Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

Hi Mike,

On Wed, Oct 28, 2020 at 09:23:31AM -0700, Michael Thomas wrote:
> 
> On 10/28/20 8:51 AM, Roman Danyliw wrote:
[...]
> > [Roman] To my knowledge, formal security area liaisons are not common 
> > practice across WG, unless explicitly requested. I would characterize 
> > such formal arrangements as fairly rare.  More common are requests for 
> > early Security Directorate (SECDIR) reviews and trying to entice those 
> > with security experience to participate in WGs that feel they need 
> > that review.  Likewise, there has been an informal push in recent 
> > years to include language related to security in charters (which may 
> > have helped only a little bit in identifying concerns and need for 
> > help early in a work’s lifecycle).
> >
> 
> I seem to recall seeing security area reviews as the document is winding 
> toward last call, but it's been a long time since I've really 
> participated more than just cursorily. Part of why I chimed in is 
> because I'm part of the outside-looking-in kind of crowd this seems to 
> be addressing. I probably know more than your average security 
> researcher about IETF process, culture etc, but it's not my $DAYJOB by 
> any means and I'm pretty clueless about process arcana.
> 
> The other part of this is that in my two experiences, it wasn't THIS IS 
> WRONG YOU MUST FIX!!! It was "is there a problem here? can somebody 
> explain to me why it isn't?" I expect that most credible submissions are 
> going to be more like the latter than the former, but even those were 
> met with either hostility or indifference. Assuming it's been filtered 
> to being a credible concern, it seems to me that it ought to be 
> independently validated (or not), and better with somebody who doesn't 
> have a stake in the rfc (authors, participants) who aren't eager to open 
> Pandora's box. At the point somebody with known clue can vouch that 
> there's a good probability there's some there there, it becomes much 
> harder for the working group and authors to ignore.

I believe that the WG chairs/ADs can and should play this role of helping
to determine whether there is a real concern.

-Ben
