Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

Benjamin Kaduk <> Wed, 28 October 2020 18:39 UTC

Date: Wed, 28 Oct 2020 11:39:27 -0700
From: Benjamin Kaduk <>
To: Michael Thomas <>
Cc: IETF <>
Subject: Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

Hi Mike,

On Tue, Oct 27, 2020 at 06:26:03PM -0700, Michael Thomas wrote:
> PS: I hope that this doesn't turn into a prosecution of whether my 
> examples are right or wrong because that utterly misses the point. The 
> issue here is that working groups are tribalistic and people who upset 
> that tribalism are the enemy. Until you deal with that problem, nothing 
> will happen.

I don't want to prosecute your examples, and I do believe that your
examples happened roughly as you describe.  But I do want to ask whether we
might have already improved since your experiences occurred -- for example,
I am failing to find anything in the OAuth archives from you more recently
than 2012.  While the OAuth WG is not always a shining example of comity, I
can think of several recent cases where someone who is not part of the WG
mainstream comes in and attempts to raise some issues with one document or
another.  Yes, some participants ignored or tried to reject these points,
but others (myself included) did engage with the reporter to tease out
where the actual issues lie, whether there is a prerequisite for the
perceived issues that is explicitly out of scope for the work, whether the
proposed mitigation violates protocol invariants, etc.  So, I am hopeful
that the current situation is not as dire as the picture you have painted
(and we will, of course, work to improve in the future).