--On Wednesday, January 22, 2014 18:02 -0500 Sam Hartman
<hartmans-ietf@xxxxxxx> wrote:
>...
> If you think those are reasonable, then I'd strongly prefer to
> spend the time to figure out what we actually mean. Come up
> with text that makes it sure that such questions are
> reasonable while ruling out the things people are worried
> about.
>
> If we do not think that WGs should be required to justify
> these positions, then I strongly object to a claim that we
> have chosen to mitigate perpass attacks because I believe that
> claim is meaningless without actually being able to get WGs to
> justify these decisions while doing architectural review.
IMO, this lies nearly at the core of one of my fundamental
issues with the draft. If we are looking to make a broad
statement of intent that is not actually actionable, then the
statement linked from the IETF home page as "Leading Engineers
Agree to Upgrade Standards to Improve Internet Privacy..." is
probably sufficient. If someone wanted to republish that as an
Informational RFC, I'd hope that would not be controversial (if
it were, we have much deeper problems with this "perpass-attack"
draft).
On the other hand, if there is a real commitment to action, then
WGs have to be accountable for design decisions that do (or do
not) support the goal and be ready to explain their decisions,
even privacy-protecting ones that impose or increase costs to
performance, operations, or elsewhere. And I would expect (not
merely fear) ADs to push back strongly on a WG that was
unwilling or unable to do that and expect Nomcoms to hold ADs
accountable if they did not enforce the intent of the rules.
It is not clear to me that the community is really willing to
make that commitment. Fortunately, I'm lucky enough to not have
to make that call.
But it seems to me that this document, especially with some of
the recently-proposed changes, is trying to simultaneously be
-- a general statement of principles that sounds good,
encourages people to do good deeds wrt privacy and
surveillance issues but doesn't represent a real,
actionable, commitment by the IETF and
-- something far more substantial that actually changes
the way we do things wrt this particular area.
I don't think it can be both. And, if it is the latter, then
ADs who holding up a document with a DISCUSS or who try to force
a WG to more clearly justify its decisions are not being abusive
-- they are doing the job that the community has demanded of
them. And that, IMO, is what is different from the various
notes that have said, more or less, "we don't need to worry
about ADs holding up documents and abusing the system because of
this draft because there are ample opportunities for abuse
already". The concern is the AD who will say "just doing my job
and that document explicitly tells me that the community said
that was my job -- it isn't a judgment call whether or not it
is". That is ok if it is what the community wants, but we
need to be careful what we wish for.
john