Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

Michael Thomas <mike@mtcc.com> Wed, 28 October 2020 15:42 UTC

Subject: Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
To: ietf@ietf.org
References: <5081794697df44d8bd76b675cf08dc23@cert.org> <09B0A1A1-6534-4A44-A162-9962FFF8D8B8@cisco.com> <362d68dd6117452f925322f8180de423@cert.org> <B864FFAE-3E3E-4CEF-B832-4552C8BAE70B@cisco.com> <11D079DF-614B-44CD-93F4-F53E353E31C7@akamai.com> <20201027142612.GB11207@faui48f.informatik.uni-erlangen.de> <C8ED3CFD-47FC-4746-8CE6-ADB48850A7AC@akamai.com> <20201028152533.GC57039@faui48f.informatik.uni-erlangen.de> <6695C5C1-38B3-4B1A-8F72-6747C070851B@akamai.com>
From: Michael Thomas <mike@mtcc.com>
Message-ID: <1794caa5-f3bf-9d54-e510-3e0e65281531@mtcc.com>
Date: Wed, 28 Oct 2020 08:42:19 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/L3_TOh-4GxLNxf-f3uMkhP0Rpxw>

On 10/28/20 8:37 AM, Salz, Rich wrote:
>>> I worry about something like "protocol-vulnerabilities@ietf.org" becoming swamped with implementation issues, but I would support this if we agreed it was a two-year experiment or something.
>
>> Too much success ? We are not paying money, so why the fear ? Any similar
>> problems in other places ?
>
> Overloading the people who will be filtering the emails.
>
Isn't overloading filtering of implementation questions a signal in and of
itself? If a particular protocol is generating lots of implementation
questions, that could be telling you it is underspecified. But IETF is
not the first place I'd think to come to with implementation issues.
Stack Overflow, etc. is where I'd head first.

Mike