I sense from the earlier comments that there may be hesitation to document the flaw for fear that such documentation would facilitate exploitation before remediation is in place. It that is a possiblity, public documentation should wait until some form of private peer review can occur. I'm not speaking beyond my experience, by my impression is that CERT provides a mechanism for recording these sorts of issues allowing for review, etc. My second suggestion, if the flaw is known to be implemented in released software, contact the security departments of the distributors of such software. _______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf