Fred,

excellent comments.

> As stated, this sounds adversarial. While there have been adversarial
> relations with some WGs, I don't think that generalizes. In many cases
> where I have delayed updating a draft, it was because it wasn't clear to
> me what was being asked for, or there was no tickler that told me that the
> comments had been posted. "You failed to provide security" is, if you
> think about it, a pretty content-free statement. A better statement would
> be "I believe that this is open to a man-in-the-middle attack of this
> type" or "I don't see your threat analysis in the document".

yes, on all counts.

> Frankly, apart from special cases, I think ADs sound like they are
> ruling by edict because they get a little frustrated saying the same thing
> a zillion times.

Although I suspect there are a variety of reasons, the one you cite is particularly interesting, because it suggests that the iesg could generate a kind of 'semantic nits' document. Of course, the issues are deeper than syntactic nits, but when they are consistently a problem, then dealing with them almost can be routinized.

> My issue
> with "security considerations" has always been that I personally am not a
> security expert, and dunning me for being open to this attack or that
> without informing me that the attack exists mostly feels to me like an
> attack.

yup.

> I notice that the
> current id-nits removes that set of questions; I think the net result is
> that people will not ask themselves about obscure forms of attack. But I
> think that approach is better than saying "you didn't do an adequate
> threat analysis"; tell people how to do a good one and what questions they
> are likely to need to answer.

yup.

d/
---
Dave Crocker
Brandenburg InternetWorking
+1.408.246.8253
dcrocker a t ...
WE'VE MOVED to: www.bbiw.net