On Thu, 26 Dec 2002 01:18:07 -1000, Jason Coombs said:
> Thanks for the replies, those of you who have already provided feedback on
> my inquiry into currently-accepted best practices for responsible disclosure
> considering the disappearance of
> draft-christey-wysopal-vuln-disclosure-00.txt ... Enclosed below is a
> security alert issued today that includes a revised Responsible Disclosure
> section that I think would make a good starting point for a new Internet
> Draft.

Jason - I think you misunderstood something in a very major way...

> Neither its authors nor any other party chose to advance a responsible
> disclosure standard through any IETF working group due to lack of interest.
> Therefore the following observations take priority as de facto "best
> practices" for information security and encryption research and responsible
> communication of security- and cryptography-related vulnerability findings:

The general consensus as I read it was that the christey-wysopal draft was
generally considered a very good and reasonable document. The only reason it
did not get progressed through the IETF process was that there was a general
belief that the *subject matter* was not an IETF issue. It's important, but
it's not a topic we write RFCs about. This is something that probably some
other group should be running with. I've taken the liberty of cc:ing some of
the people at SANS and the Center for Internet Security in hopes that they'll
either pick it up or know who should be doing it.

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
Attachment:
pgp00176.pgp
Description: PGP signature