I have some concerns with the document, and with the process by which we've gotten here.
Let me recap some history. There's a lot to take in, so I'll present concerns in point form. First, the document. * my "Security Considerations" text was first plagarised in draft-06, * when I pointed this out (May 9, 2017), there was no reply to my message by the authors, and no change was made to the document. * the ADs did respond, and indicated that they had talked to the authors about the issue, and that it was a simple misunderstand and would be fixed. * A year later, I raised the issue again (March 2018). There as no reply to my concerns by the authors, and no change was made to the document. * in all, 4 separate revisions of the document plagarized my text, for over a year, sometimes with minor edits, despite repeated requests to address the issue. Those issues alone are surprising. * The text which was good enough to plagarize was then claimed to have deficiencies * no one in the WG had noted any technical issues with the text * the only issues were with attribution, not with the text in the Security Considerations section * there is now a -10, which has essentially the same points as the previous text, just reworded I should point out that the RFC process is supposed to be about content, not authorship. There are many RFCs issued with text written by multiple people. Where the authors cannot all be acknowledged on the first page, the primary editor can be listed with the (Ed.) suffix, to indicate editorship. Other authors can be named as authors on the first page, or in the Acknowledgements section. Second, concerns with engagement with the WG. It continues. * multiple people in the WG have requested the authors engage with the Working Group. Most notably, many messages in May 2017. * multiple people in the WG have requested the authors explain what's changed in each new revision, or perhaps to acknowlege comments and reviews (May 2017 again, among other times). * This engagement has been minimal, despite multiple revisions of the document being published after these WG requests. * new revisions have most often been "thrown over the wall" with minimal (or no) explanation as to what changed, and why. * this new draft is no different, i.e. it "revised the security section". Why? How? What changed? What were any alleged "deficiencies"? * the author have stated again that they "will endeavor to be much more reactive to comments". * this statement or similar ones have been repeatdly, with little change in observable behavior. * The authors request (again) that the WG review this new document wholesale. Speaking of reviews, let's continue with third, responses to reviews. * I have given multiple line-by-line reviews of the entire document, for multiple revisions of the document. * as noted above, these reviews have generally been ignored. * as noted above, new versions of the document have appeared which may or may not have addressed these reviews. * Given the lack of feedback on the reviews before a new draft is issued, it is unclear whether the review comments have been addressed. * due to these issues, I have stopped reviewing the document, as it is not productive. There are other issues with the larger community. I'll continue. * there was broad support for publication of early revisions of the document, despite it clearly not describing the protocol in a way that permits inter-operable implementations * the people who supported adopting the document as a WG document have generally not reviewed or commented on it * existing implementors of TACACS+ have not reviewed or commented on the document (Alex Clouter's review was done as part of a brand-new implementation) * we have therefore no idea whether or not this document describes anything that anyone has implemented In order for the document to be published, we should have (at the minimum) statements from multiple implementors that the draft matches their implementations. Fourth, there are process issues, too. I'll continue. * the IETF has traditionally started a new WG to standardize new management protocols (i.e. a protocol new to the IETF) * examples include the protocols described in RFC 6632. These protocols have had their own working groups, going back to at least 1996, and continuing to the present * working on a new (and eventually standards track) document in the OPS area is therefore a new step for the IETF * I have raised all of the concerns mentioned herein with the chairs and ADs in private email, public email on the list, and in person at multiple meetings * There does not appear to be any action taken as a result. * Messages to the list raising these issues have largely been unaddressed It is general IETF practice for document authors to interact with the WG. And, to respond to WG reviews and comments. See the many comments in the OPSAWG archives in May 2017 for broad WG support of this position. As the authors have largely ignored the WG comments, the chairs and ADs should have taken steps to address this issue. As of this writing, it appears to be the same "status quo" of the past few years. I don't think these comments are unreasonable. If we truly don't care about the WG opinion, then the chairs and AD can: * make a public statement saying that WG feedback can be ignored * state that that the document can be published in whatever form the authors choose * publish the document even if it does not describe the protocol in sufficient detail to create inter-operable implementations. I don't think that's the right approach, of course. But it's largely what's been happening due to silence and/or inaction of the parties involved. I see no point in further reviewing the document. I again oppose publication of this document until such time as all of the WG issues have been addressed. If we do actually care about what's in the document, then I suggest finally the following steps be taken to address the ongoing concerns: * the document should not be published until such time as multiple implementors have agreed that the specification matches their implementation. * the chairs and ADs should insist that the authors address the outstanding WG concerns about this document * the chairs and ADs should insist that authors follow established practice of *interacting* with the WG, including responding to future reviews and comments. * the chairs and ADs should insist that new revisions of the document are accompanied by an explanation of what changed, and why * that if the authors do not follow these steps (as they have not so far), that the chairs and ADs should replace them with other WG member(s) who will follow the IETF process. Alan DeKok. _______________________________________________ OPSAWG mailing list OPSAWG@ietf.org https://www.ietf.org/mailman/listinfo/opsawg