Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
Benjamin Kaduk <kaduk@mit.edu> Wed, 28 October 2020 18:57 UTC
Date: Wed, 28 Oct 2020 11:57:50 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: "Joel M. Halpern" <jmh@joelhalpern.com>
Cc: Michael Thomas <mike@mtcc.com>, The IETF List <ietf@ietf.org>
Subject: Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
Message-ID: <20201028185750.GI39170@kduck.mit.edu>
References: <09B0A1A1-6534-4A44-A162-9962FFF8D8B8@cisco.com> <362d68dd6117452f925322f8180de423@cert.org> <B864FFAE-3E3E-4CEF-B832-4552C8BAE70B@cisco.com> <61d17bb9-9056-ecbd-e7f8-e7bd5bd27d97@mtcc.com> <01RRASWVT8OO005PTU@mauve.mrochek.com> <3552cbcd-2d6e-da06-5d66-d0218f6c57ac@mtcc.com> <F8E98E25-CAEE-43CF-B65C-3186844F4A29@cisco.com> <5d4bc8a9-4955-dde3-6022-7bdb2f5dc7ae@mtcc.com> <20201028184208.GF39170@kduck.mit.edu> <f7e0ec4a-4d61-076c-4638-5e9683f7b505@joelhalpern.com>
In-Reply-To: <f7e0ec4a-4d61-076c-4638-5e9683f7b505@joelhalpern.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/vGX_KAqOaAovGhW7jpTh3hDib1w>
List-Id: IETF-Discussion <ietf.ietf.org>
On Wed, Oct 28, 2020 at 02:53:56PM -0400, Joel M. Halpern wrote:
> I hope I am missing something.
> I have trouble thinking of a case where a security vulnerability in our
> work could be reasonably captured in an errata that is anything other
> than "held for future update".

Yes, I was assuming these errata would end up in HFDU.

-Ben

> The errata system is not an issue tracker for RFCs. Accepted errata are
> not supposed to be changes to the WG agreement, even if the WG got it
> wrong. They are supposed to be cases where the words on the page do not
> say what the WG meant. This can be a missing (or added) "not", or
> verbiage so opaque that anyone not in the room can't figure out what it
> means (although most of the time the RPC catches those before RFC
> publication).
>
> It is not for the cases where the WG agreed on a protocol that has a
> security hole, bug, or potential misbehavior.
>
> Heck, in the case of 8200 I have to agree with the AD that an errata was
> not the way to fix ambiguous wording that the WG agreed on, even when
> folks later came up with an interpretation that had not been considered
> by the WG. Errata simply are not for things that change existing WG
> agreements.
>
> Yours,
> Joel
>
> On 10/28/2020 2:42 PM, Benjamin Kaduk wrote:
> > On Tue, Oct 27, 2020 at 11:27:13AM -0700, Michael Thomas wrote:
> >>
> >> On 10/27/20 11:00 AM, Eliot Lear wrote:
> >>> I think what you are pointing out is that maybe it would help if these
> >>> things were properly tracked against anything that would update or
> >>> obsolete existing work. We might even be able to automate the
> >>> response along the lines of:
> >>>
> >>> * A working group is currently working on an update. Please feel
> >>> free to join in the fun at...
> >>> * A working group is currently working on a replacement (e.g.,
> >>> obsolete). Please feel free to join in the fun at ...
> >>> * No current update is in progress. In addition to filing an
> >>> erratum, we invite you to provide an update through our errata
> >>> process, and perhaps through our standards process. You can
> >>> contact <insert AD here> for more information.
> >>>
> >>>
> >> My impression is that errata has a pretty high barrier to entry if it's
> >> potentially controversial. There doesn't seem to be any easy mechanism
> >> to do a one off update that requires wg buy in to get enough eyeballs on
> >> the problem to make certain that the fix is correct. It's like you need
> >> something similar to a critical security update to your OS, say, which
> >> needs to be well vetted by the devs, but doesn't want to wait for the
> >> next point release.
> >
> > There are several WGs where we've had extended discussions over the text to
> > put in a potential errata report, before the report gets submitted.
> >
> >> If errata is that mechanism for something controversial, it's news to
> >> me. Mostly what I've seen with errata are minor fixes which the wg chair
> >> and/or authors can sign off easily.
> >
> > I don't think that errata are the definitive mechanism for potentially
> > controversial things or things that require intrusive changes to resolve,
> > but they can be an appropriate tool. A drive-by errata report without
> > additional discussion is probably not going to be the most effective way to
> > make progress on such issues, but it can definitely be useful to have the
> > issue documented in an errata report, even as a revision to the RFC is
> > underway to fix the issue.
> >
> > -Ben
> >