Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

Michael Thomas <> Wed, 28 October 2020 19:35 UTC

Subject: Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
To: Benjamin Kaduk <>
Cc: IETF <>
References: <> <> <> <> <> <> <> <> <> <> <>
From: Michael Thomas <>
Message-ID: <>
Date: Wed, 28 Oct 2020 12:35:27 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.12.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
List-Id: IETF-Discussion <>

On 10/28/20 11:39 AM, Benjamin Kaduk wrote:
> Hi Mike,
> On Tue, Oct 27, 2020 at 06:26:03PM -0700, Michael Thomas wrote:
>> PS: i hope that this doesn't turn into a prosecution of whether my
>> examples are right or wrong because that utterly misses the point. The
>> issue here is that working groups are tribalistic and people who upset
>> that tribalism are the enemy. until you deal with that problem, nothing
>> will happen.
> I don't want to prosecute your examples, and I do believe that your
> examples happened roughly as you describe.  But I do want to ask whether we
> might have already improved since your experiences occurred -- for example,
> I am failing to find anything in the OAuth archives from you more recently
> than 2012.  While the OAuth WG is not always a shining example of comity, I
> can think of several recent cases where someone who is not part of the WG
> mainstream comes in and attempts to raise some issues with one document or
> another.  Yes, some participants ignored or tried to reject these points,
> but others (myself included) did engage with the reporter to tease out
> where the actual issues lie, whether there is a prerequisite for the
> perceived issues that is explicitly out of scope for the work, whether the
> proposed mitigation violates protocol invariants, etc.  So, I am hopeful
> that the current situation is not as dire as the picture you have painted
> (and we will, of course, work to improve in the future).

As I said, I'm willing to believe that that was a rather unique set of 
circumstances, and yes, it was around 2012. I don't even remember why I 
took an interest in it... although I was working on some stuff that 
required OAuth around then in a phone app, which probably got me thinking 
about the issue. From the WG's standpoint I was a random nobody, though 
Barry of course knew me. If this thread is solely to entice security 
researchers to lob papers over the wall, then sure. But as I mentioned 
earlier, it would be nice to actually interact with the person who found 
it (or thinks it could be a problem) to clarify and perhaps correct some 
incorrect assumptions, etc. At worst, it might result in an erratum to 
clarify what led the researcher astray; at best, it results in fixes that 
might have been rejected because the WG didn't understand the paper.