RE: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

Roman Danyliw <> Wed, 28 October 2020 15:51 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id ECC7D3A03F2 for <>; Wed, 28 Oct 2020 08:51:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 8rHXIhvxLfLH for <>; Wed, 28 Oct 2020 08:51:29 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id AFD2A3A0365 for <>; Wed, 28 Oct 2020 08:51:29 -0700 (PDT)
Received: from ( []) by (8.14.7/8.14.7) with ESMTP id 09SFpSNm028408; Wed, 28 Oct 2020 11:51:28 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 09SFpSNm028408
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=yc2bmwvrj62m; t=1603900288; bh=SfQm6alXvaZA2UzLgvMk0ydK6CiytghevKBOxpR1li0=; h=From:To:Subject:Date:References:In-Reply-To:From; b=KQ13Xix+10P7HU41foC54GE61D5KRjJXsYo5iTQEqwUIfnfXhVDEIDpmOY8V2xeU6 dwqNp3GVIzJCp8pVN/mlkRKqT8Qgt7ZRr+Npl3W9cZjzAaLxIGKDlSdpmlBs7sdCjn cyH1n+gxDmjRMi8Wr0C5U66c87wGLp6D6wUxucJg=
Received: from ( []) by (8.14.7/8.14.7) with ESMTP id 09SFpQVw000949; Wed, 28 Oct 2020 11:51:26 -0400
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2106.2; Wed, 28 Oct 2020 11:51:26 -0400
Received: from ([fe80::555b:9498:552e:d1bb]) by ([fe80::555b:9498:552e:d1bb%13]) with mapi id 15.01.2106.002; Wed, 28 Oct 2020 11:51:26 -0400
From: Roman Danyliw <>
To: Michael Thomas <>, "" <>
Subject: RE: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
Thread-Topic: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
Thread-Index: Adapa+D5Cfcs8r0xT9Wg091feiESVgCMHiYAABWiuxAAIoqtAAABE40AAC191IAACihmAAAIWcog
Date: Wed, 28 Oct 2020 15:51:24 +0000
Message-ID: <>
References: <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_7f55408ce3e84c93b22f69765deed892certorg_"
MIME-Version: 1.0
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 28 Oct 2020 15:51:32 -0000

Hi Mike!

From: ietf <> On Behalf Of Michael Thomas
Sent: Wednesday, October 28, 2020 11:25 AM
Subject: Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

On 10/28/20 3:33 AM, Eliot Lear wrote:
Hi Roman,

On 27 Oct 2020, at 20:06, Roman Danyliw <<>> wrote:

Hi Eliot!

[Roman] In my view, the proposed text effectively says “this is the IETF process and as a last resort, please use the catch all alias”.  My read of your tighter text is the opposite, “here is a new reporting  alias, consider also getting involved in the IETF processes”.  Put in another way, we are actively steering away from established processes (e.g., using the mailing lists) and preferring the triage alias as the first step.  With the reduced text, we are not longer explaining “all the usual processes”.

Ok, Here’s a slightly tweaked version of that text to address how you read the doc:

If you believe you’ve discovered a protocol vulnerability, we very much welcome your contribution.
You are also invited to take your findings to any open IETF working group or mailing list that you believe would be appropriate, in order to discuss protocol improvements to address any vulnerabilities.  If you do not know which IETF working group or mailing list to use or otherwise need help with our processes, we invite you to email “<>” as well as the document authors, and we will assist you.  All of our work is public, and therefore, disclosing to a working group or mailing list is public.  In some cases, we may ask you to file an erratum, and we will be happy to guide you through that process.

This makes an assumption that the authors will be receptive to the vulnerability. My two experiences was that they were not. That hopefully is not universal, but not considering the tendency toward the "i know this, who are you?" reaction is to my mind one of the key problems here. The other problem is that somebody off the street is not going to know arcane IETF process mechanisms which can be wielded as another cudgel to make that reporter go away. That just got used on me yesterday and is perfectly timely: why didn't i follow process XYZ? because i don't know anything about process XYZ, and by the time I understand process XYZ i've already lost interest because i didn't sign up for a protracted bureaucratic fight. that and i have no stake in the outcome beyond just being interested or a user; if you make me have to fight for it, you've lost me.

[Roman] I do not believe the proposal or (defending Eliot’s) language above makes this assumption, unless you are specifically reacting to the words “we very much welcome your contribution.” This proposal will not and isn’t intended to address authors and WG being willing to accept feedback from security researchers.  This approach to vulnerability validation and remediation certainly a crucial issue, but a bit distinct from providing clearer guidance on reporting.  That said, there is definitely interplay between poorly handled validation/remediation process (e.g., untimely, unappreciative, not curious, hostile) to future willingness to report.

[Roman] As I’ve noted in previous responses, I don’t dispute that our processes are elaborate. I’m sure we can further optimize the reporting, validation and remediation processes.  However, this proposal is not focused on defining such new processes and is less ambitiously just trying to document the current state of affairs.  Toerless articulated that based on this discussion there is likely continued appetite to have this conversation beyond providing words on the website to describe how things work now.  We likely need another mailing list to continue this conversation.

The thing about security flaws in particular is they can be very subtle and hard to explain. It took me several readings of the DNS Race flaw to get the jist of it years ago, and that was written up by Vixie after the fact to explain it. The front line is going to be considerably messier since the reporter is not likely an expert in every aspect of the protocol and may get some things right and some things wrong. The wrong things can then be used to dismiss the problem wholesale, especially with the authors who have built in bias.

[Roman] Completely agree.  IMO, that’s why relying on a lightly staff triage alias might not dramatically improve the state of affairs.  The deep expertise is going to be in the original WG or follow-on groups.  However, this routing function to get the information to the right place is still a different issue than the validation process of this vulnerability (agreeing it is actually an issue).

Don't a lot of working groups have security area liasons these days? People who don't have a stake in the outcome, per se? Maybe that's where you want to route this.

[Roman] To my knowledge, formal security area liaisons are not common practice across WG, unless explicitly requested.  I would characterize such formal arrangements as fairly rare.  More common are requests for early Security Directorate (SECDIR) reviews and trying to entice those with security experience to participate in WGs that feel they need that review.  Likewise, there has been an informal push in recent years to include language related to security in charters (which may have helped only a little bit in identifying concerns and need for help early in a work’s lifecycle).