Lets look at this from a security usability point of view.
The whole nomcon process is opaque, all meetings and discussions are secret.
Requests for comment are solicited in confidence. Given those circumstances it
is a reasonable assumption for a participant to make that all nomcon actions
are strictly confidential. In fact that is by far the most reasonable
assumption to make.
When you have a process that is vested in such a high degree of secrecy you
will inevitably end up with a very high degree of suspicion. Secret processes
are antithetical to accountability.
The worst failure mode here is not that the nomcon is going to make the wrong
choices and the IAB is unable to rescue them. The worst failure mode is that
information that is released with a reasonable expectation of confidentiality
is then disclosed.
I would much prefer to have a process that is completely open except in regard
to actual balloting. To paraphrase Dave Crocker: Why would we expect to be
experts in the area? We do bits on the wire, design of political institutions
is certainly not an area in which competency has been demonstrated.
But a process that is assumed to be more confidential than it actually is would
appear to be the worst of all cases.
-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Steven M. Bellovin
Sent: Mon 17/03/2008 10:08 PM
To: Christian Huitema
Cc: 'Fred Baker'; Dan Wing; 'IETF Discussion'
Subject: Re: Confirming vs. second-guessing
On Mon, 17 Mar 2008 18:44:49 -0700
Christian Huitema <[EMAIL PROTECTED]> wrote:
> > > And in order to make the confidentiality issue more concrete
> > > (ie, real) would folks offer some examples of what falls under
> > > it.
> >
> > "I accept the nomination of area director. The current area
> > director, Mr. J. Sixpack, has been attempting to impose his
> > opinion that beer should contain rice. This is causing a rift
> > in the working groups within the area. I would follow the area
> > consensus that we should outlaw rice in beer and thus my
> > appointment as new area director would achieve peace and
> > harmony within the area."
>
> Why should such a statement be confidential?
>
Try this one, quite non-hypothetical: a candidate for the IESG is
contemplating switching jobs. His or her current employer does not yet
know this. It has a clear bearing on whether or not that person can do
the job of AD, but equally clearly should not be broadcast to the world.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
_______________________________________________
IETF mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf
_______________________________________________
IETF mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf
