Internet DRAFT - draft-krishnan-nomcom-tools

draft-krishnan-nomcom-tools






IETF Nomcom                                                  S. Krishnan
Internet-Draft                                                J. Halpern
Intended status: Informational                                  Ericsson
Expires: January 24, 2013                                  July 23, 2012


           Requirements for IETF Nominations Committee tools
                     draft-krishnan-nomcom-tools-02

Abstract

   This document defines the requirements for a set of tools for use by
   the IETF Nominations Committee.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 24, 2013.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.






Krishnan & Halpern      Expires January 24, 2013                [Page 1]

Internet-Draft                Nomcom tools                     July 2012


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
     1.1.  Conventions used in this document . . . . . . . . . . . . . 3
   2.  Meta requirement  . . . . . . . . . . . . . . . . . . . . . . . 3
   3.  Authentication  . . . . . . . . . . . . . . . . . . . . . . . . 3
   4.  Security and Access Control . . . . . . . . . . . . . . . . . . 4
   5.  Nominations . . . . . . . . . . . . . . . . . . . . . . . . . . 5
   6.  Acceptances and Declines  . . . . . . . . . . . . . . . . . . . 6
   7.  Questionnaires  . . . . . . . . . . . . . . . . . . . . . . . . 6
   8.  Feedback Collection . . . . . . . . . . . . . . . . . . . . . . 7
   9.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 8
   10. Security considerations . . . . . . . . . . . . . . . . . . . . 8
   11. Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . 8
   12. Normative References  . . . . . . . . . . . . . . . . . . . . . 8
   Appendix A.  Example for key generation . . . . . . . . . . . . . . 8
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . . . 9


































Krishnan & Halpern      Expires January 24, 2013                [Page 2]

Internet-Draft                Nomcom tools                     July 2012


1.  Introduction

   The IETF Nominations Committee (Nomcom) is a body that selects
   candidates for the open IESG, IAB and IAOC positions following the
   process outlined in [RFC3777].  There is a need for a set of tools to
   aid the Nomcom to operate efficiently.  This document lays out a set
   of requirements for such a tool.

1.1.  Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].


2.  Meta requirement

   There is an existing tool for supporting Nomcom work.  The set of
   requirements specified in this document are mainly enhancement
   requirements or behavior changes to the existing tool.  Unless
   otherwise stated all of the current functions of the existing Nomcom
   tool need to be supported in the new tool as well.

   o  META-001: The tool MUST provide all the functionality that is
      provided by the current Nomcom tool except in the cases where one
      of the requirements specified in this document overrides the
      current behavior.  The current Nomcom tool can be found at the
      following URLs; https://www.ietf.org/group/nomcom/2012/private/
      that displays the Nomcom private parts of the tool (Private Nomcom
      tool) and https://www.ietf.org/group/nomcom/2012/ that displays
      the community member accessible parts of the tool (Public Nomcom
      tool).


3.  Authentication

   All access to the Nomcom tools needs to be authenticated.  The users
   of the tools have different privileges based on their role.  The tool
   needs to support at least three levels of access:Community member,
   Nomcom member, Nomcom chair.  The levels of access are setup by the
   staff of the IETF Secretariat.  It is to be noted that the
   Secretariat staff do not have any access to the tool.  They are
   responsible for administering the server that the tool runs on and
   hence they setup the access control list for the tool.

   The Community member access is applicable to the Public Nomcom tool.
   The Nomcom member and the Nomcom chair access are applicable to the
   Private Nomcom tool, as Nomcom members can use the interfaces on the



Krishnan & Halpern      Expires January 24, 2013                [Page 3]

Internet-Draft                Nomcom tools                     July 2012


   Public Nomcom tool in the community member role.  The Nomcom chair
   access authentication applies to the private webpage in the same
   fashion as a Nomcom member, with the additional ability to update the
   information on both webpages (i.e., what is visible in the various
   forms, the templates for the automatic emails, etc.).

   o  AUTH-001: The tool MUST allow the members of the community to
      login with their existing datatracker.ietf.org credentials.
   o  AUTH-002: The tool MUST allow the members of the community to
      create a new login using the datatracker.ietf.org login system.
   o  AUTH-003: The tool MUST allow the secretariat to input an email
      address to be granted the Nomcom chair role and a list of email
      addresses to be granted the Nomcom member role.


