"Adult supervision"

Ted Lemon mellon at nominum.com
Tue May 6 14:40:48 CEST 2003


> Should IESG members really have to debate with each
> document author or working group chair (for instance) whether it's
> okay to assume that a device or server will only be accessible from a
> local, trusted network and that therefore no authentication is needed?

Absolutely not.   It would take forever.   ADs are too busy already.   
But the contrary position is also wrong.  You can't just say "look, 
man, everybody knows you can't just have no authentication, so shut up 
and go away."   There is a middle path, where you write up documents 
documenting issues like this and publish them as RFCs, and then you can 
say "look, man, I don't have time to explain this to you, but your 
protocol needs to conform with RFCmumble, please go read it."

The IETF has RFCs like this, e.g. rfc2219, rfc2434, etc.   The key test 
with these meta-RFCs is that they have passed through the consensus 
process.   There was widespread agreement at the time the RFC was 
written that the position stated in the RFC was a good one.   If 
someone wants to challenge the position, they can publish and attempt 
to advance a draft that updates one of these RFCs, and historically 
that has happened.

What doesn't work is for there to be things that are commonly held to 
be true by one or more IETF people, but which have never been formally 
advanced as BCP drafts (or whatever's appropriate), and that are still 
used to quash ideas that are advanced in WGs through the technique of 
repeated assertion.

I should also point out that the former AD in question, whose name I 
won't mention here because I don't think it would be constructive, did 
have time to read all the email I sent on the issue and respond in 
detail to it, asserting the same points over and over again.   This 
took so much of my time that I finally had to bow out of the 
exchange due to the massive volume of email it was generating on the WG 
mailing list and due to the fact that I needed to get some work done so 
that I could keep my job.   This was a very effective tactic for 
shutting me up, but not one that I think is effective in making the 
IETF successful.

So I think that citing a lack of time in this case doesn't really make 
sense, even though in a general sense I agree that AD time is precious 
and shouldn't be wasted.



More information about the Problem-statement mailing list