Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

Michael Thomas <mike@mtcc.com> Tue, 27 October 2020 18:27 UTC

Subject: Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
To: Eliot Lear <lear@cisco.com>
Cc: Ned Freed <ned.freed@mrochek.com>, The IETF List <ietf@ietf.org>
From: Michael Thomas <mike@mtcc.com>
Date: Tue, 27 Oct 2020 11:27:13 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/TByjCLwJnvgB4OqT7wpYgFyAMe0>

On 10/27/20 11:00 AM, Eliot Lear wrote:
> I think what you are pointing out is that maybe it would help if these 
> things were properly tracked against anything that would update or 
> obsolete existing work.  We might even be able to automate the 
> response along the lines of:
>
>   * A working group is currently working on an update.  Please feel
>     free to join in the fun at...
>   * A working group is currently working on a replacement (e.g.,
>     obsolete). Please feel free to join in the fun at ...
>   * No current update is in progress.  In addition to filing an
>     erratum, we invite you to provide an update through our errata
>     process, and perhaps through our standards process.  You can
>     contact <insert AD here> for more information.
>
My impression is that errata has a pretty high barrier to entry if it's 
potentially controversial. There doesn't seem to be any easy mechanism 
to do a one-off update that requires wg buy-in to get enough eyeballs on 
the problem to make certain that the fix is correct. It's like you need 
something similar to a critical security update to your OS, say, which 
needs to be well vetted by the devs, but doesn't want to wait for the 
next point release.

If errata is that mechanism for something controversial, it's news to 
me. Mostly what I've seen with errata are minor fixes which the wg chair 
and/or authors can sign off on easily.

Mike