On 10/27/20 1:27 PM, Pete Resnick wrote:
> On 27 Oct 2020, at 12:48, Michael Thomas wrote:
>
>> The most recent was with the STIR wg. I found some problems and
>> brought it up on the working group list and was ignored. This was
>> after they had issued RFC 8226 so I interpreted it at the time as
>> just not wanting to revisit anything. I started writing a blog post
>> about the things I found, but ended up giving up because there were so
>> many things wrong/underspecified. I then went through the wg archives
>> and saw that Dave Crocker had written a list of about 100 things that
>> were wrong/questionable at last call, almost all of which were
>> ignored. Worse: there wasn't much intersection between our lists. So
>> that reads to me as a wg that isn't interested in hearing about
>> problems. The same thing happened to me commenting on OAUTH which
>> caused the then editor to go ballistic. None of this should be
>> especially surprising: nobody likes somebody attacking (literally in
>> the case of security) their baby.
>
> So I presume you walked through the conflict resolution and appeals
> process, in the case of STIR starting with the STIR Chair, the ART
> Area Director, and/or the IESG as per RFC 2026 6.5.1, and in the case
> of OAUTH with the OAUTH Chair, the SEC Area Director and/or the IESG?

Why on earth would I want to be a drama queen? Especially since I had no
dog in either fight?

> Particularly in the case of OAUTH, if a document editor is
> misbehaving, then that needs to be dealt with. All it takes is an
> email message to start.

Barry handled the author fine, iirc. It's just that the wg as a whole
dismissed the problem even though what I predicted is exactly what
happened. They wrote my concern into the security requirements with like
a one sentence dismissal and everybody ignored it.

> Unless you actually engaged with the process and actually made
> leadership aware that something was going pear-shaped, I'm not
> terribly sympathetic.

Isn't this thread about getting outside clue to the attention of the
working groups more seamlessly? Your quoted process and sympathy is
exactly the wrong way to foster that.

> People seem very unwilling to walk through the conflict resolution and
> appeals process, and it's absolutely essential to the good functioning
> of the IETF that people use it from time to time. Again, the start of
> it is simply an email message to the chair saying "My comments are
> being ignored" or "The WG screwed up and made a bad technical choice".
> If you don't like the answers you get, well that's a different thing,
> but if you haven't actually engaged, you have only yourself to blame.

In OAUTH's case I did talk to Barry. For STIR after seeing what they did
to Crocker at last call it was apparent that it would fall on deaf ears
so why bother? I did bring up my concern on their mailing list before
I read the archives, but crickets. The flip side of this is that nobody
wants to be seen as an insane Cassandra in case you are actually wrong.
If you want outside clue but the reality is that they treat you as the
enemy, you're not going to get the desired result. Any fix for this
needs to account for that.
Mike