Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

ned+ietf@mauve.mrochek.com Tue, 27 October 2020 17:28 UTC

From: ned+ietf@mauve.mrochek.com
To: Michael Thomas <mike@mtcc.com>
Cc: ietf@ietf.org
Date: Tue, 27 Oct 2020 09:48:10 -0700
Subject: Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/FtY5-vyrCUNEkVkd9-4bMw-6NT8>

Michael Thomas <mike@mtcc.com> wrote:

> So coming in here a bit late, but isn't the basic problem that
> working groups don't want to hear criticism or take it seriously? So if
> you figure out problems with the protocol, it's pushing on a string at best
> and snarl-inducing at worst.

I've been on both the sending and receiving end of many security concerns, both
here and elsewhere. This includes, but is not limited to, my work as a media
types reviewer for 20+ years, where I've written dozens of responses, including
responses to working groups, pointing out inadequate security considerations.

In all of that, I can count the number of times where my concerns were ignored
or not taken seriously on the fingers of one hand. And while I'm obviously not
the best judge when I'm on the receiving end, I can't think of a time when I've
observed the sort of behavior you describe in a working group.

What does happen sometimes is someone raises what is effectively a nonissue:
it's either already been dealt with, so trivial it's not worth the bits to
describe, out of scope, or simply nonsense. And when they are told as much,
sometimes they get upset.

> It would be great if working groups were
> receptive to issues, but there is every incentive to ignore or ridicule
> problems. And then of course there is the problem that there may not be
> a working group anymore.

Really? And what happens when the RFC is published without having addressed or
at least acknowledged the concern, and whoever raised it points it out to the
trade press?

This sounds like an incredibly short-sighted, not to mention potentially
reputation-destroying, approach to me.

> Mike, who has experienced this repeatedly

			Ned, who has not.