 2020 16:02:44 -0700 (PDT)
Received: by with SMTP id a4so3138841lfh.12 for <>; Fri, 15 May 2020 16:02:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=rohRHRwK0I73aHAgnh0AolX9wPlABRbXCdIoMl61Vek=; b=ZXuJhiIF8YcdiK5J8wxR9hrR64ELmLpy32dZC9MgxGObwPMO5eScmSqykRILsiyFYh m3tvHCwIf9dts1VoVE7uBCNlVWsqhhvSLy+GFAIvr4CROG1q2DuoGHEw0QGC2YF9aGgB yn9wgMyAzrF52+TGkRwCtdltxI8G7lzqj8l64Hs/AvqYe1+hZdMQfRT08ldAUgF/iJYW Ond9sGXwb2FnEe4+Hf7AEfytuZTXl4J7lkOPkOVxRgDXec+9hClAtXe/uNM5jf/0BG1y 0WPdDooyOjbAKIbZUuIQdcIUGtebUaKYD9T+qB327fbbKzSdtsz9yTC5/Y0SnAJ2PPv+ AIwQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=rohRHRwK0I73aHAgnh0AolX9wPlABRbXCdIoMl61Vek=; b=JZ/82gzOqiYubaOlCgcwNRO+Z/D3Rwgp6cRfiVtyk60m/+/LcrsuOGTa7+R5tINudr jwalvKv2HWrWFdwb27toDP1dVCwjxfaPjH6cRSaNsdMhdqOFjaSCFU9YAUyrxYFn1QNJ 1jxsQ00eX0YpCIYBYbGIZOq+PEKeI7qbFGfI7qaChNr41a2sq4azOgLrRb2uikh29JIl 4+ESwXu6Ohhh8QRGeeAdm2LwWNq7iUXW/o4mPZB9/bf/wcsEdsQUgwd8+KLNfJNoiowF Q7SY/S3lVvTmm4zhxjI0MisYvkMagw5zcLnpjNZhPkoP/LjuvNQwSMYk8pcrceDcrG9s utAg==
X-Gm-Message-State: AOAM531+/vHDz/HljlpCz7si6+Ok6HpPwLi/oXoQqdDkWL77UBWXq1C+ rjv9QzuXts5hYG5Al2dGltywOn9itbLHP2ev2ME=
X-Google-Smtp-Source: ABdhPJywXe2rih804rVQAuKh9yPja+/jl12Ezs76aZiWQAr36UDoodDSXmK642ldJdoVlMk1F7AZEi1ywHQQe0BNqn0=
X-Received: by 2002:a19:c88e:: with SMTP id y136mr4011239lff.78.1589583761932; Fri, 15 May 2020 16:02:41 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <> <> <>
In-Reply-To: <>
From: Dick Hardt <>
Date: Fri, 15 May 2020 16:02:15 -0700
Message-ID: <>
To: Justin Richer <>
Cc: "" <>, "" <>
Content-Type: multipart/alternative; boundary="0000000000007885f005a5b7cf37"
Archived-At: <>
Subject: Re: [Txauth] consensus call on WG name: "Authorization and Delegation"
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 15 May 2020 23:02:48 -0000

We are not going to make the May 18 deadline. My suggestion of
"Authorization and Delegation" was a Hail Mary attempt to get consensus
last minute.

There was not consensus to use "transactional". As Roman stated, we are not
voting, we are looking for rough consensus.

Per your concern on the process, we are looking for consensus as Roman
stated, not a majority of votes.

wrt. the votes, I was proposing that people would state their preference
(1st, 2nd, 3rd), not equal votes (top 3 choices)

Your last comment is confusing given your recent posts.

Have your concerns been addressed?

On Fri, May 15, 2020 at 3:50 PM Justin Richer <> wrote:

> I have a concern about the short timeframe needed here, which, as I
> understand it, would require getting everyone to participate over the
> weekend in order to get results in time - the original deadline given was
> Monday May 18. I fear that the timing will make people miss it entirely and
> we will not get a representative sample of the group.
> As an aside, I'm also concerned that you would discount the results below
> when the decision to not use "transactional" was a much, much smaller
> sample and margin. And yet that decision seems set and done, since it was
> excluded from the poll options entirely.
> I'm also concerned that the process outlined is not fully specified. If we
> are going to do this, I would like to know more about the voting process
> proposed in 3, specifically what the timing will be and how votes will be
> counted. Is this a preference system, where order matters, or is it three
> equal votes per person? I think these things need to be clear before anyone
> submits feedback.
> More than anyone, I want this process to be fair and representative. I am
> eager to get on to the real work because I think we have an opportunity to
> make major steps forward for application security on the internet.
>  - Justin
> ________________________________________
> From: Dick Hardt []
> Sent: Friday, May 15, 2020 6:20 PM
> To: Justin Richer
> Cc:;
> Subject: Re: [Txauth] consensus call on WG name: "Authorization and
> Delegation"
> Justin: are you saying you have concerns with [3]? Do you have an
> alternative proposal?
> FWIW: if the actual results had been what you posted below, I would have
> rerun the poll with less dots per person to see if we would get to have
> rough consensus on one name. I would not consider those results below to be
> consensus.
> Additionally, with the significantly larger number of voters compared to
> previous votes, and the large number that all voted the same, together
> indicated the poll was being gamed. It is not possible to know which votes
> where legit, and which were not, which is why the conclusion was to call
> the poll spoiled.
> [
> <]%E1%90%A7>
> On Fri, May 15, 2020 at 3:02 PM Justin Richer <<mailtomailto:
>>> wrote:
> Thanks for the transparency, Roman. And thanks to Dick for providing the
> logs.
> I did a quick analysis of the results myself. I went through cleaned up
> the log file a little (there were some mixed spaces and tabs that made
> automatic parsing difficult) and disambiguated the several expansions of
> different names:
> TXAuth1: Truly eXtensible Authorization
> TXAuth2: Testable eXtensible Authorization
> TxAuth3: Transmission of Authority
> TIDYAuth1: Transference via Intent Driven Yield Auth
> TIDYAuth2: Trust via Intent Driven Yield Auth
> By removing every entry where all five points were awarded to TxAuth:
> Transmission of Authority, and tallying all others (including votes for
> other entries that had all five points awarded by one voter but to a
> different option), we get the following results:
> Totals:
> TxAuth3: 42
> TXAuth1: 25
> GNAP: 20
> PAuthZ: 19
> TXAuth2: 12
> TINOA: 9
> TIDYauth2: 8
> CTAP: 7
> NIRAD: 6
> ZAuthZ: 6
> GranPro: 4
> TIAAP: 4
> TIDYauth1: 3
> ReAuthZ: 3
> DIYAuthZ: 3
> IDPAuthZ: 2
> TIDEAuth: 2
> TIEAuth: 2
> RefAuthZ: 2
> BeBAuthZ: 2
> AZARP: 1
> AAuthZ: 1
> BYOAuthZ: 1
> CPAAP: 1
> As you can see, the winner of the poll is :still: overwhelmingly
> “Transmission of Authority”, even with all of these entries removed. I’ll
> note that this does not include the last seven votes that came in the last
> couple days, so these results are skewed even then.
> To be clear, I don’t think it’s fair to throw out all such votes, but
> since they are what’s suspect here I felt it important to see the results
> just those removed and see if it told a different story. It does not, and I
> think that indicates the consensus is actually still pretty clear.
> I am attaching both the cleaned-up log file as well as the quick python
> script that I wrote to do the analysis of the results, please check for any
> errors or inconsistencies.
>  — Justin
> On May 15, 2020, at 5:46 PM, Roman Danyliw <<mailtomailto:
>>> wrote:
> Hi!
> Full transparency here -- the chairs definitely consulted me with their
> concerns about the poll and with the logs before announcing the results
> [1].  I re-reviewed the logs [2].  It shows around vote #16 – 41, there is
> a number of entries where all votes assigned to a single choice (“TxAuth
> Transmission of Authority: 5”).  Observations (by Dick) of the incoming
> results, pinned these votes in a narrow time window.  Likewise, most of all
> of the other entries split their 5 ballots.  Could that be overwhelming
> support in the community?  Absolutely!  However, the lack of precise
> timestamps and IPs makes it hard to judge in this non-traditional scenario
> for selecting names.
> We’re going to have to live with this choice – names matter – and I don’t
> want any sense of skew to linger.  We tried an experiment using a tech that
> allows anonymous input (i.e., Decido) – it didn’t work (no fault of the
> tech).  Let’s do it the old fashion way on the mailing list.  If you have
> objections to [3], please raise your concern.
> We’re not in the voting business.  If we end up with two options that are
> “close”, we’re going to talk a little more.  Prior to final selection, WG
> chairs and I will also listen for objections to the name that the mailing
> list feedback suggested.
> I appreciate everyone patience.  I too would like to have a name chosen so
> we can get the charter advanced.  However, we’re going to do this name
> selection again so we can all have confidence in the process.
> Regards,
> Roman
> [1]
> [2]
> [3]
> From: Dick Hardt <<>>
> Sent: Friday, May 15, 2020 5:04 PM
> To: Justin Richer <<>>
> Cc:<>; Roman Danyliw <
> <>>
> Subject: Re: [Txauth] consensus call on WG name: "Authorization and
> Delegation"
> Justin: if you have a concern with how I am chairing the group, the
> appropriate action would be to bring it up with the AD (cc'ed). FYI: I had
> forwarded the log and my conclusions to Roman, and he had agreed that the
> poll had been gamed.
> As to my proposal of "Authorization and Delegation", I took the name you
> had proposed, and removed the adjective that people had found concerning. I
> was hoping that a bland name would be acceptable and we could move on to
> the actual work -- but that does not seem to be the case.
> On Fri, May 15, 2020 at 1:16 PM Justin Richer <<mailtomailto:
>>> wrote:
> -1
> I think the results of the poll were pretty conclusive and it’s not an act
> of good faith for the chair to propose a poll and then throw out the
> results of that same poll and go with something of their own choosing
> instead.
> How are you sure that it’s one person stuffing the ballot box? For my
> part, I put two dots on the winning title and one dot each of three others.
> I had a couple different people contact me off-list and told me they’d put
> their five dots on Transmission of Authority. So I think it’s reasonable to
> believe that’s the actual result, without examining the logs myself.
>  — Justin
> > On May 15, 2020, at 2:21 PM, Dick Hardt <<mailtomailto:
>>> wrote:
> >
> > Following on from my email wrt. the results of voting, please indicate
> if you are aligned with calling the working group the "Authorization and
> Delegation" working group with a +1 or -1.
> > --
> > Txauth mailing list
> ><>
> >
> ᐧ