Thread: Re: Next step on web phishing draft (draft-hartman-webauth-phishing-05.txt)

Re: Next step on web phishing draft (draft-hartman-webauth-phishing-05.txt)
2007-09-10 01:59:57

Bernard,

> I agree with EKR here. Failed consensus is failed consensus. RFC 2026 does not support the process that has been recommended here.

Perhaps Sam and Lisa can explain a bit more as to what process they intend to use. It seems that Alexey is providing a forum for discussion to improve the document, and I see nothing wrong with that. I would imagine that both the IESG and the community will still get their say, so what precisely is the problem?

This having been said, it seems to me that in order to address EKR's (and perhaps others') concerns, the document will need substantial work. I welcome efforts to improve that work. Where should that happen? Must Sam do it alone?

Eliot
_______________________________________________
Ietf-http-auth mailing list
Ietf-http-auth osafoundation.org
http://lists.osafoundation.org/cgi-bin/mailman/listinfo/ietf-http-auth

Re: Re: Next step on web phishing draft (draft-hartman-webauth-phishing-05.txt)
2007-09-10 05:17:08

Eliot Lear wrote:
> Bernard,
>
>> I agree with EKR here. Failed consensus is failed consensus. RFC 2026 does not support the process that has been recommended here.
>
> Perhaps Sam and Lisa can explain a bit more as to what process they intend to use. It seems that Alexey is providing a forum for discussion to improve the document, and I see nothing wrong with that.

Indeed, that is exactly what I was trying to say.
Lisa and Sam suggested to use ietf-http-auth osafoundation.org and I thought it made sense.

> I would imagine that both the IESG and the community will still get their say, so what precisely is the problem?

Exactly. It is not like ietf-http-auth osafoundation.org is a closed moderated mailing list.

> This having been said, it seems to me that in order to address EKR's (and perhaps others') concerns, the document will need substantial work. I welcome efforts to improve that work. Where should that happen? Must Sam do it alone?

If people can suggest a better place for work on this document, please speak up now.

RE: Re: Next step on web phishing draft (draft-hartman-webauth-phishing-05.txt)
2007-09-10 08:20:46

> [mailto:ietf-http-auth-bounces osafoundation.org] On Behalf Of Eliot Lear
>
> Perhaps Sam and Lisa can explain a bit more as to what process they intend to use. It seems that Alexey is providing a forum for discussion to improve the document, and I see nothing wrong with that. I would imagine that both the IESG and the community will still get their say, so what precisely is the problem?
>
> This having been said, it seems to me that in order to address EKR's (and perhaps others') concerns, the document will need substantial work. I welcome efforts to improve that work. Where should that happen? Must Sam do it alone?

It's an architecture issue. It is the type of issue that I would like to see the IAB take up in combination with the other principal stakeholders here - the banks, the ISPs.

We do have some resources to draw on here, the Anti-Phishing Working Group and FSTC.

Re: Re: Next step on web phishing draft (draft-hartman-webauth-phishing-05.txt)
2007-09-10 09:04:57

At Mon, 10 Sep 2007 08:59:57 +0200,
Eliot Lear wrote:
>
> Bernard,
>
> > I agree with EKR here. Failed consensus is failed consensus. RFC 2026 does not support the process that has been recommended here.
>
> Perhaps Sam and Lisa can explain a bit more as to what process they intend to use. It seems that Alexey is providing a forum for discussion to improve the document, and I see nothing wrong with that. I would imagine that both the IESG and the community will still get their say, so what precisely is the problem?
>
> This having been said, it seems to me that in order to address EKR's (and perhaps others') concerns, the document will need substantial work. I welcome efforts to improve that work. Where should that happen? Must Sam do it alone?

Sam can of course consult anyone who he chooses for opinions, reviews, etc. However, Alexey's original message indicated something rather different. Namely:

   Subsequent discussions and consensus calls on the document would happen on <ietf-http-auth osafoundation.org>.

   ...

