Re: [CFRG] Escalation: time commitment to fix *production* security bugs for BLS RFC v4?
Loup Vaillant-David <loup@loup-vaillant.fr> Fri, 23 April 2021 23:38 UTC
Message-ID: <49ca86ec6409217d60e3f2e94e3090ef2b571f80.camel@loup-vaillant.fr>
From: Loup Vaillant-David <loup@loup-vaillant.fr>
To: Quan Thoi Minh Nguyen <msuntmquan@gmail.com>, "Riad S. Wahby" <rsw@jfet.org>
Cc: cfrg@irtf.org
Date: Sat, 24 Apr 2021 01:38:27 +0200
In-Reply-To: <CAAEB6g=dcsRKz6zm7F15F-uZ7Zfi_qF06KwQXmrireKEKZYHFg@mail.gmail.com>
References: <CAAEB6g=tU=MF1_QKduEN55ft0rWe+7x0wBbywS083fJrjzP=XA@mail.gmail.com> <20210423195504.d6f74x4jsdrzagcc@muon> <CAAEB6g=dcsRKz6zm7F15F-uZ7Zfi_qF06KwQXmrireKEKZYHFg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/ZnYRrQ-tKW0EdbUkI29YKQBwZ5Q>
Hi Quan,

> It's very unfortunate that the bottleneck for fixing security bugs is
> purely voluntary and has no commitment. This sounds pretty wrong from
> a vulnerability management point of view. I don't have any proposal
> to mitigate this deadlock.

There may be one way: holding implementers accountable.

They relied on a draft. As such, they took a gamble. Now they lost that gamble, and gambling ethics dictates that they pay up. Specifically, they can hire a professional cryptographer to devise or vet a fix. Or better yet, propose a fix that is very likely to be adopted in the RFC itself.

We could counter with the idea that it would be too expensive for the maintainers of those implementations. You mentioned Ethereum, though. I would expect it'd be easy for them to raise enough funds for a couple of days' worth of expertise (which I expect would cost a couple thousand euros).

If implementers argue that they are *not* responsible for bugs resulting from the adoption of an RFC *draft*, we can consider making some noise on the relevant social networks and news aggregators. I do not relish the idea of feeding them to the lynch mob, but I'm afraid this is the closest we can get to a trial.

Loup.