On 31/03/2022 02:08, John C Klensin wrote:
--On Thursday, March 31, 2022 00:57 +0200 Robert Raszuk
<robert@xxxxxxxxxx> wrote:
Hi,
We are observing more and more bogus RFC Errata submissions
which make no sense technically.
Some of them look like phishing attempts to get valid email
addresses of those kind enough to respond to the author.
Perhaps it's time to require IETF login authentication before
submitting RFC errata? Interestingly the email addresses of
folks reporting it are also never seen on any IETF WG list so
that could also be a perhaps valid auto check.
I suggested this (after getting tangled up in one of those
submissions) some days ago. To summarize John Levine's response
and our discussion in the hope of saving time:
* An effort is in progress to get a CAPTCHA into the submission
process.
* If changes such as requiring an IETF login (as both you and I
proposed) are desired, they probably have to await complete
rebuilding of the RPC's tool set for which there is now an RFP
in progress.
* The RPC does try to remove these bogus submissions after
a few days so they don't clutter the permanent errata record.
That suggests to me that waiting several days before responding
to an errata report might represent good judgment and some
protection against attacks (if they actually are attacks).
My experience is that they are removed much more quickly than that and
so are not much of a problem for users. I would resist the idea of a
login, as Brian says. A three-way handshake would do, as would a
CAPTCHA although I did see a report a few years ago that hackers could
now defeat them.
Tom Petch
best,
john