   Alexey,
   in my capacity of shepherd for draft-hartman-webauth-phishing

This document isn't a WG document and this mailing list is not a WG list. It's inappropriate to hold any kind of "consensus calls". Moreover, as there's no WG, Alexey isn't the chair and doesn't have any authority to run a consensus or any other process.

This document was taken to the IESG and didn't achieve consensus in LC. It now has the same status as any other random individual ID, nothing more nothing less.

-Ekr

Re: Re: Next step on web phishing draft (draft-hartman-webauth-phishing-05.txt)
2007-09-10 12:21:36

Eric,

Eric Rescorla wrote:

>At Mon, 10 Sep 2007 08:59:57 +0200,
>Eliot Lear wrote:
>
>>Bernard,
>>
>>>I agree with EKR here. Failed consensus is failed consensus. RFC 2026 does not support the process that has been recommended here.
>>
>>Perhaps Sam and Lisa can explain a bit more as to what process they intend to use. It seems that Alexey is providing a forum for discussion to improve the document, and I see nothing wrong with that. I would imagine that both the IESG and the community will still get their say, so what precisely is the problem?
>>
>>This having been said, it seems to me that in order to address EKR's (and perhaps others') concerns, the document will need substantial work. I welcome efforts to improve that work. Where should that happen? Must Sam do it alone?
>
>Sam can of course consult anyone who he chooses for opinions, reviews, etc. However, Alexey's original message indicated something rather different. Namely:
>
>   Subsequent discussions and consensus calls on the document would happen on <ietf-http-auth osafoundation.org>.
>
>   ...
>
>   Alexey,
>   in my capacity of shepherd for draft-hartman-webauth-phishing

On rereading my message, it probably came out stronger than I intended. But according to my English-Russian dictionary the verb "would" can convey "polite request", which was my intent.

>This document isn't a WG document and this mailing list is not a WG list. It's inappropriate to hold any kind of "consensus calls". Moreover, as there's no WG, Alexey isn't the chair and doesn't have any authority to run a consensus or any other process.

I think you are reading too much into my message.
I didn't say that I will run any consensus calls, shepherding AD has the authority to do that.
And you are correct of course that I don't have any authority in this case. I am just working for the shepherding AD, trying to help her in getting the document through IESG.

>This document was taken to the IESG and didn't achieve consensus in LC. It now has the same status as any other random individual ID, nothing more nothing less.

Yes (the last sentence).

It is not yet clear to me if you have any problems with the document being discussed on http-auth mailing list. If you have, can you explain why and maybe suggest a better place for discussions?

And if you would like to suggest a better process for moving things forward, please share your opinion.

Regards,
Alexey

Re: Re: Next step on web phishing draft (draft-hartman-webauth-phishing-05.txt)
2007-09-10 13:29:46

At Mon, 10 Sep 2007 18:21:36 +0100,
Alexey Melnikov wrote:
> >   Subsequent discussions and consensus calls on the document would happen on <ietf-http-auth osafoundation.org>.
> >
> >   ...
> >
> >   Alexey,
> >   in my capacity of shepherd for draft-hartman-webauth-phishing
>
> On rereading my message, it probably came out stronger than I intended. But according to my English-Russian dictionary the verb "would" can convey "polite request", which was my intent.

Hmm... I'm still not sure what you're trying to say. My point is that there shouldn't be any consensus calls by anyone on the ietf-http-auth mailing list. It's not a WG.

> >This document isn't a WG document and this mailing list is not a WG list. It's inappropriate to hold any kind of "consensus calls". Moreover, as there's no WG, Alexey isn't the chair and doesn't have any authority to run a consensus or any other process.
>
> I think you are reading too much into my message.
> I didn't say that I will run any consensus calls, shepherding AD has the authority to do that.
> And you are correct of course that I don't have any authority in this case. I am just working for the shepherding AD, trying to help her in getting the document through IESG.
>
> >This document was taken to the IESG and didn't achieve consensus in LC. It now has the same status as any other random individual ID, nothing more nothing less.
>
> Yes (the last sentence).
>
> It is not yet clear to me if you have any problems with the document being discussed on http-auth mailing list. If you have, can you explain why and maybe suggest a better place for discussions?
>
> And if you would like to suggest a better process for moving things forward, please share your opinion.

