Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
Michael Thomas <mike@mtcc.com> Tue, 27 October 2020 18:27 UTC
To: Eliot Lear <lear@cisco.com>
Cc: Ned Freed <ned.freed@mrochek.com>, The IETF List <ietf@ietf.org>
Message-ID: <5d4bc8a9-4955-dde3-6022-7bdb2f5dc7ae@mtcc.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/TByjCLwJnvgB4OqT7wpYgFyAMe0>
On 10/27/20 11:00 AM, Eliot Lear wrote:
> I think what you are pointing out is that maybe it would help if these
> things were properly tracked against anything that would update or
> obsolete existing work. We might even be able to automate the
> response along the lines of:
>
> * A working group is currently working on an update. Please feel
>   free to join in the fun at...
> * A working group is currently working on a replacement (e.g.,
>   obsolete). Please feel free to join in the fun at ...
> * No current update is in progress. In addition to filing an
>   erratum, we invite you to provide an update through our errata
>   process, and perhaps through our standards process. You can
>   contact <insert AD here> for more information.
>

My impression is that errata has a pretty high barrier to entry if it's potentially controversial. There doesn't seem to be any easy mechanism to do a one-off update that requires WG buy-in to get enough eyeballs on the problem to make certain that the fix is correct. It's like you need something similar to a critical security update to your OS, say, which needs to be well vetted by the devs, but doesn't want to wait for the next point release. If errata is that mechanism for something controversial, it's news to me. Mostly what I've seen with errata are minor fixes which the WG chair and/or authors can sign off on easily.

Mike