On 21-Apr-19 06:44, John C Klensin wrote:
> Alissa,
>
> Just focusing on this one comment...
>
> --On Thursday, April 18, 2019 12:50 -0400 Alissa Cooper
> <alissa@xxxxxxxxxx> wrote:
>
>> ...
>> The proposal in this draft can also be trivially gamed by a
>> single or small handful of individuals creating a set of 10
>> email accounts, registering them to participate remotely, and
>> having them join remote sessions.
As others have pointed out, gaming the IETF by email is not
impossible, has been attempted, and could be attempted at any
time.
One thing we could discuss is whether subscription to any IETF
email list should require the subscriber to have a current tracker
account**. Since anybody can register for a tracker account, this
would not disenfranchise anybody. It would have two advantages, and
one obvious disadvantage:
+1: Ensures that there is only one place where a bogus subscriber
needs to be detected - i.e. the tracker.
+2: Would allow us to close the security loophole where mailman
sends passwords in the clear. (Details TBD, but it could certainly
be done.)
-1: Provides a single point of attack for the sock puppets.
** I can't remember whether remote participants require a tracker
account, but if they don't, they probably should.
Regards
Brian
