Re: [secdir] [Last-Call] Secdir last call review of draft-foudil-securitytxt-08

Randy Bush <randy@psg.com> Sun, 29 December 2019 05:38 UTC

Date: Sat, 28 Dec 2019 21:38:36 -0800
Message-ID: <m2lfqvitcz.wl-randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: last-call@ietf.org, secdir@ietf.org
In-Reply-To: <20191229033101.GE35479@kduck.mit.edu>
References: <157720267698.19361.11750709876624228448@ietfa.amsl.com> <CAAyEnSOx-MH0Ua6o9j-zMKwLktvYGXzBUw1ZkuO49BWD+1yxRQ@mail.gmail.com> <24070.38156.658126.30539@fireball.acr.fi> <760F7FE4-B10B-42FA-B3FF-0F73BEFEC953@akamai.com> <F73568E4-2AD0-4C9F-AD03-EBA831D569AB@nohats.ca> <CACsn0c=KkDzwXYMzWW88_OcX8GpJ92e3yrXeWR=v0SdQRYzxFQ@mail.gmail.com> <m2sgl4i92o.wl-randy@psg.com> <20191229033101.GE35479@kduck.mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/oVwxZsWAMsjg7y7n0cp0ZvORazc>

>>> Right now the standard is begging on twitter for a chain of
>>> introductions.
>> 
>> and it works, i am embarrassed to say.  and one hears about outages
>> on the ops lists before one sees the automatic outage detector
>> reports.  sitting across the hudson, i heard of the wtc attack on
>> nanog almost two minutes before it came on television.
> 
> I do hear many stories about twitter letting people get in touch with
> the right organizational contact; a lot of them even "make the news"
> for some definition of "news".  I wonder if they remain newsworthy
> because achieving success is far from guaranteed, whether by
> "traditional" methods or by twitter.

probably because, as with 47.2% of what the press publishes, it sells
papers.

but no, i am not pleased that the most used sources of security and net
failure notifications are twitter and a few mailing lists.  and don't
get me started about the certs as information hoarders.

>> these half-assed "the market demands something" panaceas provide
>> false solutions we have to clean up later; emphasis on that last
>> clause.  rwhois anyone?  the highway is littered with whitepages
>> roadkill.  today there is a massive problem with authority in the IRR
>> (which some RIRs throw in with whois); and retrofitting a solution is
>> now years in blah blah blah.
>> 
>> no one is asking for the perfect over the good.  but it is our
>> obligation, before putting the ietf stamp on it, for it to be as good
>> as we can reasonably get for the time.  this proposal is not, as has
>> been enumerated time and again as it has been shoved through the
>> process over objections.
>> 
>> imiho, tero's review stands.
> 
> I do note the second 'i', but I have to say that to me, "shoved
> through the process over objections" sounds like a pretty serious
> process violation that ought to be remedied.

that may be what you heard, but that is not what i said, or at least
meant to say.

> I'd like to better understand what you see as the process violation
> (if any) here, so that I can try to remedy it.

if i had a process objection, i would say it quite clearly.  i have a
reputation to maintain :)

technical objections have been raised all along the path of this
document.  many of them ignored and repeated, many covered in tero's
most excellent secdir review.  but the draft marched on.  today sm
raised new issues.

but you're a security guy, have the badge and all, even if your name is
not steve.  read the darn thing and tell us what you think of it as
reasonable and prudent secops practice.

randy