Re: [TOOLS-DEVELOPMENT] SoW for security review of RPC codebase
Eric Rescorla <ekr@rtfm.com> Tue, 08 January 2019 18:31 UTC
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 08 Jan 2019 10:31:02 -0800
Message-ID: <CABcZeBO0BzQskxd8EzPYvp4U38neUQeB=VR3o+qjNK_Bc95iHA@mail.gmail.com>
To: Robert Sparks <rjsparks@nostrum.com>
Cc: IETF Tools Development <tools-development@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tools-development/d0UFF5V5N841x57eDTWV-9RaDVs>

Here's the deliverable section from a recent RFP. The first main bullet seems a bit specific, but the rest is pretty generic.

2.3 Deliverables

The auditor will privately release a technical report assessing the security of the AUS service from two angles:

- Security provided to users of the service
- Resistance to an infrastructure breach

Each security issue must include the following sections:

1. Attack vector
2. Proof of concept
3. Impact to the target
4. Proposed remediations

The report must be released to Mozilla no later than 15 weeks after the start date of the audit.

-Ekr

On Wed, Dec 19, 2018 at 10:49 AM Robert Sparks <rjsparks@nostrum.com> wrote:

> Please review.
>
>
> _______________________________________________
> TOOLS-DEVELOPMENT mailing list
> TOOLS-DEVELOPMENT@ietf.org
> https://www.ietf.org/mailman/listinfo/tools-development
>