Re: [Txauth] consensus call on WG name: "Authorization and Delegation"

Justin Richer <> Fri, 15 May 2020 23:18 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C61553A0A3C for <>; Fri, 15 May 2020 16:18:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id kJ09xj-Y6x7t for <>; Fri, 15 May 2020 16:18:30 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8A3353A076C for <>; Fri, 15 May 2020 16:18:30 -0700 (PDT)
Received: from (W92EXEDGE3.EXCHANGE.MIT.EDU []) by (8.14.7/8.12.4) with ESMTP id 04FNHjGa007650; Fri, 15 May 2020 19:18:00 -0400
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1293.2; Fri, 15 May 2020 19:18:09 -0400
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1365.1; Fri, 15 May 2020 19:18:12 -0400
Received: from ([]) by ([]) with mapi id 15.00.1365.000; Fri, 15 May 2020 19:18:12 -0400
From: Justin Richer <>
To: Dick Hardt <>
CC: "" <>, "" <>
Thread-Topic: [Txauth] consensus call on WG name: "Authorization and Delegation"
Thread-Index: AQHWKuW/ssvjsfNNgUyB7JxcG80LLqiplYEAgABQhICAAAvNgP//wY0AgABH4oD//8Ik14AASZ2A//+/FvM=
Date: Fri, 15 May 2020 23:18:12 +0000
Message-ID: <>
References: <> <> <> <> <> <> <>, <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [Txauth] consensus call on WG name: "Authorization and Delegation"
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 15 May 2020 23:18:33 -0000

Thank you for the clarification on the deadline and the voting process, as that was not clear in the initial thread.  

I appreciate and understand that we are not a voting organization, it's one of the core tenets of the IETF as you know. I hope that the chairs can continue to be transparent about all of the information that they use to call consensus. 

I'm sorry that the fact that I want a fair and clear process is confusing to you, though I'm not sure why. Every response and action I have taken here has been to that goal. I hope that you can assume good intentions. 

- Justin
From: Dick Hardt []
Sent: Friday, May 15, 2020 7:02 PM
To: Justin Richer
Subject: Re: [Txauth] consensus call on WG name: "Authorization and Delegation"

We are not going to make the May 18 deadline. My suggestion of "Authorization and Delegation" was a Hail Mary attempt to get consensus last minute.

There was not consensus to use "transactional". As Roman stated, we are not voting, we are looking for rough consensus.

Per your concern on the process, we are looking for consensus as Roman stated, not a majority of votes.

wrt. the votes, I was proposing that people would state their preference (1st, 2nd, 3rd), not equal votes (top 3 choices)

Your last comment is confusing given your recent posts.

Have your concerns been addressed?

On Fri, May 15, 2020 at 3:50 PM Justin Richer <<>> wrote:
I have a concern about the short timeframe needed here, which, as I understand it, would require getting everyone to participate over the weekend in order to get results in time - the original deadline given was Monday May 18. I fear that the timing will make people miss it entirely and we will not get a representative sample of the group.

As an aside, I'm also concerned that you would discount the results below when the decision to not use "transactional" was a much, much smaller sample and margin. And yet that decision seems set and done, since it was excluded from the poll options entirely.

I'm also concerned that the process outlined is not fully specified. If we are going to do this, I would like to know more about the voting process proposed in 3, specifically what the timing will be and how votes will be counted. Is this a preference system, where order matters, or is it three equal votes per person? I think these things need to be clear before anyone submits feedback.

More than anyone, I want this process to be fair and representative. I am eager to get on to the real work because I think we have an opportunity to make major steps forward for application security on the internet.

 - Justin
From: Dick Hardt [<>]
Sent: Friday, May 15, 2020 6:20 PM
To: Justin Richer
Subject: Re: [Txauth] consensus call on WG name: "Authorization and Delegation"

Justin: are you saying you have concerns with [3]? Do you have an alternative proposal?

FWIW: if the actual results had been what you posted below, I would have rerun the poll with less dots per person to see if we would get to have rough consensus on one name. I would not consider those results below to be consensus.

Additionally, with the significantly larger number of voters compared to previous votes, and the large number that all voted the same, together indicated the poll was being gamed. It is not possible to know which votes where legit, and which were not, which is why the conclusion was to call the poll spoiled.


On Fri, May 15, 2020 at 3:02 PM Justin Richer <<><<>>> wrote:
Thanks for the transparency, Roman. And thanks to Dick for providing the logs.