4.  Security and Access Control

   All communication between the community and the Nomcom and amongst
   the members of the Nomcom needs to be stored in an encrypted form.
   This information can only be accessed by the members of the Nomcom.

   o  SEC-001: The security procedures for the tool MUST be structured
      so that even system administrators do not have routine or
      accidental visibility to any data accumulated by the tool.  This
      data includes all confidential feedback and discussions.
   o  SEC-002: The tool MUST allow the Nomcom chair to input a public
      key ("Nomcom public key").  This key is generated by the Nomcom
      chair independent of the tool, for example, using the procedure
      described in Appendix A.
   o  SEC-003: All communication sent to the Nomcom mailing list MUST be
      encrypted with the Nomcom public key before being committed to
      persistent storage.
   o  SEC-004: All community feedback entered using the Nomcom tool MUST
      be encrypted with the Nomcom public key before being committed to
      persistent storage.
   o  SEC-005: After logging in, the tool MUST allow the Nomcom members
      to input a private key ("Nomcom private key") that corresponds to
      the Nomcom public key.  This key will be used to decrypt the
      feedback/communications that the member is trying to access.  Once
      entered, this key MUST be available for the entire length of the
      session until the user logs out.  This private key MUST NOT be
      stored in plaintext form into persistent storage at any point of
      time.
   o  SEC-006: The tool MUST provide a mechanism for the Nomcom Chair to
      destroy all the data collected by the Nomcom at the end of the
      Nomcom's term.  Since the Nomcom's term overlaps with that of the
      next year's Nomcom, the tool MUST ensure that the data collected
      by the next year's Nomcom is not affected by this deletion.



Krishnan & Halpern      Expires January 24, 2013                [Page 4]

Internet-Draft                Nomcom tools                     July 2012


5.  Nominations

   After the Nomcom is consituted, the Nomcom chair issues a call for
   nominations for the open positions.  There are two broad ways in
   which nominees are introduced into the system.  The predominant way
   is that the nominations can be entered into the system directly by
   members of the community.  The secondary way is that the nominees are
   entered in by the members of the Nomcom.  The main difference is that
   members of the Nomcom can enter nominatios that are originated by
   other community members.  In both of the cases an email address for
   the nominee needs to be entered into the tool.  Please note that
   Nomcom members usually use the Public Nomcom tool, and not the
   Private Nomcom tool, to enter their personal nominations and
   comments.

   o  NOM-001: The tool MUST allow the members of the community to enter
      nominations into the Public Nomcom tool.
   o  NOM-002: The tool MUST allow the members of the Nomcom to enter
      nominations into the Private Nomcom tool.  The tool MUST allow the
      Nomcom member to optionally enter information about the originator
      of the nomination.  The tool MUST record the identity of the
      originator (if known) of the nomination for audit purposes.  Note
      that anonymous nominations are allowed, and thus the actual
      identify of an originator may not always be entered into the tool.
   o  NOM-003: The tool MUST allow the Nomcom chair to specify the
      information that is required for the nominations.  This
      information will be entered by the Nomcom chair as freeform text,
      and will be presented to the individual performing the nomination.
   o  NOM-004: The tool MUST email the nominee after the nomination
      mentioning the position(s) that they have been nominated for.
      This email MUST NOT disclose to the nominee the identity of the
      person who performed the nomination.
   o  NOM-005: The tool MUST allow the content of this email to be
      customized by the Nomcom chair.
   o  NOM-006: The tool MUST automatically attach the questionnaires for
      the positions for which the nominee has been nominated to this
      email.
   o  NOM-007: The tool MUST be able to identify duplicate nominations
      of the same person with the same email address and consolidate
      them to point to the same nominee.
   o  NOM-008: In case the same person has been nominated multiple times
      using different email addresses the tool MUST allow the Nomcom
      chair to mark duplicate nominations of the same person and
      consolidate them to point to the same nominee.
   o  NOM-009: The tool MUST allow the setting of a communication email
      address for a nominee that is different than the email address
      with which they were nominated.




