Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

Dan Harkins <dharkins@lounge.org> Thu, 19 November 2020 01:47 UTC

In-reply-to: <e000ecefa83143ac8819c307bd86d243@cert.org>
To: Roman Danyliw <rdd@cert.org>, "ietf@ietf.org" <ietf@ietf.org>
Message-id: <98027932-cacf-232a-7293-21738254fc7a@lounge.org>
References: <5081794697df44d8bd76b675cf08dc23@cert.org> <3965ff3d-af5a-addb-1c31-8c356c296329@lounge.org> <e000ecefa83143ac8819c307bd86d243@cert.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/2pcRWC1adIDIJhZr2jY3Uo1Gsrg>

   Hi Roman,

On 11/4/20 9:31 AM, Roman Danyliw wrote:
> Hi Dan!
>
>> -----Original Message-----
>> From: Roman Danyliw
>> Sent: Monday, October 26, 2020 7:51 PM
>> To: 'Dan Harkins' <dharkins@lounge.org>; ietf@ietf.org
>> Subject: RE: Call for Community Feedback: Guidance on Reporting Protocol
>> Vulnerabilities
>>
>> Hi Dan!
>>
>> Thank you for the feedback!
>>
>>> -----Original Message-----
>>> From: ietf <ietf-bounces@ietf.org> On Behalf Of Dan Harkins
>>> Sent: Monday, October 26, 2020 12:52 AM
>>> To: ietf@ietf.org
>>> Subject: Re: Call for Community Feedback: Guidance on Reporting
>>> Protocol Vulnerabilities
>>>
>>>
>>>     Howdy,
>>>
>>>     Not all RFCs are the product of a working group so I think the
>>> section dealing with "Expectations from the IETF" should address what
>>> the IETF feels it should do wrt RFCs published by the IETF that
>>> were not products of a working group. The existing text seems to only
>>> address issues with RFCs that were the product of a (possibly closed)
>>> working group. This probably has an influence on Figure 1 too -- to be
>>> specific, before the decision of "4" there should be a decision on the
>>> question of whether this is about an RFC that the IETF feels it needs to
>>> address.
>>
>> Good point.  Let me figure out how to best finesse the existence of AD
>> sponsored documents, without adding too much (more) complexity.
>>
>> Regardless of the editorial approach, let me know if the possible end states
>> aren't "errata" (8) or "using the general alias" (10), perhaps with a trip through
>> "is there an active working group on the topic" (3).
> Please see the revised text to address a workflow for individual submission:
>
> https://github.com/ietf/vul-reporting-guidance/commit/9698c728b900307f74a2649720755b35c6b0523b
>
> Let me know if this doesn't address your feedback.

   Yes, this does address my comment and I would be happy with this.
That said, I think it might be possible to slightly improve things if there
were the possibility of a WG looking at fixing an RFC that had been an
individual draft. I'm thinking of something like an EAP method that was an
individual submission. If we can't find the author or the author doesn't
care it might make sense to ask EMU if this is something they might want to
look at fixing. In figure 1 I'm thinking of maybe a decision box above 7
that could get the flow into 6 and not terminate at 7 if there's a WG
willing to deal with the issue.

   But as I said, I'm happy with what you have so if you want to ignore
my additional comment I would be fine with that.

   regards,

   Dan.

-- 
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius