On 2019-11-13 11:25 p.m., Keith Moore wrote:
>
> On 11/13/19 10:07 AM, Phillip Hallam-Baker wrote:
>
>> Maybe what we need is a structure that assigns multiple reviewers for
>> some projects and rubber stamps others.
>
> Seems like ADs already have a fair amount of discretion to ask for
> multiple in-depth reviewers vs. getting minimal review. If having a
> human make such decisions isn't your idea of an appropriate
> "structure", I'd be curious to know what is.
>

The issue is that there is only so much senior security clue to go around.
There is a non-trivial amount of effort for an out-of-area reviewer to spin up
enough understanding about what a WG is doing.

There are a lot of documents that simply allocate a new attribute from an
existing registry and then use it for something. Determining if this has a
trivial or non-trivial security impact can be difficult. If it turns out to
be trivial, then we've wasted the reviewer's time (opportunity cost). If it
turns out not to be trivial (and the reviewer missed that), then if we are
lucky, we catch it at IESG time, and then it might be a year later.

WGs are given security advisors, and most don't use them, and many of them
are AWOL.