Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

Michael Thomas <> Tue, 27 October 2020 21:16 UTC

Subject: Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
To: Pete Resnick <>
Cc: Ned Freed <>, IETF <>
From: Michael Thomas <>
Date: Tue, 27 Oct 2020 14:16:48 -0700

On 10/27/20 1:27 PM, Pete Resnick wrote:
> On 27 Oct 2020, at 12:48, Michael Thomas wrote:
>> The most recent was with the STIR wg. I found some problems and 
>> brought it up on the working group list and was ignored. This was 
>> after they had issued RFC 8226 so I interpreted it at the time as 
>> just not wanting to revisit anything. I started writing a blog post 
>> about the things I found, but ended up giving up because there were so 
>> many things wrong/underspecified. I then went through the wg archives 
>> and saw that Dave Crocker had written a list of about 100 things that 
>> were wrong/questionable at last call, almost all of which were 
>> ignored. Worse: there wasn't much intersection between our lists. So 
>> that reads to me as a wg that isn't interested in hearing about 
>> problems. The same thing happened to me commenting on OAUTH, which 
>> caused the then editor to go ballistic. None of this should be 
>> especially surprising: nobody likes somebody attacking (literally in 
>> the case of security) their baby.
> So I presume you walked through the conflict resolution and appeals 
> process, in the case of STIR starting with the STIR Chair, the ART 
> Area Director, and/or the IESG as per RFC 2026 6.5.1, and in the case 
> of OAUTH with the OAUTH Chair, the SEC Area Director and/or the IESG?

Why on earth would I want to be a drama queen? Especially since I had no 
dog in either fight?

> Particularly in the case of OAUTH, if a document editor is 
> misbehaving, then that needs to be dealt with. All it takes is an 
> email message to start.

Barry handled the author fine, iirc. It's just that the wg as a whole 
dismissed the problem even though what I predicted is exactly what 
happened. They wrote my concern into the security requirements with like 
a one-sentence dismissal and everybody ignored it.

> Unless you actually engaged with the process and actually made 
> leadership aware that something was going pear-shaped, I'm not 
> terribly sympathetic.

Isn't this thread about getting outside clue to the attention of the 
working groups more seamlessly? Your quoted process and sympathy are 
exactly the wrong way to foster that.

> People seem very unwilling to walk through the conflict resolution and 
> appeals process, and it's absolutely essential to the good functioning 
> of the IETF that people use it from time to time. Again, the start of 
> it is simply an email message to the chair saying "My comments are 
> being ignored" or "The WG screwed up and made a bad technical choice". 
> If you don't like the answers you get, well that's a different thing, 
> but if you haven't actually engaged, you have only yourself to blame.

In OAUTH's case I did talk to Barry. For STIR, after seeing what they did 
to Crocker at last call it was apparent that it would fall on deaf ears, 
so why bother? I did bring up my concern on their mailing list before 
I read the archives, but crickets. The flip side of this is that nobody 
wants to be seen as an insane Cassandra in case you are actually wrong.

If you want outside clue but the reality is that they treat you as the 
enemy, you're not going to get the desired result. Any fix for this 
needs to account for that.