Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities Wed, 28 October 2020 00:31 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2B4F93A09F1 for <>; Tue, 27 Oct 2020 17:31:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id pkjpJ7xvwIu7 for <>; Tue, 27 Oct 2020 17:31:37 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D4F7C3A09EF for <>; Tue, 27 Oct 2020 17:31:37 -0700 (PDT)
Received: from by (PMDF V6.1-1 #35243) id <> for; Tue, 27 Oct 2020 17:26:34 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: TEXT/PLAIN; CHARSET=US-ASCII; format=flowed
Received: from by (PMDF V6.1-1 #35243) id <> (original mail from for; Tue, 27 Oct 2020 17:26:31 -0700 (PDT)
Cc: Michael Thomas <>, Pete Resnick <>
Message-id: <>
Date: Tue, 27 Oct 2020 16:29:51 -0700 (PDT)
Subject: Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
In-reply-to: "Your message dated Tue, 27 Oct 2020 14:16:48 -0700" <>
References: <> <> <> <> <> <> <> <> <>
To: IETF <>
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 28 Oct 2020 00:31:39 -0000

Michael Thomas <> wrote:

> On 10/27/20 1:27 PM, Pete Resnick wrote:
> > On 27 Oct 2020, at 12:48, Michael Thomas wrote:
> >
> >> The most recent was with the STIR wg. I found some problems and
> >> brought it up on the working group list and was ignored. This was
> >> after they had issued RFC 8226 so I interpreted it at the time as
> >> just not wanting revisit anything.

RFC publication removes the work item from the WG's to-do list. Even if it
wanted to the WG cannot change the RFC willy-nilly; the WG would have to be
rechartered in order to do the work. That's intentionally a very substantial
bar to doing that.

> >> I started writing a blog post
> >> about the things I found, but ended giving up because there were so
> >> many things wrong/underspecified.

The document is 26 pages long. I find it hard to believe it's impossible to
list all the problems you found.

> >> I then went through the wg archives
> >> and saw that Dave Crocker had written a list of about 100 things that
> >> were wrong/questionable at last call almost all of which were
> >> ignored.

I tracked down what I think is the message you're referring to - which was sent
back back in 2016:

I'm afaid your claim that the issues raised were all ignored is simply false.
Sean Turner responded point by point to Dave's message here:

Now, you may not agree with that response. You may think that Dave was correct
in every point and Sean was wrong, and it may be the case that none of the
points were ever addressed to Dave's satisfaction. But this is all beside the
point: There's a big difference between not getting what you want and being

I note in passing that there was enough wrong with the document that it went
through another two years of work and another last call. So it's not at all
like it didn't undergo signiicant review and revision after that.

> >> Worse: there wasn't much intersection between our lists. So
> >> that reads to me as a wg that isn't interested in hearing about
> >> problems.

Whereas it reads to me like a WG that didn't agree with the issues raised by
one participant, and that you were late to the party and decided not to avail
yourself of the processes used to report problems with an RFC.

> >> The same thing happened to me commenting on OAUTH which
> >> caused the then editor to go ballistic. None of this should be
> >> especially surprising: nobody likes somebody attacking (literally in
> >> the case of security) their baby.

Your choice of words here speaks volumes... Of course nobody like being
attacked; why on earth would thay? But only a fool rejects valid constructive
criticism, especially when doing so will sifnificantly improve the result.

Now FWIW, I think the right thing to do with attacks - and I've been on the
receiving end of some real doozies - is to ignore the vitriol and look for the
actual critique, assuming there is one. And if it is valid, deal with it
appropriately, even if you don't respond directly.

> > So I presume you walked through the conflict resolution and appeals
> > process, in the case of STIR starting with the STIR Chair, the ART
> > Area Director, and/or the IESG as per RFC 2026 6.5.1, and in the case
> > of OAUTH with the OAUTH Chair, the SEC Area Director and/or the IESG?

> Why on earth would I want to be a drama queen? Especially since I had no
> dog in either fight?

So what you're saying is that only drama queens avail themselves of the 
processes put in place to deal with exactly the isues you say you had?
Processes that a lot of people worked very hard to devise and who many, myself
included, take very seriously?

Of course you have a right to believe whatever you want, even if that belief
limits your own options. But doing so is entirely your choice.