I have some concerns with the document, and with the process by which we've 
gotten here.

  Let me recap some history.  There's a lot to take
in, so I'll present concerns in point form.

  First, the document.

* my "Security Considerations" text was first plagarised in draft-06,

* when I pointed this out (May 9, 2017), there was no reply to my
  message by the authors, and no change was made to the document.

* the ADs did respond, and indicated that they had talked to the
  authors about the issue, and that it was a simple misunderstand and
  would be fixed.

* A year later, I raised the issue again (March 2018).  There as no
  reply to my concerns by the authors, and no change was made to the
  document.

* in all, 4 separate revisions of the document plagarized my text, for
  over a year, sometimes with minor edits, despite repeated requests
  to address the issue.

  Those issues alone are surprising.

* The text which was good enough to plagarize was then claimed to have
  deficiencies

* no one in the WG had noted any technical issues with the text

* the only issues were with attribution, not with the text in the
  Security Considerations section

* there is now a -10, which has essentially the same points as the
  previous text, just reworded

  I should point out that the RFC process is supposed to be about
content, not authorship.  There are many RFCs issued with text written
by multiple people.  Where the authors cannot all be acknowledged on
the first page, the primary editor can be listed with the (Ed.)
suffix, to indicate editorship.  Other authors can be named as authors
on the first page, or in the Acknowledgements section.

  Second, concerns with engagement with the WG.  It continues.

* multiple people in the WG have requested the authors engage with the
  Working Group.  Most notably, many messages in May 2017.

* multiple people in the WG have requested the authors explain what's
  changed in each new revision, or perhaps to acknowlege comments and
  reviews (May 2017 again, among other times).

* This engagement has been minimal, despite multiple revisions of
  the document being published after these WG requests.

* new revisions have most often been "thrown over the wall" with
  minimal (or no) explanation as to what changed, and why.

* this new draft is no different, i.e. it "revised the security
  section".  Why?  How?  What changed?  What were any alleged
  "deficiencies"?

* the author have stated again that they "will endeavor to be much
  more reactive to comments".

* this statement or similar ones have been repeatdly, with little
  change in observable behavior.

* The authors request (again) that the WG review this new document
  wholesale.

  Speaking of reviews, let's continue with third, responses to
reviews.

* I have given multiple line-by-line reviews of the entire document,
  for multiple revisions of the document.

* as noted above, these reviews have generally been ignored.

* as noted above, new versions of the document have appeared which may
  or may not have addressed these reviews.

* Given the lack of feedback on the reviews before a new draft is
  issued, it is unclear whether the review comments have been
  addressed.

* due to these issues, I have stopped reviewing the document, as it
  is not productive.

  There are other issues with the larger community.  I'll continue.

* there was broad support for publication of early revisions of the
  document, despite it clearly not describing the protocol in a way
  that permits inter-operable implementations

* the people who supported adopting the document as a WG document
  have generally not reviewed or commented on it

* existing implementors of TACACS+ have not reviewed or commented on
  the document (Alex Clouter's review was done as part of a brand-new
  implementation)

* we have therefore no idea whether or not this document describes
  anything that anyone has implemented

  In order for the document to be published, we should have (at the
minimum) statements from multiple implementors that the draft matches
their implementations.

  Fourth, there are process issues, too.  I'll continue.

* the IETF has traditionally started a new WG to standardize new
  management protocols (i.e. a protocol new to the IETF)

* examples include the protocols described in RFC 6632.  These
  protocols have had their own working groups, going back to at least
  1996, and continuing to the present

* working on a new (and eventually standards track) document in the
  OPS area is therefore a new step for the IETF

* I have raised all of the concerns mentioned herein with the chairs
  and ADs in private email, public email on the list, and in person at
  multiple meetings

* There does not appear to be any action taken as a result.

* Messages to the list raising these issues have largely been
  unaddressed

  It is general IETF practice for document authors to interact with
the WG. And, to respond to WG reviews and comments.  See the many
comments in the OPSAWG archives in May 2017 for broad WG support of
this position.

  As the authors have largely ignored the WG comments, the chairs and
ADs should have taken steps to address this issue.  As of this
writing, it appears to be the same "status quo" of the past few years.

  I don't think these comments are unreasonable.  If we truly don't
care about the WG opinion, then the chairs and AD can:

* make a public statement saying that WG feedback can be ignored

* state that that the document can be published in whatever form the
  authors choose

* publish the document even if it does not describe the protocol in
  sufficient detail to create inter-operable implementations.

  I don't think that's the right approach, of course.  But it's
largely what's been happening due to silence and/or inaction of the
parties involved.

  I see no point in further reviewing the document.  I again oppose
publication of this document until such time as all of the WG issues
have been addressed.

  If we do actually care about what's in the document, then I suggest
finally the following steps be taken to address the ongoing concerns:

* the document should not be published until such time as multiple
  implementors have agreed that the specification matches their
  implementation.

* the chairs and ADs should insist that the authors address the
  outstanding WG concerns about this document

* the chairs and ADs should insist that authors follow established
  practice of *interacting* with the WG, including responding to
  future reviews and comments.

* the chairs and ADs should insist that new revisions of the document
  are accompanied by an explanation of what changed, and why

* that if the authors do not follow these steps (as they have not so
  far), that the chairs and ADs should replace them with other WG
  member(s) who will follow the IETF process.

  Alan DeKok.

_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg

Reply via email to