Re: Error in Security Considerations in an RFC

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 3/14/2010 9:16 AM, Russ Housley wrote:
> An errata is the best way to have this type of change documented.  At
> least it will be captured for people to consider, and if the document is
> ever updated, it will serve as a reminder.
> 
> Russ

Isn't this one of the risks with creating standards which authorize
their use in any form or any level of completeness???

I bring this up because people who are going to build evil code per se
are just going to do that and the IETF license will not stop them.
However those who just implement partial functionality under a lot of
IETF protocols have caused huge amounts of damage IMHO to both the state
of the security in IETF offerings and in other IP which is leveraged
against it.

Another issue is coming to light now and that is the standard-of-care
for the use of a protocol in production of anything.  These are things
we still laugh at here in the IETF but in places like a couple of the
Communications and CDE vendor's Legal departments they are not laughing
so loudly anymore.

This is reality - accountability is important and the integrity of the
standards process is equally important to the work that is created as a
joint engineering work project between those pursuing the standard.

Its about accountability in the bigger picture because things happening
inside the IETF standards process for better or worse, do directly
effect the world around them.

I have brought this up before that there should be in each RFC a
Statement of Use and a "Minimum Competency" (in regard to the minimum
set of features) as a requirement for use of the IP in the RFC to
implement a protocol.
> 
> On 3/13/2010 3:35 AM, Florian Weimer wrote:
>> I've come across a RFC which basically says, "in order to do X safely,
>> perform checks Y before you do X".  It turns out that it's possible to
>> evade those checks. 

To fix this you would have to submit a protocol to the IETF with a
specific set of constraints on it saying that "Any 3rd party
implementations of this Protocol Standard must implement the specified
minimum functionality to be licensed from the IETF"

>> What should I do about it?  I've already
>> contacted the author, and he says that no update to the RFC is
>> planned.  Should i just file an errata?  The problem is not really
>> critical, fortunately.
>>
>> (The nature of the protocol makes it pretty much impossible to notify
>> implementers privately.)
>> _______________________________________________
>> Ietf mailing list
>> Ietf@xxxxxxxx
>> https://www.ietf.org/mailman/listinfo/ietf
>>
> _______________________________________________
> Ietf mailing list
> Ietf@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/ietf
> 

begin:vcard
fn:Todd Glassey
n:Glassey;Todd
email;internet:TGlassey@xxxxxxxxxxxxx
x-mozilla-html:FALSE
version:2.1
end:vcard

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]