Michael Thomas <mike@xxxxxxxx> wrote:
So coming in here a bit late, but isn't the basic problem is that working groups don't want to hear criticism or take it seriously? So if you figure out problems with the protocol it's pushing on string at best and snarl inducing at worst.
I've been on both the sending and receiving end of many security concerns, both here and elsewhere. This includes, but is not limited to, my work as a media types reviewer for 20+ years, where I've written dozens of responses, including responses to working groups, pointing out inadequate security considerations. In all of that, I can count the number of times where my concerns were ignored or not taken seriously on the fingers of one hand. And while I'm obviously not the best judge when I'm on the receiving end, I can't think of a time when I've observed the sort of behavior you describe in a working group. What does happen sometimes is someone raises what is effectively a nonissue: It's either already been dealt with, so trivial it's not worth the bits to describe, out of scope, or simply nonsense. And when they are told as much, sometimes they get upset.
It would be great if working groups were receptive to issues, but there is every incentive to ignore or ridicule problems. And then of course there is the problem that there may not be a working group anymore.
Really? And what happens when the RFC is published without having addressed or at least acknowledged the concern, and whoever raised it points it out to the trade press? This sounds like an incredibly short-sighted, not to mention potentially reputation-destroying, approach to me.
Mike, who has experienced this repeatedly
Ned, who has not.
