Re: Appointment of a Transport Area Director

2013-03-04 15:12:52
"Russ" == Russ Housley <housley(_at_)vigilsec(_dot_)com> writes:

    Russ> Sam:
    >>> So in conclusion, I strongly value technical contribution and
    >>> demonstrated ability to pick up new knowledge in an AD. I do not
    >>> highly value knowing all the things going on in a specific area
    >>> at the time the AD joins the IESG.

    Russ> We mostly agree.  We both agree that strong technical
    Russ> contribution is an important aspect of the qualification.
    Russ> However, I believe that some basic clue in the Area is needed.

    Russ> Could you imagine serving with a Security Co-AD that could not
    Russ> explain how cryptography could be used for authentication?


Russ, we both served with someone who joined the IESG with gaps this big
(not security).  It worked out OK, although it was quite rough for the
person involved and for the co-AD.
I also have some experience helping people learn about security.
I do think I can imagine serving with someone like that, yes; it's frightening.

While I think I have an existence proof that it can work with big gaps
like that, no, it would not be my choice to serve with someone who had
those gaps.

To use security examples we're both familiar with, my claim is that
there are a lot of people outside the security area who have used
security technologies and who could explain for example how
cryptographic authentication works. There are a lot of people running
around RAI with a fair bit of security clue.  Some of those people might
have enough implementation or other experience to understand significant
details of a couple of security protocols. It wouldn't surprise me if
some of those folks had the skills to know when additional review was
required and to learn fast enough that it would work out for them to be
security ADs.
(Now why they'd want to do that to themselves is another story
entirely:-)

No, I don't think you can drop someone who is unfamiliar with an area
into an AD job. I do think you can potentially throw someone into an AD
job who has broad IETF experience and who has some familiarity with the
area in question.
I am having a hard time characterizing how much experience is needed,
but I think it's a lot lower than "world expert," but very much higher
than "couldn't follow important discussions in the area."