I have no problem with Sam soliciting opinions in his document on any forum of his choice. What I object to is the notion--again implied in your above comments--that this document has some formal standing. As I said initially, this is an individual submission that failed to obtain consensus. As such it doesn't need shepherding or shepherding ADs, any more than any other individual ID.

> And if you would like to suggest a better process for moving things forward, please share your opinion.

As should be clear from my initial review, I don't think this document should move forward.

If the author feels differently, he is of course free to revise the document, try to build consensus, and resubmit to the IESG at some point in the future. Since it's an individual submission, no IETF process is needed or appropriate for that.

-Ekr

Re: Re: Next step on web phishing draft (draft-hartman-webauth-phishing-05.txt)
2007-09-10 13:52:00

On Mon, Sep 10, 2007 at 11:29:46AM -0700, Eric Rescorla wrote:
> At Mon, 10 Sep 2007 18:21:36 +0100,
> Alexey Melnikov wrote:
> > On rereading my message, it probably came out stronger than I intended. But according to my English-Russian dictionary the verb "would" can convey "polite request", which was my intent.
>
> Hmm... I'm still not sure what you're trying to say. My point is that there shouldn't be any consensus calls by anyone on the ietf-http-auth mailing list. It's not a WG.

Are you saying that a design team can't have "consensus" or "consensus calls"? Surely they can, though consensus internal to design teams cannot, and, indeed, must not be binding on any other aspect of IETF processes.

So my question is: is the ietf-http-auth mailing list intended to act as a forum for a design team working on draft-hartman-webauth-phishing?

If so then I don't understand your objection. Let the design team do what they will, and if and when they have something to show then we can have another IETF LC (or BoF). Or are you saying that the IETF LC that has already taken place failed in a permanent way, as opposed to finding issues that need work but which do not prevent the document from being brought forward again? I.e., did the IETF LC on this I-D really fail with prejudice? And if so, who determined that?

> > And if you would like to suggest a better process for moving things forward, please share your opinion.
>
> I have no problem with Sam soliciting opinions in his document on any forum of his choice. What I object to is the notion--again implied in your above comments--that this document has some formal standing. As I said initially, this is an individual submission that failed to obtain consensus. As such it doesn't need shepherding or shepherding ADs, any more than any other individual ID.

Speaking of consensus on a non-WG/IETF list != formal standing; I doubt anyone here would argue that it does.

But this draft does have a formal _state_: "IESG Evaluation :: Revised ID Needed."

What you say implies that design teams can't have consensus. Surely you don't actually believe that.

> > And if you would like to suggest a better process for moving things forward, please share your opinion.
>
> As should be clear from my initial review, I don't think this document should move forward.

In its current form? Or in its approach to the problem? Is there a process by which the IESG or IETF can actually reject an idea or document _with prejudice_?

> If the author feels differently, he is of course free to revise the document, try to build consensus, and resubmit to the IESG at some point in the future. Since it's an individual submission, no IETF process is needed or appropriate for that.

I think that's exactly what's happening.

Nico
--

Re: Re: Next step on web phishing draft (draft-hartman-webauth-phishing-05.txt)
2007-09-10 13:51:07

At Mon, 10 Sep 2007 14:45:26 -0400,
Jeffrey Altman wrote:
>
> Eric Rescorla wrote:
>
> > Hmm... I'm still not sure what you're trying to say. My point is that there shouldn't be any consensus calls by anyone on the ietf-http-auth mailing list. It's not a WG.
>
> Eric:
>
> It sounds to me as if you are attempting to claim that only official IETF activities are permitted to ask the participants in a discussion what they think.

Not at all. There is a huge difference between "ask participants in a discussion what they think" and a "consensus call".

> Clearly it is not going to be possible for a subsequent revision of this document to be re-submitted to the IESG if the contributors to the document cannot achieve consensus among themselves.

