Re: Status of draft-christey-wysopal-vuln-disclosure-00.txt

Valdis.Kletnieks@vt.edu Thu, 26 December 2002 18:42 UTC

From: Valdis.Kletnieks@vt.edu
To: jasonc@science.org
Cc: cwysopal@atstake.com, coley@mitre.org, fw@deneb.enyo.de, dee3@torque.pothole.com, ietf@ietf.org, kre@munnari.OZ.AU, info@knowngoods.org, Bruce Schneier <schneier@counterpane.com>, cert@cert.org, Clinton Kreitner <kreitner@home.com>, Alan Paller <AlanPaller@aol.com>, Hal Pomeranz <hal@deer-run.com>
Subject: Re: Status of draft-christey-wysopal-vuln-disclosure-00.txt
In-Reply-To: Your message of "Thu, 26 Dec 2002 01:18:07 -1000." <ILEPILDHBOLAHHEIMALBIEDAEHAA.jasonc@science.org>
References: <ILEPILDHBOLAHHEIMALBIEDAEHAA.jasonc@science.org>
Date: Thu, 26 Dec 2002 13:33:12 -0500

On Thu, 26 Dec 2002 01:18:07 -1000, Jason Coombs said:
> Thanks for the replies, those of you who have already provided feedback on
> my inquiry into currently-accepted best practices for responsible disclosure
> considering the disappearance of
> draft-christey-wysopal-vuln-disclosure-00.txt ... Enclosed below is a
> security alert issued today that includes a revised Responsible Disclosure
> section that I think would make a good starting point for a new Internet
> Draft.

Jason - I think you misunderstood something in a very major way...

> Neither its authors nor any other party chose to advance a responsible
> disclosure standard through any IETF working group due to lack of interest.
> Therefore the following observations take priority as de facto "best
> practices" for information security and encryption research and responsible
> communication of security- and cryptography-related vulnerability findings:

The general consensus as I read it was that the christey-wysopal draft was
generally considered a very good and reasonable document.

The only reason it did not get progressed through the IETF process was that
there was a general belief that the *subject matter* was not an IETF issue.
It's important, but it's not a topic we write RFCs about.

This is something that probably some other group should be running with.
I've taken the liberty of cc:ing some of the people at SANS and the
Center for Internet Security in hopes that they'll either pick it up or
know who should be doing it.
-- 
				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech