Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
Michael Thomas <mike@mtcc.com> Wed, 28 October 2020 17:43 UTC
To: Pete Resnick <resnick@episteme.net>, Eliot Lear <lear@cisco.com>
Cc: Ned Freed <ned.freed@mrochek.com>, The IETF List <ietf@ietf.org>
References: <5081794697df44d8bd76b675cf08dc23@cert.org> <09B0A1A1-6534-4A44-A162-9962FFF8D8B8@cisco.com> <362d68dd6117452f925322f8180de423@cert.org> <B864FFAE-3E3E-4CEF-B832-4552C8BAE70B@cisco.com> <61d17bb9-9056-ecbd-e7f8-e7bd5bd27d97@mtcc.com> <01RRASWVT8OO005PTU@mauve.mrochek.com> <3552cbcd-2d6e-da06-5d66-d0218f6c57ac@mtcc.com> <4679D0DD-7EBB-48BF-973B-6BCA9C4D5F8D@episteme.net> <18e2e799-cf48-9a4f-c324-29533800b2cf@mtcc.com> <01RRB7O4NQ0S005PTU@mauve.mrochek.com> <ec504816-a90c-f551-1ded-1866119ec2c5@mtcc.com> <47EC23B7-2B5A-4C79-9B1A-FC5F5CB75631@episteme.net> <043890FA-0954-41D0-9E4E-AEBB456FB158@cisco.com> <3528B052-94BB-4865-A53F-908F65273DA3@episteme.net>
From: Michael Thomas <mike@mtcc.com>
Message-ID: <597b4b06-d0c0-6485-d92c-3a32b9a7ba2f@mtcc.com>
Date: Wed, 28 Oct 2020 10:42:58 -0700
In-Reply-To: <3528B052-94BB-4865-A53F-908F65273DA3@episteme.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/_npFRyhlqLe5DvKObyspiHHu1is>
On 10/28/20 10:27 AM, Pete Resnick wrote:
> On 28 Oct 2020, at 12:00, Eliot Lear wrote:
>
>> This is where I think there may be some subtle issue, and I don’t
>> want to make this all about Mike. Many researchers have no equities
>> in our organization. They may not even have a fix available for the
>> very problem that they have found. We have red teams for a reason:
>> it’s just a different muscle. So they see their job as finished when
>> they’ve reported. And then they’re on to the next thing. That’s
>> their incentive model. Mike just happens to care more than most, but
>> we shouldn’t optimize around him.
>
> Lest there be any question: I completely agree with you on the above
> Eliot. The proposal on the table from the IESG that Roman posted is a
> great start into how to deal with exactly those researchers you are
> talking about, and I fully support the idea. I don't want those folks
> to have to wade through the rest of IETF process if they have no
> intention to be part of the whole kit and caboodle of WG protocol
> development. The one and only thing I was responding to was Mike's
> analysis of the core problem based on his personal experiences. He is
> not like one of those researchers in that he does participate in the
> IETF as a regular participant, and we should absolutely not be
> optimizing around the cases he's concerned with.
>

As I mentioned earlier, security issues can be very subtle and not easy
to explain or understand. Lobbing a write-only report over the wall is
hardly ideal. They have every right to do that, of course, but if they
can be coaxed to participate while it gets digested, that would be a lot
better.

And then of course, there are the cases where somebody thinks something
might be wrong, but isn't sure of it. That more resembles me. Maybe I'm
a unicorn though. I'll check for glitter in a bit.

Mike