But this list is not the list of contributors to this document. It's some other list, one with no formal standing for any sort of "consensus call."

> > I have no problem with Sam soliciting opinions in his document on any forum of his choice. What I object to is the notion--again implied in your above comments--that this document has some formal standing. As I said initially, this is an individual submission that failed to obtain consensus. As such it doesn't need shepherding or shepherding ADs, any more than any other individual ID.
>
> This is a document for which an Area Director (separate from the one who happened to be the author of the document) wishes to forward progress. While this does not imply a formal basis for consideration, it does provide incentive to put additional effort into revising it.
>
> Alexey was asked by an AD to take responsibility for this document.

Yes, and my point is that I don't believe that's an appropriate procedure. Individual submissions are just that. Given that this one has already failed to achieve consensus in a previous IETF LC, if the AD wants to actively progress this document--as opposed to just passively waiting for some forthcoming revision--then the appropriate next step is a BOF followed by a WG.

> > As should be clear from my initial review, I don't think this document should move forward.
>
> That is your opinion and you are welcome to hold it.
>
> However, it is clear to me that this problem area cannot be addressed by organizations such as W3C without the support and collaboration of the IETF.

It may be clear to you, but it certainly hasn't been established in any way I find convincing.

In any case, this isn't "the IETF". It's an individual submission. "The IETF" would be a WG, IESG statement, etc.

-Ekr

Re: Re: Next step on web phishing draft (draft-hartman-webauth-phishing-05.txt)
2007-09-10 14:25:49

On Mon, Sep 10, 2007 at 01:52:00PM -0500, Nicolas Williams wrote:
> But this draft does have a formal _state_: "IESG Evaluation :: Revised ID Needed."

Its state seems to be that it has not exactly failed IETF LC (e.g., one IESG member commented that "[i]t is my educated guess there is rough consensus in the IETF to publish this document. However, additional work to document that rough consensus would be helpful given the strength of the two last call objections." Which proves nothing, except that the process is such that the sponsoring AD and the IESG as a whole are responsible for calling the result of the IETF LC and for insisting on whatever changes are needed for IETF LC comments to be addressed that have to be addressed. Once the IESG makes a decision one can appeal.

Nico
--

Re: Re: Next step on web phishing draft (draft-hartman-webauth-phishing-05.txt)
2007-09-10 13:56:15

At Mon, 10 Sep 2007 13:52:00 -0500,
Nicolas Williams wrote:
>
> On Mon, Sep 10, 2007 at 11:29:46AM -0700, Eric Rescorla wrote:
> > At Mon, 10 Sep 2007 18:21:36 +0100,
> > Alexey Melnikov wrote:
> > > On rereading my message, it probably came out stronger than I intended. But according to my English-Russian dictionary the verb "would" can convey "polite request", which was my intent.
> >
> > Hmm... I'm still not sure what you're trying to say. My point is that there shouldn't be any consensus calls by anyone on the ietf-http-auth mailing list. It's not a WG.
>
> Are you saying that a design team can't have "consensus" or "consensus calls"? Surely they can, though consensus internal to design teams cannot, and, indeed, must not be binding on any other aspect of IETF processes.

Indeed. And so when the "document shepherd" implies that he or the AD will be issuing consensus calls, I think that implies something quite different from some internal design team consensus call.

> So my question is: is the ietf-http-auth mailing list intended to act as a forum for a design team working on draft-hartman-webauth-phishing?

Good question. Let's ask the author of the document, who is the only person who can speak to the future direction of an individual submission. Sam?

> > If the author feels differently, he is of course free to revise the document, try to build consensus, and resubmit to the IESG at some point in the future. Since it's an individual submission, no IETF process is needed or appropriate for that.
>
> I think that's exactly what's happening.

That's not what I see, unless Alexey suddenly became the author of the document. Rather, I see someone claiming to be the document shepherd acting under the direction of the AD talking about the way forward. How is that the author revising the document, trying to build consensus, etc.?

-Ekr