Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

Eliot Lear <lear@cisco.com> Tue, 27 October 2020 12:20 UTC

From: Eliot Lear <lear@cisco.com>
Message-Id: <B864FFAE-3E3E-4CEF-B832-4552C8BAE70B@cisco.com>
Subject: Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
Date: Tue, 27 Oct 2020 13:20:18 +0100
In-Reply-To: <362d68dd6117452f925322f8180de423@cert.org>
Cc: The IETF List <ietf@ietf.org>
To: Roman Danyliw <rdd@cert.org>
References: <5081794697df44d8bd76b675cf08dc23@cert.org> <09B0A1A1-6534-4A44-A162-9962FFF8D8B8@cisco.com> <362d68dd6117452f925322f8180de423@cert.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/qwzSfI8iyXqv1bhX3vsAr4l5FEU>

Hi Roman and thanks for the feedback.  Just on this point…

> On 27 Oct 2020, at 12:56, Roman Danyliw <rdd@cert.org> wrote:
> 
> [Roman] The text proposed for the vulnerability reporting web page is longer (and more complex and certainly not KISS), but significantly less ambitious than yours in scope.  It appears that your concise text would redefine the IETF culture and process about handling a certain class of information.  That’s a big step that would require a comprehensive discussion and deliberate consensus process around it.  What’s being proposed instead is an initial outreach step with a “Tao of the IETF”-style prose which explains the as-is process to an IETF newcomer on reporting vulnerability information – almost no new process/culture invented (there will be a new email alias which will act as a final catch-all).


I certainly didn’t set out to change culture OR process.  How do you think I’ve done that?  Perhaps it sounded as if the mailing list is intended to gatekeep?  Certainly not what I had in mind.  Just to route.  All the usual processes would still apply to what happens next, and the routing function should not be lossy.

Eliot