Krishnan & Halpern      Expires January 24, 2013                [Page 5]

Internet-Draft                Nomcom tools                     July 2012


   o  NOM-010: The tool MUST be able to use the datatracker address book
      system as the basis for requirements NOM-007, NOM-008, and NOM-009
      but MUST allow the Nomcom chair to perform manual overrides.
   o  NOM-011: The tool MUST keep track of the accept and decline status
      for the nominees.


6.  Acceptances and Declines

   After receiving the nomination mail, the nominees usually respond to
   indicate either their acceptance of the nomination or their
   unwillingness to do so.

   o  AD-001: The tool MUST allow the nominees to indicate their
      acceptance or decline of their nomination.  This is preferably
      done by providing distinct hyperlinks in the email that the
      nominees receive.
   o  AD-002: The tool MUST allow the Nomcom chair to point to email
      responses from the nominees and flag them as acceptances or
      declines.
   o  AD-003: The tool MUST allow the Nomcom chair to manually flag
      nominees as accepting or declining without the need for any
      nominee action.
   o  AD-004: The tool MUST allow the Nomcom members to view the list of
      all nominees along with their acceptance or decline status.
   o  AD-005: The tool MUST allow the Nomcom members to view reports of
      acceptance or decline status both per nominee as well as per open
      position.
   o  AD-006: The tool MUST be configurable to send reminder mails to
      all nominees who have not responded, either on specified dates or
      at specified intervals.  The contents of the reminder mails MUST
      be customizable by the Nomcom chair.
   o  AD-007: The tool MUST be able to generate a summary report
      containing statistics (total/accept/decline/no response)
      concerning nominations by position.


7.  Questionnaires

   The nominees fill in a questionnaire for each of the positions for
   which they accept a nomination.  The filled in questionnaire is sent
   in by email to the Nomcom mailing list.  If a person has been
   nominated for multiple positions they may elect to send in a combined
   questionnare for a subset (or all) of the positions (QR-002) or fill
   up one questionnaire per open position (QR-006).






Krishnan & Halpern      Expires January 24, 2013                [Page 6]

Internet-Draft                Nomcom tools                     July 2012


   o  QR-001: The tool MUST allow the Nomcom chair to enter a different
      questionnaire for each of the open positions.
   o  QR-002: The tool MUST allow the Nomcom chair to point to email
      responses from the nominees and flag them as questionnaires.
   o  QR-003: The tool MUST allow the Nomcom members to directly access
      the filled in questionnaires of the nominees.
   o  QR-004: The tool MUST keep track of the questionnaire receipt
      status for the nominees.  The filled in questionnaires are
      received as emails to the Nomcom mailing list.
   o  QR-005: Like all other correspondance on the Nomcom mailing list,
      the filled in questionnaires MUST be encrypted by the Nomcom
      public key before being stored.
   o  QR-006: The Nomcom chair MUST be able to flag an email as the
      filled in questionnaire for a nominee corresponding to a specific
      open position.
   o  QR-007: Once flagged, the questionnaire provided by the nominee
      for a specific position MUST be directly accessible without
      needing to look through all the other feedback received for that
      nominee.


