--On Tuesday, April 23, 2019 11:43 +1000 Mark Nottingham <mnot@xxxxxxxx> wrote: > > My initial discomfort with decreasing the number of > signatories on a recall petition may have been caused by my > perception of it as a mechanism to ensure some level of input > quality, since Section 7.5 of RFC7437 gives almost no guidance > to the recall committee, in contrast to the fairly detailed > guidance we give NOMCOMs regarding selection of our > leadership. First of all, as I think others (and my now long-ago note that SM pointed to in a note yesterday) have pointed out, the change in the procedures from "anyone can initiate" to the current requirement of 20 nomcom-eligible individuals was a DoS attack prevention mechanism. The newer and more restrictive procedure was, fwiw, a mechanism for preventing a type of attack on the process that we speculated was possible but that we had never seen, even with no protection at all other than (possibly-bogus) identification of the petitioner. With or without the change, there is/was nothing in the recall petitioning process that has anything to do with quality... any more than there are input quality protection mechanisms in nominating candidates for IETF leadership positions. That is actually another way to attack the IETF procedurally and consume community resources that takes less time and effort than faking names for a recall petition: create a few hundred bogus identities in the datatracker system (wouldn't take a determined attacker long and there are now many domains in which one can create cheap or free email addresses), find the right place in the Nomcom cycle, and then have them start nominating each other, and real identities chosen at random, for enough positions so that the Nomcom has to deal with a hundred or two candidates for each of a large range of positions. While the Nomcom might be able to dismiss a potential candidate who didn't respond to questionnaire requests, excluding someone without, e.g., scheduling interviews and otherwise pretending to take the candidacy seriously would be unprecedented and probably lead to appeals and other forms of noise. We haven't had that happen either and I think the point is that making the recall petitioning process harder (or even leaving it as hard as it is) provides no additional protection against attacks, if only because potential attackers have a range of equally or more effective mechanisms available at the same or lower cost. What it does do is to attack the claim and perception that the IETF leadership is actually accountable to the community. > Speculating, I suppose a lot would depend on the recall > committee chair; they could choose to run a process that > involves input across the community, or they could just focus > on the loudest complaints. Again, the draft in question only addresses the petitioning process. We don't have a standing recall committee (deliberately and for good reason, although that would be one way to cut down on the very long time an actual recall would take). If you think the recall committee process needs reform, I look forward to a draft, but I note that your concern above also applies to the Nomcom -- they could really try to get to the bottom of claims of poor or inappropriate behavior or they could believe what they hear from the loudest people or most numerous group. I hope we can assume that they strike a reasonable balance (although anyone who has been around the IETF long enough probably considers one or two choices that were made over the years to have been dubious). I don't see any reason to assume that a recall committee would be a lot worse. >... best, john
