Re: Method of Contact - Consultation on DRAFT Infrastructure and Services Vulnerability Disclosure Statement

On 7/08/2020, at 2:59 AM, Livingood, Jason <Jason_Livingood@xxxxxxxxxxx> wrote:

I would love to see comment on these 2 key questions:

(1) > * The proposed mechanism for reporting a vulnerability.

When I originally thought about this I was concerned about the default to use email, acknowledging that this is something with which most IETF participants are quite comfortable. I wondered if it might be better to specify that a web interface was the reporting method, which would automatically generate a report ID number on submission that a bug reporter could use for their reference later on. In contrast, an email may not arrive or may be delayed, and automatically generating an acknowledgement response with a ticket/tracking number would rely on an additional system that may have communications issues with the email system.

It seems like a web-based reporting system may also provide a better level of security protection by encrypting the channel & contents of the communication vs. less secure email.

Just a reminder that a PGP key will be published as part of this policy and referenced in the policy as the means for securing email. This is again in line with common practice.


(2) > * What the email address should be for reports to be sent to.

@Jay - Can you list the options being considered here to help aid the discussion?

The well-known address is security@, but in the IETF context there are concerns about using security@xxxxxxxx, as that might be misinterpreted as referring to the SEC area or the general subject of security in the IETF, and so the alternative of security@xxxxxxxxxxxx has been suggested.

Jay


Thanks
Jason




-- 
Jay Daley
IETF Executive Director
jay@xxxxxxxx

