Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 10/27/20 1:27 PM, Pete Resnick wrote:
On 27 Oct 2020, at 12:48, Michael Thomas wrote:

The most recent was with the STIR wg. I found some problems and brought it up on the working group list and was ignored. This was after they had issued RFC 8226 so I interpreted it at the time as just not wanting revisit anything. I started writing a blog post about the things I found, but ended giving up because there were so many things wrong/underspecified. I then went through the wg archives and saw that Dave Crocker had written a list of about 100 things that were wrong/questionable at last call almost all of which were ignored. Worse: there wasn't much intersection between our lists. So that reads to me as a wg that isn't interested in hearing about problems. The same thing happened to me commenting on OAUTH which caused the then editor to go ballistic. None of this should be especially surprising: nobody likes somebody attacking (literally in the case of security) their baby.

So I presume you walked through the conflict resolution and appeals process, in the case of STIR starting with the STIR Chair, the ART Area Director, and/or the IESG as per RFC 2026 6.5.1, and in the case of OAUTH with the OAUTH Chair, the SEC Area Director and/or the IESG?

Why on earth would I want to be a drama queen? Especially since I had no dog in either fight?


Particularly in the case of OAUTH, if a document editor is misbehaving, then that needs to be dealt with. All it takes is an email message to start.

Barry handled the author fine, iirc. It's just that wg as a whole dismissed the problem even though what I predicted is exactly what happened. They wrote my concern into the security requirements with like a one sentence dismissal and everybody ignored it.



Unless you actually engaged with the process and actually made leadership aware that something was going pear-shaped, I'm not terribly sympathetic.

Isn't this thread about getting outside clue to the attention of the working groups more seamlessly? Your quoted process and sympathy is exactly the wrong way to foster that.


People seem very unwilling to walk through the conflict resolution and appeals process, and it's absolutely essential to the good functioning of the IETF that people use it from time to time. Again, the start of it is simply an email message to the chair saying "My comments are being ignored" or "The WG screwed up and made a bad technical choice". If you don't like the answers you get, well that's a different thing, but if you haven't actually engaged, you have only yourself to blame.


In OAUTH's case I did talk to Barry. For STIR after seeing what they did to Crocker at last call it was apparent that it would fall on deaf ears so why bother? I did bring it up my concern on their mailing list before I read the archives, but crickets. The flip side of this that nobody wants to be seen as an insane Casandra in case you are actually wrong.

If you want outside clue but the reality is that they treat you as the enemy, you're not going to get the desired result. Any fix for this needs to account for that.

Mike




[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux