Re: Consultation on DRAFT Infrastructure and Services Vulnerability Disclosure Statement

Randy Bush <randy@psg.com> Wed, 05 August 2020 20:22 UTC

Date: Wed, 05 Aug 2020 13:22:53 -0700
Message-ID: <m2tuxgn8pu.wl-randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Jay Daley <jay@ietf.org>
Cc: IETF Rinse Repeat <ietf@ietf.org>
Subject: Re: Consultation on DRAFT Infrastructure and Services Vulnerability Disclosure Statement
In-Reply-To: <DCA840AE-5620-40E7-AD24-E1CC0C7BF8C7@ietf.org>
References: <159651200228.24262.1827308624474280314@ietfa.amsl.com> <m2k0yeca1a.wl-randy@psg.com> <793241C9-C75C-407D-AD98-06E13C789154@ietf.org> <m28seuc4po.wl-randy@psg.com> <DCA840AE-5620-40E7-AD24-E1CC0C7BF8C7@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/f86WXLTGfe7dZ7PBR8_rQFaQ0PA>

i had planned to drop the thread, but mirja beat me up for being
obscure.  so my apologies for trying again.

first, i am an amateur here.  i do some opsec, have taught, but am not
an expert.  which is why i passed it to a friend with deeper expertise.

embargo periods seem to vary.  but my amateur observation is that the
mode seems to be 90 days.  as long as it is not ridiculous, i would
prefer not to have a dog in this fight.

but the issue my friend raised which concerns me more is adding a more
restrictive "Limitations" section than already covered by law and custom.
i am a researcher.  i have dabbled in opsec research, and conducted
attacks on the live global internet for that purpose, e.g. see [0].
real researchers act responsibly.  attackers do not.  do not deter and
further complicate the lives of the researchers who are trying to help
you deter the attackers.

the ietf is not a special snowflake, just a noisy one.

randy


[0] - https://archive.psg.com/181101.imc-communities.pdf