Alissa, Just focusing on this one comment... --On Thursday, April 18, 2019 12:50 -0400 Alissa Cooper <alissa@xxxxxxxxxx> wrote: >... > The proposal in this draft can also be trivially gamed by a > single or small handful of individuals creating a set of 10 > email accounts, registering them to participate remotely, and > having them join remote sessions. I note first that leaving the number at 20 wouldn't change that scenario significantly, if one had the skills and motivation to set up 10 such accounts, one could almost as easily set up 20 or 50. Second, the requirement is a little more complicated: one would not only have to set up those accounts but, if the 3 of 5 rule is preserved, they would have to join remote sessions during at least three consecutive IETF meetings, taking up most of a year. If one were trying to disrupt the IETF, mount a DoS attack, or impose large costs on the community, the need to work that far in advance would be a significant deterrent given that other, faster and easier mechanisms are readily available. > Even if all this would > result in is a series of recall committees being forced to be > constituted to deal with recall petitions that get rejected, > this could be a significant tax on our community. I think > analyzing the countervailing benefits of this proposal against > this tax or analyzing the costs and benefits of doing identity > verification to overcome it are important tasks that would > require the kind of discussion a WG can provide, and also > require a clear understanding of what the problem statement is. We may need to agree to disagree, but let me suggest a different way to look at this: Keep in mind that, as far as I know, we still have a rule that all substantive community decisions, including technical reviews in WGs and IETF Last Calls, get made on mailing lists. I feel as if that principle is eroding, but that might be just me and is a different topic in any event. Suppose there is a bad guy who wants to disrupt the IETF and prevent anything from getting done. So, following your scenario above, they set up a number of fake email accounts identities. Ten would probably be enough given how easily our mailing lists can be led into repeated discussions and down ratholes by a single person pushing an idea that is a little off-target or close to one that was considered earlier and rejected, but, as pointed out above, once someone decides to create a few such accounts, twenty or fifty is not much harder than ten and they don't need to be (and shouldn't be) created all as once. Now those virtual people show up on the IETF list and a selection of WG and other discussion lists, advocating positions that are either unacceptable or slightly-plausible but short of complete nonsense. They could even draw candidate topics and possible threads from discussions of the past, e.g., "SMTP is obsolete and attack-prone and it is time to replace it with..." or "the failure, after 24 years, of IPv6 to deploy, be the primary protocol at that layer, and restore unique addresses and the end to end model indicates that we should drop it and make another plan focused on...". One could think about identity verification as a counterattack, but I note that is another noise-inducing topic with which we have had a good deal of contentious experience. Other counterattacks include revocation of posting rights, but that has to be done one mail account at a time (unless we can prove that that all have the same origin and identify that origin, something we have massively failed to do with, e.g., spammers) and is also very expensive of community time. That alternate approach may be a little bit harder for some would-be evildoers than the one you posit because it requires either typing in messages or setting up and using a script generator, but if someone decides to disrupt the IETF (or impose taxes on the community), it has the huge advantage of almost-instant gratification. That attack has been available since the IETF got large enough that all participants ceased to know each other personally, certainly since the early 1990s. Despite some claims of deployment of "sock puppets", it has never been used effectively, or even, AFAICT, attempted in a serious way. Bottom line: An attack roughly equivalent to the one you outline, one that requires less calendar-time delay before causing the IETF to feel significant pain, does not depend on details of the recall procedure, has been available for a quarter-century and has never been attempted. Unless your analysis shows that the proposed change to the recall procedure would measurably and significantly increase the risk relative to what has been available for years, I suggest that we move on. best, john
