Fred,
excellent comments.

As stated, this sounds adversarial. While there have been adversarial
relations with some WGs, I don't think that generalizes. In many cases
where I have delayed updating a draft, it was because it wasn't clear to
me what was being asked for, or there was no tickler that told me that the
comments had been posted. "You failed to provide security" is, if you
think about it, a pretty content-free statement. A better statement would
be "I believe that this is open to a man-in-the-middle attack of this
type" or "I don't see your threat analysis in the document".
yes, on all counts.
Frankly, apart from a special cases, I think ADs sound like they are
ruling by edict because they get a little frustrated saying the same thing
a zillion times.

Although I suspect there are a variety of reasons, the one you cite is
particularly interesting, because it suggests that the iesg could generate a
kind of 'semantic nits' document. Of course, the issues are deeper than
syntactic nits, but when they are consistently a problem, then dealing with
them almost can be routinized.

My issue
with "security considerations" has always been that I personally am not a
security expert, and dunning me for being open to this attack or that
without informing me that the attack exists mostly feels to me like an
attack.

yup.

I notice that the
current id-nits removes that set of questions; I think the net result is
that people will not ask themselves about obscure forms of attack. But I
think that approach is better than saying "you didn't do an adequate
threat analysis"; tell people how to do a good one and what questions they
are likely to need to answer.

yup.

d/
---
Dave Crocker
Brandenburg InternetWorking
+1.408.246.8253
dcrocker a t ...
WE'VE MOVED to: www.bbiw.net
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf