--On Tuesday, July 9, 2019 10:59 -0400 Phillip Hallam-Baker <phill@xxxxxxxxxxxxxxx> wrote:

>...
> This thread is demonstrating a key weakness in defining any
> process with security concerns on the basis of random drawing.
> The chance of hitting this particular corner case was really
> small.
>
> It doesn't much matter here but it could well matter in another
> circumstance.

Actually, as any competent statistician would tell you, drawing a random sample from a self-selected pool and then assuming (or pretending) that the sample is actually representative of a broader population is quite likely to go astray. When the membership of that pool is skewed by criteria and considerations that determine who self-selects, things go from "quite likely" to "nearly certain". Unless you are talking about a completely different issue than the one I understand to be the issue, the chances are anything but really small.

What is happening in this case is that the Nomcom is perceived as requiring sufficient time, resource commitment, and effort that few people are able to volunteer to be in the pool without organizational support. The number of organizations willing to provide that support to a significant number of people is quite limited and we should thank them for doing so. Whether they have concluded that having people on the nomcom is a desirable service to the community, beneficial to the company, or both is largely irrelevant to the composition of the pool. So is whether they know, in allowing or encouraging people to volunteer, that their exposure will be limited to a couple of people and that more volunteers increases the odds that they will have at least some representation on the nomcom itself.

The net result is that we end up with a pool with many volunteers from a relatively small number of companies, typically fairly large ones, probably the same companies or organizations who are willing to support people in roles like Nomcom chair, and a smattering of people who either come from smaller organizations, have other sources of support, or who are willing to make the investments themselves. When we draw a nomcom at random from that pool, it should be no surprise to anyone that those companies are all represented, probably up to the limit (of two) rather than just by one person. Indeed, anything else would be a surprise.

Now, the original 1996 assumption about the nomcom was that it would be representative of the IETF community. Given the random selection process, that assumption's being true requires that the pool from which that selection is made be reasonably representative of the community. Perhaps that was true twenty-odd years ago. Today it isn't. If we are going to open the more general set of nomcom topics, the questions of how we feel about that and how, if at all, it affects selections probably belong on the agenda.

AFAIK, none of the above has anything to do with your observation about security concerns or procedures. I'm not competent to judge whether that statement, in that context, is accurate or not, although I know there are attacks on the processes for determining randomness themselves.

best,
john