"Adult supervision"
Ted Lemon
mellon at nominum.com
Tue May 6 14:40:48 CEST 2003
> Should IESG members really have to debate with each
> document author or working group chair (for instance) whether it's
> okay to
> assume that a device or server will only be accessible from a local,
> trusted
> network and that therefore no authentication is needed?
Absolutely not. It would take forever. ADs are too busy already.
But the contrary position is also wrong. You can't just say "look,
man, everybody knows you can't just have no authentication, so shut up
and go away." There is a middle path, where you write up documents
documenting issues like this and publish them as RFCs, and then you can
say "look, man, I don't have time to explain this to you, but your
protocol needs to conform with RFCmumble, please go read it."
The IETF has RFCs like this, e.g. rfc2219, rfc2434, etc. The key test
with these meta-RFCs is that they have passed through the consensus
process. There was widespread agreement at the time the RFC was
written that the position stated in the RFC was a good one. If
someone wants to challenge the position, they can publish and attempt
to advance a draft that updates one of these RFCs, and historically
that has happened.
What doesn't work is for there to be things that are commonly held to
be true by one or more IETF people, but which have never been formally
advanced as BCP drafts (or whatever's appropriate), and that are still
used to quash ideas that are advanced in WGs through the technique of
repeated assertion.
I should also point out that the former AD in question, whose name I
won't mention here because I don't think it would be constructive, did
have time to read all the email I sent on the issue and respond in
detail to it, asserting the same points over and over again. This
took so much of my time time that I finally had to bow out of the
exchange due to the massive volume of email it was generating on the WG
mailing list and due to the fact that I needed to get some work done so
that I could keep my job. This was a very effective tactic for
shutting me up, but not one that I think is effective in making the
IETF successful.
So I think that citing a lack of time in this case doesn't really make
sense, even though in a general sense I agree that AD time is precious
and shouldn't be wasted.
More information about the Problem-statement
mailing list