Re: Escalation: time commitment to fix *production* security bugs for BLS RFC v4?

Quan Thoi Minh Nguyen <msuntmquan@gmail.com> Mon, 26 April 2021 15:47 UTC

References: <CAAEB6g=tU=MF1_QKduEN55ft0rWe+7x0wBbywS083fJrjzP=XA@mail.gmail.com> <CAAEB6gn+QWuCX4BxCJuofz6JF6amaPtWiDtg7ZAmRT9FwaX8vA@mail.gmail.com> <C2025926-ECD9-4846-BE36-9B243000DF5F@akamai.com> <CAAEB6gm710=5KrNEpVPWRKpMWFupcYFuCBiHP80=BwOormiABg@mail.gmail.com> <30B2523F-F116-454A-BE64-349A260F54D7@akamai.com> <CAAEB6gm2815anAJyugVkah5dFBQxEawHiGtodk2q=O4g8Q+kOA@mail.gmail.com> <DA7E8D75-2643-431A-A043-0C0317F5A824@akamai.com>
In-Reply-To: <DA7E8D75-2643-431A-A043-0C0317F5A824@akamai.com>
From: Quan Thoi Minh Nguyen <msuntmquan@gmail.com>
Date: Mon, 26 Apr 2021 08:46:46 -0700
Message-ID: <CAAEB6gnXi20_15DoJx9AEQ2V3J-T5ViPRjSKCtJhOHBKHUZEBA@mail.gmail.com>
Subject: Re: Escalation: time commitment to fix *production* security bugs for BLS RFC v4?
To: "Salz, Rich" <rsalz@akamai.com>
Cc: "ietf@ietf.org" <ietf@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/Jfsz9e7A_Q1qm-B_twp3FI0iayU>

On Mon, Apr 26, 2021 at 8:24 AM Salz, Rich <rsalz@akamai.com> wrote:

>    - It doesn't matter to you, but it does matter to other people like
>    me.
>
> You have been told several times, by several people, that a draft is not a
> standard.  No matter what vendors do, no matter what emails say about it.
> Even if the subject of the document says “A Standard BLS Mechanism,” until
> it is an RFC it is not a standard.
>
> People within the IETF often use the word standard in a number of ways.
> That doesn’t mean the document IS a standard.
>
> I understand this is frustrating to you, but just because some vendors
> implemented a draft, and you found a bug, that doesn’t mean the draft
> authors have to push out an update immediately.
>

Not immediately. I reported the bugs privately a long time ago through a
responsible disclosure mechanism: no fixing action. Then I reported them
publicly: no fixing action, no time commitment. I have been reporting
security bugs many times (e.g. I reported most of the bugs, mine and on
behalf of other people, in
https://github.com/google/wycheproof/blob/master/doc/bugs.md), but this is
the first time there has been a strange deadlock. I understand the BLS
Internet-Draft authors' perspective and I understand the library authors'
perspective. I tried but failed to convince everyone to compromise on moving
forward and fixing it :(

> There is a reason, after all, why the document is called a **draft**