Re: Error in Security Considerations in an RFC

On 03/14/2010 10:09 AM, David Morris wrote:
> 
> I sense from the earlier comments that there may be hesitation to
> document the flaw for fear that such documentation would facilitate
> exploitation before remediation is in place.

If one person can find it others will too...

> If that is a possibility, public documentation should wait until some form
> of private peer review can occur. I'm not speaking beyond my experience,
> but my impression is that CERT provides a mechanism for recording these
> sorts of issues allowing for review, etc.

It's likely that remediation would have to proceed prior to revision of
docs, consider openssl, rh0, bgp ttl hack, tcp md5 protecting bgp etc.

> My second suggestion, if the flaw is known to be implemented in released 
> software, contact the security departments of the distributors of such
> software.

That would be good form. Of course, as the number of people in the know
increases, so does the likelihood that someone malicious has that
information. Timely public exposure is important; the people with the
most exposure are not the vendors.

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
