On 10/27/20 9:48 AM, Ned Freed wrote:
> Michael Thomas <mike@xxxxxxxx> wrote:
>> So coming in here a bit late, but isn't the basic problem that
>> working groups don't want to hear criticism or take it seriously? So
>> if you figure out problems with the protocol it's pushing on a string
>> at best and snarl inducing at worst.
> I've been on both the sending and receiving end of many security
> concerns, both here and elsewhere. This includes, but is not limited
> to, my work as a media types reviewer for 20+ years, where I've
> written dozens of responses, including responses to working groups,
> pointing out inadequate security considerations.
>
> In all of that, I can count the number of times where my concerns
> were ignored or not taken seriously on the fingers of one hand. And
> while I'm obviously not the best judge when I'm on the receiving end,
> I can't think of a time when I've observed the sort of behavior you
> describe in a working group.

The most recent was with the STIR wg. I found some problems and brought
it up on the working group list and was ignored. This was after they had
issued RFC 8226, so I interpreted it at the time as just not wanting to
revisit anything. I started writing a blog post about the things I
found, but ended up giving up because there were so many things
wrong/underspecified. I then went through the wg archives and saw that
Dave Crocker had written a list of about 100 things that were
wrong/questionable at last call, almost all of which were ignored. Worse:
there wasn't much intersection between our lists. So that reads to me as
a wg that isn't interested in hearing about problems. The same thing
happened to me commenting on OAUTH, which caused the then editor to go
ballistic. None of this should be especially surprising: nobody likes
somebody attacking (literally in the case of security) their baby.

> What does happen sometimes is someone raises what is effectively a
> nonissue: it's either already been dealt with, so trivial it's not
> worth the bits to describe, out of scope, or simply nonsense. And when
> they are told as much, sometimes they get upset.

In the OAUTH case it was -- and is -- a critical problem in the
applicability of when you can safely use OAUTH. Browser, groovy. Native
apps, bad. How many native apps use OAUTH these days? Lots? It got one
sentence buried in the security considerations for my effort. It
manifestly didn't change (m)any outcomes.

Mike