Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

Michael Thomas <> Wed, 28 October 2020 16:45 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 922253A0657 for <>; Wed, 28 Oct 2020 09:45:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, NICE_REPLY_A=-0.247, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id tVGEOLfHqTUY for <>; Wed, 28 Oct 2020 09:45:05 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::62a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 92E2E3A047D for <>; Wed, 28 Oct 2020 09:45:05 -0700 (PDT)
Received: by with SMTP id x23so2755275plr.6 for <>; Wed, 28 Oct 2020 09:45:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=1PeCNDPQTDC6uaVQ6bXePn9czcWzcCbdm3JvDnGNVYY=; b=BDwFpg0yWay6eEROARLWle4i4D0wvY/Maatb6YwgwFV9EZhSNRYd7HD0fChSRKKHdn VPd3zgBcU+uZb2L3asrvmQFXQO0cax9TzWJCP29ONPFpry5QTodLuZTbccBaddazq2Dr GpwqyTViNVTPK1elz8Fp0K38oaK6YLCISVrmNW6hVthLUhuFY5X2P2rdS4v0PYZkEj7Y VrW9j814FLfIAol4hBBveXN3g4hPoeZZS5RuXJl/SppueKeVyZnDhB0eziIU81drnooK GxmSKslI+c41LOjBnuzq+R18vhXOsDKTRVaP9YtzMUiHgideI3olSL52yhdb/tf7bXQy IQJg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=1PeCNDPQTDC6uaVQ6bXePn9czcWzcCbdm3JvDnGNVYY=; b=T12gL4LNr5vyNiXqqnkWiOEq71gVbmHV9vFa06jy5mCQRRD7Tncgxz3Y6xJnNBwLj7 mAaJcB0UfYJ664dwNnzclSEfFyulpgE73zoQjPPpjXmUp/PphPozk0FE7augTPPQ9NUU oZB5cX9RZULvfozVXpsdkBE2pSxrkac00hVxIfTHdv2EfiDcc8CG5RJv9EZe9dl0qpLd PTmTkONJUK3dF2aQlD8TCW4l6C9lru5QaKO503LS8EmuqWJWtKsoRGbfZzOr92KoFFHp tIY+iGWv07Ke+c+G2BDkHQg88AbCuDF6vE2ls5MS5deyzITAKKhCWSCNull7Mozglxsf xYFA==
X-Gm-Message-State: AOAM532YIFJqIls5ul0k27Kc1T+7NY2Cxhwc13zdrax4EAlw7QeLA1/o 91SiLo2TWZyjqoZF6iMm4MPjS8uTwU7zFw==
X-Google-Smtp-Source: ABdhPJzOdA8LwaF4LHfXKW41+x3gYPUhiYaG7brTEQtW785SnhPmM5pUZuIu3G89a4njUhzCPaE0EQ==
X-Received: by 2002:a17:90a:2a8a:: with SMTP id j10mr208433pjd.117.1603903504457; Wed, 28 Oct 2020 09:45:04 -0700 (PDT)
Received: from mike-mac.lan ( []) by with ESMTPSA id n25sm6277699pgd.67.2020. (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 28 Oct 2020 09:45:03 -0700 (PDT)
Subject: Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
To: Eliot Lear <>
Cc: The IETF List <>
References: <> <> <> <> <> <> <> <>
From: Michael Thomas <>
Message-ID: <>
Date: Wed, 28 Oct 2020 09:45:00 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.12.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 28 Oct 2020 16:45:09 -0000

On 10/28/20 9:20 AM, Eliot Lear wrote:

>> That hopefully is not universal, but not considering the tendency 
>> toward the "i know this, who are you?" reaction is to my mind one of 
>> the key problems here. The other problem is that somebody off the 
>> street is not going to know arcane IETF process mechanisms which can 
>> be wielded as another cudgel to make that reporter go away. That just 
>> got used on me yesterday and is perfectly timely: why didn't i follow 
>> process XYZ? because i don't know anything about process XYZ, and by 
>> the time I understand process XYZ i've already lost interest because 
>> i didn't sign up for a protracted bureaucratic fight. that and i have 
>> no stake in the outcome beyond just being interested or a user; if 
>> you make me have to fight for it, you've lost me.
> Yes.  And what I am getting at is a little bit of hand holding on our 
> side for, as I said, people who don’t want to play “Inside Baseball” 
> could be very useful to this community.
What I suggested elsewhere is that maybe some sort of independent 
verification that there is a good likelihood that there is a flaw by 
somebody who knows inside ball may be helpful for things that could be 
high impact if true. The other part is that nobody but actual crackpots 
wants to be labeled one. Finding a flaw in an existing protocol that's 
been through extensive review is fraught with "am i reading this 
right?". To be jumped on as being a crackpot by authors from the outset 
is not very fun and definitely not an experience somebody who has no dog 
in the fight looks forward to. Obviously this left a really bad taste in 
my mouth but i doubt i'm the only one. Had somebody with known clue 
from, say, the security area vouched that it is problem, the author 
would have been a lot less likely to go ballistic (given that author, 
that was no guarantee though).