Re: [CFRG] Escalation: time commitment to fix *production* security bugs for BLS RFC v4?

"Riad S. Wahby" <rsw@jfet.org> Fri, 23 April 2021 19:55 UTC

Date: Fri, 23 Apr 2021 15:55:04 -0400
From: "Riad S. Wahby" <rsw@jfet.org>
To: Quan Thoi Minh Nguyen <msuntmquan@gmail.com>
Cc: cfrg@irtf.org
Message-ID: <20210423195504.d6f74x4jsdrzagcc@muon>
References: <CAAEB6g=tU=MF1_QKduEN55ft0rWe+7x0wBbywS083fJrjzP=XA@mail.gmail.com>
In-Reply-To: <CAAEB6g=tU=MF1_QKduEN55ft0rWe+7x0wBbywS083fJrjzP=XA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/k1wMZdzRZt6Vuk4gVFtkkgtEBMI>
Subject: Re: [CFRG] Escalation: time commitment to fix *production* security bugs for BLS RFC v4?

Hi Quan,

(Reposting my message from GitHub.)

I really appreciate your reporting the bug and all of the thought
you have clearly put into this.

The short answer to your question, "what is the time commitment of the
authors?" is: we're doing this on a volunteer basis, and therefore real
life takes priority. For my part: I have not had a moment's spare time
in the last 6 months. I hope to have time in the next several weeks
to think more about this but I do not have more specific information
than that. I can't speak for any of the other authors.

Regarding deployment in production: I really do understand the concern
here, and I share it. But this document is in draft status, which means
the risk of bugs or incomplete features is understood to be nonzero,
including by people who choose to deploy the draft specification.
I am not pointing this out to be legalistic or to justify inaction,
only to push back on the idea that somehow production deployment
changes the authors' volunteer status or time commitment.

I very much plan to deal with this issue once real life lets up a bit,
but I do not know how soon that is. That is really the best commitment
I can give you.

Thanks for understanding,

-=rsw