On 21-Apr-19 06:44, John C Klensin wrote: > Alissa, > > Just focusing on this one comment... > > --On Thursday, April 18, 2019 12:50 -0400 Alissa Cooper > <alissa@xxxxxxxxxx> wrote: > >> ... >> The proposal in this draft can also be trivially gamed by a >> single or small handful of individuals creating a set of 10 >> email accounts, registering them to participate remotely, and >> having them join remote sessions. As others have pointed out, gaming the IETF by email is not impossible, has been attempted, and could be attempted at any time. One thing we could discuss is whether subscription to any IETF email list should require the subscriber to have a current tracker account**. Since anybody can register for a tracker account, this would not disenfranchise anybody. It would have two advantages, and one obvious disadvantage: +1: Ensures that there is only one place where a bogus subscriber needs to be detected - i.e. the tracker. +2: Would allow us to close the security loophole where mailman sends passwords in the clear. (Details TBD, but it could certainly be done.) -1: Provides a single point of attack for the sock puppets. ** I can't remember whether remote participants require a tracker account, but if they don't, they probably should. Regards Brian