Keith Moore <moore@xxxxxxxxxxxxxxxxxxxx> wrote:
    >> On 2019-11-13 11:25 p.m., Keith Moore wrote:
    >>> On 11/13/19 10:07 AM, Phillip Hallam-Baker wrote:
    >>>
    >>>> Maybe what we need is a structure that assigns multiple reviewers
    >>>> for some projects and rubber stamps others.
    >>> Seems like ADs already have a fair amount of discretion to ask for
    >>> multiple in-depth reviewers vs. getting minimal review. If having a
    >>> human make such decisions isn't your idea of an appropriate
    >>> "structure", I'd be curious to know what is.
    >>>
    >> The issue is that there is only so much senior security clue to go around.
    >> There is a non-trivial amount of effort for an out-of-area reviewer to
    >> spin up enough understanding about what a WG is doing. There are a
    >> lot of documents that simply allocate a new attribute from an existing
    >> registry and then use it for something. Determining if this has a
    >> trivial or non-trivial security impact can be difficult. If it turns
    >> out to be trivial, then we've wasted the reviewer's time (opportunity
    >> cost). If it turns out not to be trivial (and the reviewer missed
    >> that), then if we are lucky, we catch it at IESG time, and then it
    >> might be a year later.

    > I don't disagree with any of the above. And yet, I don't see how it's
    > responding to either of the above replies.

The current system assigns the review prior to the AD determining if they
need an in-depth review or not. So if we assign a senior (security)
reviewer to a document that didn't need in-depth senior experience, then
that person is unavailable (within the quantum of review assignment
period) for the AD to assign them to do something more in-depth.

--
Michael Richardson <mcr+IETF@xxxxxxxxxxxx>, Sandelman Software Works
 -= IPv6 IoT consulting =-