Hello,

I have reviewed this document as part of the security directorate’s ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

Summary: Has Nits

This I-D proposes an update to the NomCom eligibility process in order to reduce the risk of coordinated attacks by an adversary who wants to get control of the IETF, in a context where the generalization of remote attendance to IETF meetings changes the rules.

I understand (end of section 3):

> Finally, overly restrictive criteria work against getting a broad
> talent pool.

but here we're not talking about IETF participation (which must remain as open as possible), it's a key selection process for the IETF.

In my opinion (my two cents):

-- the NomCom candidate must be part of the **active community**. Being part of the NomCom committee is earned. How to define "active community" deserves consensus, but if Paths 2 and 3 (section 4) are valid, IMHO Path 1 is not, and there's a huge gap between 2-3 and 1! Can't we find a midway as a replacement for Path 1, e.g., being co-author of a WG-Item document (the whole standardisation process takes so long...)?

-- the NomCom candidate **identity must be verified**. I've never been asked to prove my identity at IETF (registration, picking my badge, editing an I-D), which is mostly fine. However we're talking here of being part of a committee that is key to the IETF: it deserves additional checks. And if there could be good reasons for an IETF participant to use a pseudonym, this is an exception, not the rule, and it disqualifies for NomCom IMO.

Additional remark:

-- Section 4: I understand we're talking about IETF, but I see no reason to ignore IRTF altogether in Path 2 (section 4). Being a Research Group Chair or Secretary is also a sign of being part of the active community.

-- Section 4: I don't see a justification for 3 years (WG/RG chair or secretary) versus 5 years (RFC author). Being in responsibility of a Group is engaging and a sign of a commitment to the Community, much more than being co-author of an RFC which is above all an individual achievement.

In any case thank you for considering this important topic.