8.  Feedback Collection

   Community feedback is very important in the Nomcom process.
   Community feedback about the nominees is the primary mechanism by
   which the Nomcom members evaluate the nominees.

   o  FB-001: The tool MUST allow the members of the community to enter
      feedback about any of the accepting nominees into the Public
      Nomcom tool.
   o  FB-002: The tool MUST allow the members of the Nomcom to enter
      feedback about any of the accepting nominees into the Private
      Nomcom tool.  The tool MUST allow the Nomcom member to optionally
      enter information about the originator of the feedback.  Note
      that, as in FB-002, anonymous feedback is allowed, and thus the
      actual identify of an originator may not always be entered into
      the tool.
   o  FB-003: The tool MUST allow the Nomcom members to view the
      feedback entered for each nominee.  If the submitter of the
      feedback did not wish to be anonymous, the identity of the
      submitter should also be visible along with the feedback.
   o  FB-004: The Nomcom members MUST be able to enter their interview
      comments as feedback for the nominee being interviewed.
   o  FB-005: All email received on the Nomcom mailing list MUST be
      archived.  This includes all correspondance among the Nomcom
      members, feedback received over email as well as filled in
      questionnaires.




Krishnan & Halpern      Expires January 24, 2013                [Page 7]

Internet-Draft                Nomcom tools                     July 2012


   o  FB-006: The tool MUST allow the Nomcom chair to manually copy any
      of the archived mails into the feedback section of one or more
      nominees for one or more open positions.  This is required because
      a single email may contain feedback concerning more than one
      nominee or more than one open position.


9.  IANA Considerations

   This document does not require any IANA actions.


10.  Security considerations

   The tool must authenticate all users and must allow classifying
   logins into 3 roles.  Nomcom chair, Nomcom member and community
   member.  All communications to/from the Nomcom and among the members
   of the Nomcom must be stored in an encrypted form.


11.  Acknowledgements

   The authors would like to thank Russ Housley, Barry Leiba, Brian
   Haberman, Phillip Hallam-Baker, Stewart Bryant, Adrian Farrel,
   Stephen Farrell, Martin Stiemerling, Benoit Claise, Sean Turner,
   Ralph Droms, Mary Barnes, Subramanian Moonesamy and Menachem Dodge
   for their valuable comments to improve this document.


12.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3777]  Galvin, J., "IAB and IESG Selection, Confirmation, and
              Recall Process: Operation of the Nominating and Recall
              Committees", BCP 10, RFC 3777, June 2004.


Appendix A.  Example for key generation

   The Nomcom chair generates a public/private key pair to be used to
   encrypt Nomcom correspondence and feedback.  As an example, the
   Nomcom chair can use openssl to generate the key pair using the
   following commands:

   First the config file for openssl needs to be created with the
   following contents (example for the 2012-2013 Nomcom).



Krishnan & Halpern      Expires January 24, 2013                [Page 8]

Internet-Draft                Nomcom tools                     July 2012


[ req ]
distinguished_name = req_distinguished_name
string_mask        = utf8only
x509_extensions    = ss_v3_ca

[ req_distinguished_name ]
commonName           = Common Name (e.g., NomcomYY)
commonName_default  = Nomcom12

[ ss_v3_ca ]

subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment
basicConstraints = critical, CA:true
subjectAltName = email:nomcom12@ietf.org
extendedKeyUsage= emailProtection

# modify the email address to match the year.


                        Figure 1: nomcom-config.cnf

   Then the following command needs to be issued in order to generate
   the private key and the certificate.

   $ openssl req -config nomcom-config.cnf -x509 -new -newkey rsa:2048
   -sha256 -days 730 -nodes -keyout privateKey.pem -out nomcom12.cert

   The certificate can then be provided to the tool in order to extract
   the public key.


Authors' Addresses

   Suresh Krishnan
   Ericsson
   8400 Blvd Decarie
   Town of Mount Royal, Quebec
   Canada

   Email: suresh.krishnan@ericsson.com


   Joel Halpern
   Ericsson

   Email: joel.halpern@ericsson.com




Krishnan & Halpern      Expires January 24, 2013                [Page 9]