On 9/22/2010 1:02 PM, Thomas Walsh wrote:
Is Disclosure Mandated by RFC 5680:
----------------------------------
No, it is not. RFC 5680 does not require any NomCom to disclose the list at
all nor to disclose the entire list for that matter. Since this is the first
time the open disclosure has been instituted, NomCom is taking a careful
course. In the past, such information was available only to a subset of the
community. Now, for this NomCom, it is available to anyone in the community
who wants it and it is easy to obtain.
As I said in my previous post, I do not think the decision has major practical
effect, one way or the other. It's worth discussing in terms of principles and
concerns, but not much more than that, IMO. Since anyone can get an IETF login,
and since they do not disclose who they really are, and since the IETF
"community" is some thousands of people, we need to be clear that there is no
privacy created by putting something under IETF login access control.
I think that conservative thinking is the safer 'error' to make, if it's
reasonable to call a choice, here, an error. So while I don't happen to think
it necessary to put the list under access control, I'd rather have had Nomcom
"err" in that direction than to blindly choose open access. If open access had
been the choice and it was then deemed an error, it would be unfixable.
Identity vs. Access Control:
Online identity is a hot topic these days, where hot means popular and
volatile. It often does get coupled with resource usage authorization.
Discussions are often confusing, and notably miss the question of whether a
given online identifier is coupled with a real world identity (person,
organization or formal role.) Some identifier mechanisms only worry about
whether one usage of the identifier is by the same agent as a previous usage,
without worrying about who that actor really is. Virtually all public email and
mass-market web login services work that way.
So does the IETF's login.
It doesn't check whether the actor creating a login is real, has multiple
IETF logins, or anything else that is substantial. Its goal is, therefore, one
of ensuring that the use of an identifier is reliable, not that the actor
associated with it is known. In other words, it's a reliable labeling
mechanism, not really an identity mechanism, in its basic form.
Yes, there are some specific services on the IETF web site that have
/additional/ access control lists. These lists most definitely /are/ formed
with specific knowledge of what real person owns a particular identifier.
Nomcom's internal pages are an example of this. But this goes beyond the basic
use of IETF logins.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net