Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

Eliot Lear <lear@cisco.com> Wed, 28 October 2020 17:00 UTC

From: Eliot Lear <lear@cisco.com>
Message-Id: <043890FA-0954-41D0-9E4E-AEBB456FB158@cisco.com>
Subject: Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
Date: Wed, 28 Oct 2020 18:00:48 +0100
In-Reply-To: <47EC23B7-2B5A-4C79-9B1A-FC5F5CB75631@episteme.net>
Cc: Michael Thomas <mike@mtcc.com>, Ned Freed <ned.freed@mrochek.com>, The IETF List <ietf@ietf.org>
To: Pete Resnick <resnick@episteme.net>
References: <5081794697df44d8bd76b675cf08dc23@cert.org> <09B0A1A1-6534-4A44-A162-9962FFF8D8B8@cisco.com> <362d68dd6117452f925322f8180de423@cert.org> <B864FFAE-3E3E-4CEF-B832-4552C8BAE70B@cisco.com> <61d17bb9-9056-ecbd-e7f8-e7bd5bd27d97@mtcc.com> <01RRASWVT8OO005PTU@mauve.mrochek.com> <3552cbcd-2d6e-da06-5d66-d0218f6c57ac@mtcc.com> <4679D0DD-7EBB-48BF-973B-6BCA9C4D5F8D@episteme.net> <18e2e799-cf48-9a4f-c324-29533800b2cf@mtcc.com> <01RRB7O4NQ0S005PTU@mauve.mrochek.com> <ec504816-a90c-f551-1ded-1866119ec2c5@mtcc.com> <47EC23B7-2B5A-4C79-9B1A-FC5F5CB75631@episteme.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/-s_9Bh2JhWBKErzkDPutsL3iPAA>

Pete,

> On 28 Oct 2020, at 17:42, Pete Resnick <resnick@episteme.net> wrote:
> 
> The fact that you think invoking them makes you a "drama queen" means that you are part of the problem. And the idea that if you "don't have a dog in the fight" means that you shouldn't fully participate (including using the pushback mechanisms we have), you're not understanding what the IETF is supposed to be about: We have plenary meetings and Last Calls and the like so that groups can get cross-area and outside feedback. Failure to call out problems simply because you're not a primary player is exacerbating the cultural problem you claim to see.

This is where I think there may be some subtle issue, and I don’t want to make this all about Mike.  Many researchers have no equities in our organization.  They may not even have a fix available for the very problem that they have found.  We have red teams for a reason: it’s just a different muscle.  So they see their job as finished when they’ve reported.  And then they’re on to the next thing.  That’s their incentive model.  Mike just happens to care more than most, but we shouldn’t optimize around him.

Eliot