On 10/28/20 10:27 AM, Pete Resnick wrote:

> On 28 Oct 2020, at 12:00, Eliot Lear wrote:
>
>> This is where I think there may be some subtle issue, and I don’t
>> want to make this all about Mike. Many researchers have no equities
>> in our organization. They may not even have a fix available for the
>> very problem that they have found. We have red teams for a reason:
>> it’s just a different muscle. So they see their job as finished when
>> they’ve reported. And then they’re on to the next thing. That’s
>> their incentive model. Mike just happens to care more than most, but
>> we shouldn’t optimize around him.
>
> Lest there be any question: I completely agree with you on the above
> Eliot. The proposal on the table from the IESG that Roman posted is a
> great start into how to deal with exactly those researchers you are
> talking about, and I fully support the idea. I don't want those folks
> to have to wade through the rest of IETF process if they have no
> intention to be part of the whole kit and caboodle of WG protocol
> development. The one and only thing I was responding to was Mike's
> analysis of the core problem based on his personal experiences. He is
> not like one of those researchers in that he does participate in the
> IETF as a regular participant, and we should absolutely not be
> optimizing around the cases he's concerned with.

As I mentioned earlier, security issues can be very subtle and not easy
to explain or understand. Lobbing a write-only report over the wall is
hardly ideal. They have every right to do that, of course, but if they
can be coaxed to participate while it gets digested, that would be a lot
better. And then of course, there are the cases where somebody thinks
something might be wrong, but isn't sure of it. That more resembles me.
Maybe I'm a unicorn though. I'll check for glitter in a bit.
Mike