I did a quick analysis of the results myself. I went through cleaned up the log file a little (there were some mixed spaces and tabs that made automatic parsing difficult) and disambiguated the several expansions of different names:

TXAuth1: Truly eXtensible Authorization
TXAuth2: Testable eXtensible Authorization
TxAuth3: Transmission of Authority
TIDYAuth1: Transference via Intent Driven Yield Auth
TIDYAuth2: Trust via Intent Driven Yield Auth

By removing every entry where all five points were awarded to TxAuth: Transmission of Authority, and tallying all others (including votes for other entries that had all five points awarded by one voter but to a different option), we get the following results:

TxAuth3: 42
TXAuth1: 25
GNAP: 20
PAuthZ: 19
TXAuth2: 12
TIDYauth2: 8
ZAuthZ: 6
GranPro: 4
TIDYauth1: 3
ReAuthZ: 3
DIYAuthZ: 3
IDPAuthZ: 2
TIDEAuth: 2
TIEAuth: 2
RefAuthZ: 2
BeBAuthZ: 2
AAuthZ: 1
BYOAuthZ: 1

As you can see, the winner of the poll is :still: overwhelmingly “Transmission of Authority”, even with all of these entries removed. I’ll note that this does not include the last seven votes that came in the last couple days, so these results are skewed even then.

To be clear, I don’t think it’s fair to throw out all such votes, but since they are what’s suspect here I felt it important to see the results just those removed and see if it told a different story. It does not, and I think that indicates the consensus is actually still pretty clear.

I am attaching both the cleaned-up log file as well as the quick python script that I wrote to do the analysis of the results, please check for any errors or inconsistencies.

 — Justin

On May 15, 2020, at 5:46 PM, Roman Danyliw <<><<>>> wrote:


Full transparency here -- the chairs definitely consulted me with their concerns about the poll and with the logs before announcing the results [1].  I re-reviewed the logs [2].  It shows around vote #16 – 41, there is a number of entries where all votes assigned to a single choice (“TxAuth Transmission of Authority: 5”).  Observations (by Dick) of the incoming results, pinned these votes in a narrow time window.  Likewise, most of all of the other entries split their 5 ballots.  Could that be overwhelming support in the community?  Absolutely!  However, the lack of precise timestamps and IPs makes it hard to judge in this non-traditional scenario for selecting names.

We’re going to have to live with this choice – names matter – and I don’t want any sense of skew to linger.  We tried an experiment using a tech that allows anonymous input (i.e., Decido) – it didn’t work (no fault of the tech).  Let’s do it the old fashion way on the mailing list.  If you have objections to [3], please raise your concern.

We’re not in the voting business.  If we end up with two options that are “close”, we’re going to talk a little more.  Prior to final selection, WG chairs and I will also listen for objections to the name that the mailing list feedback suggested.

I appreciate everyone patience.  I too would like to have a name chosen so we can get the charter advanced.  However, we’re going to do this name selection again so we can all have confidence in the process.



From: Dick Hardt <<><<>>>
Sent: Friday, May 15, 2020 5:04 PM
To: Justin Richer <<><<>>>
Cc:<><<>>; Roman Danyliw <<><<>>>
Subject: Re: [Txauth] consensus call on WG name: "Authorization and Delegation"

Justin: if you have a concern with how I am chairing the group, the appropriate action would be to bring it up with the AD (cc'ed). FYI: I had forwarded the log and my conclusions to Roman, and he had agreed that the poll had been gamed.

As to my proposal of "Authorization and Delegation", I took the name you had proposed, and removed the adjective that people had found concerning. I was hoping that a bland name would be acceptable and we could move on to the actual work -- but that does not seem to be the case.

On Fri, May 15, 2020 at 1:16 PM Justin Richer <<><<>>> wrote:

I think the results of the poll were pretty conclusive and it’s not an act of good faith for the chair to propose a poll and then throw out the results of that same poll and go with something of their own choosing instead.

How are you sure that it’s one person stuffing the ballot box? For my part, I put two dots on the winning title and one dot each of three others. I had a couple different people contact me off-list and told me they’d put their five dots on Transmission of Authority. So I think it’s reasonable to believe that’s the actual result, without examining the logs myself.

 — Justin

> On May 15, 2020, at 2:21 PM, Dick Hardt <<><<>>> wrote:
> Following on from my email wrt. the results of voting, please indicate if you are aligned with calling the working group the "Authorization and Delegation" working group with a +1 or -1.
> --
> Txauth mailing list