
RE: Confirming vs. second-guessing

2008-03-18 06:47:58
Let's look at this from a security usability point of view.

The whole nomcon process is opaque, all meetings and discussions are secret. 
Requests for comment are solicited in confidence. Given those circumstances it 
is a reasonable assumption for a participant to make that all nomcon actions 
are strictly confidential. In fact that is by far the most reasonable 
assumption to make.

When you have a process that is vested in such a high degree of secrecy you 
will inevitably end up with a very high degree of suspicion. Secret processes 
are antithetical to accountability.

The worst failure mode here is not that the nomcon is going to make the wrong 
choices and the IAB is unable to rescue them. The worst failure mode is that 
information that is released with a reasonable expectation of confidentiality 
is then disclosed.

I would much prefer to have a process that is completely open except in regard 
to actual balloting. To paraphrase Dave Crocker: Why would we expect to be 
experts in the area? We do bits on the wire, design of political institutions 
is certainly not an area in which competency has been demonstrated. 

But a process that is assumed to be more confidential than it actually is would 
appear to be the worst of all cases.

-----Original Message-----
From: ietf-bounces(_at_)ietf(_dot_)org on behalf of Steven M. Bellovin
Sent: Mon 17/03/2008 10:08 PM
To: Christian Huitema
Cc: 'Fred Baker'; Dan Wing; 'IETF Discussion'
Subject: Re: Confirming vs. second-guessing

On Mon, 17 Mar 2008 18:44:49 -0700
Christian Huitema <huitema(_at_)windows(_dot_)microsoft(_dot_)com> wrote:

And in order to make the confidentiality issue more concrete
(ie, real) would folks offer some examples of what falls under

"I accept the nomination of area director.  The current area
director, Mr. J. Sixpack, has been attempting to impose his
opinion that beer should contain rice.  This is causing a rift
in the working groups within the area.  I would follow the area
consensus that we should outlaw rice in beer and thus my
appointment as new area director would achieve peace and
harmony within the area."

Why should such a statement be confidential?

Try this one, quite non-hypothetical: a candidate for the IESG is
contemplating switching jobs.  His or her current employer does not yet
know this.  It has a clear bearing on whether or not that person can do
the job of AD, but equally clearly should not be broadcast to the world.

                --Steve Bellovin,
IETF mailing list
