Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

Pete Resnick <resnick@episteme.net> Wed, 28 October 2020 17:27 UTC

From: "Pete Resnick" <resnick@episteme.net>
To: "Eliot Lear" <lear@cisco.com>
Cc: "Michael Thomas" <mike@mtcc.com>, "Ned Freed" <ned.freed@mrochek.com>, "The IETF List" <ietf@ietf.org>
Subject: Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
Date: Wed, 28 Oct 2020 12:27:17 -0500
Message-ID: <3528B052-94BB-4865-A53F-908F65273DA3@episteme.net>
In-Reply-To: <043890FA-0954-41D0-9E4E-AEBB456FB158@cisco.com>
References: <5081794697df44d8bd76b675cf08dc23@cert.org> <09B0A1A1-6534-4A44-A162-9962FFF8D8B8@cisco.com> <362d68dd6117452f925322f8180de423@cert.org> <B864FFAE-3E3E-4CEF-B832-4552C8BAE70B@cisco.com> <61d17bb9-9056-ecbd-e7f8-e7bd5bd27d97@mtcc.com> <01RRASWVT8OO005PTU@mauve.mrochek.com> <3552cbcd-2d6e-da06-5d66-d0218f6c57ac@mtcc.com> <4679D0DD-7EBB-48BF-973B-6BCA9C4D5F8D@episteme.net> <18e2e799-cf48-9a4f-c324-29533800b2cf@mtcc.com> <01RRB7O4NQ0S005PTU@mauve.mrochek.com> <ec504816-a90c-f551-1ded-1866119ec2c5@mtcc.com> <47EC23B7-2B5A-4C79-9B1A-FC5F5CB75631@episteme.net> <043890FA-0954-41D0-9E4E-AEBB456FB158@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/Yt50f66NnHEl5rh5XxtYCzBgChA>

On 28 Oct 2020, at 12:00, Eliot Lear wrote:

> This is where I think there may be some subtle issue, and I don’t 
> want to make this all about Mike.  Many researchers have no equities 
> in our organization.  They may not even have a fix available for the 
> very problem that they have found.  We have red teams for a reason: 
> it’s just a different muscle.  So they see their job as finished 
> when they’ve reported.  And then they’re on to the next thing. 
> That’s their incentive model.  Mike just happens to care more 
> than most, but we shouldn’t optimize around him.

Lest there be any question: I completely agree with you on the above, 
Eliot. The proposal on the table from the IESG that Roman posted is a 
great start into how to deal with exactly those researchers you are 
talking about, and I fully support the idea. I don't want those folks to 
have to wade through the rest of IETF process if they have no intention 
to be part of the whole kit and caboodle of WG protocol development. The 
one and only thing I was responding to was Mike's analysis of the core 
problem based on his personal experiences. He is not like one of those 
researchers in that he does participate in the IETF as a regular 
participant, and we should absolutely not be optimizing around the cases 
he's concerned with.

pr
-- 
Pete Resnick https://www.episteme.net/
All connections to the world are tenuous at best