Re: Escalation: time commitment to fix *production* security bugs for BLS RFC v4?

Hi Quan,

I think you are misunderstanding something here. Yes, of course, bugs and weaknesses in draft documents need to be fixed. Actually that is a very large part of what happens in all IETF mailing lists and meetings. But authors only fix their drafts when they have time or when there is deadline pressure. There's no direction from above, only requests. And as others have said, *nothing* is a "standard" or even a "draft standard" until it is duly approved and published as an RFC with an RFC number. (Since you mentioned that you are new to our lists, I suggest starting at https://www.ietf.org/about/participate/get-started/ for a detailed introduction.)

If people make early implementations based on drafts, bugs and vulnerabilities are to be expected.

But there is more. I gather that you are referring to an issue in draft-irtf-cfrg-bls-signature-04. That is not even an IETF draft; it's an IRTF draft, apparently being discussed in an IRTF Research Group. So it is not even remotely under consideration to become an IETF standard, so raising an issue here is completely beside the point and can have no possible results.

But there is even more. The draft is more than 6 months old and has therefore formally expired. Its own text says so: "Internet-Drafts are draft documents valid for a maximum of six months."

To be frank, anyone who runs code based on an expired research draft outside a testbed is asking for trouble. But since this is not an IETF issue, we should probably end this thread now.

Regards
   Brian Carpenter

On 27-Apr-21 03:46, Quan Thoi Minh Nguyen wrote:
> 
> 
> On Mon, Apr 26, 2021 at 8:24 AM Salz, Rich <rsalz@xxxxxxxxxx <mailto:rsalz@xxxxxxxxxx>> wrote:
> 
>       * It doesn't matter to you, but it does matter to other people like me.
> 
> 
>     You have been told several times, by several people, that a draft is not a standard. No matter what vendors do, no matter what emails say about it. Even if the subject of the document says “A Standard BLS Mechanism,” until it is an RFC it is not a standard.
> 
> 
>     People within the IETF often use the word standard in a number of ways. That doesn’t mean the document IS a standard.
> 
> 
>     I understand this is frustrating to you, but just because some vendors implemented a draft, and you found a bug, that doesn’t mean the draft authors have to push out an update immediately.
> 
> 
> Not immediately. I reported the bugs privately a long time ago through a responsible disclosure mechanism: no fixing action. Then I reported them publicly: no fixing action, no time commitment. I have been reporting security bugs many times (e.g. I reported most of the bugs (mine and on behalf of other people) in https://github.com/google/wycheproof/blob/master/doc/bugs.md), but this is the first time there has been such a strange deadlock. I understand the BLS Internet-Draft authors' perspective and I understand the library authors' perspective. I tried, but failed, to convince everyone to compromise on moving forward and fixing it :(
> 
>     There is a reason, after all, why the document is called a **draft**
> 
> 
