On 11 Jan 2016, at 12:11, IETF Secretariat wrote:
A new IETF non-working group email list has been created.
List address: oauth-security-reports@xxxxxxxx
Archive:
https://mailarchive.ietf.org/arch/search/?email_list=oauth-security-reports
To subscribe:
https://www.ietf.org/mailman/listinfo/oauth-security-reports
[...]
This list was created to allow security researchers and other parties
to submit information related to discovered security
vulnerabilities concerning the OAuth specifications and OAuth
implementations.
Seeing that and reading the full description both in the provided
"Purpose" section as well as in the "About" on the mailing-list signup
page, I had the following comments/questions:
. The text explicitly says confidentiality is a goal, but seemingly
invites membership subscription requests,
. The (currently empty) archives look to be publicly readable,
. If the list is to be open (both to subscriptions and archive viewing),
should the description be amended?
. If the description indicates the list is intended to be closed but
advertised as a place to blindly send reports, should the list configs
and archive access be modified and is there a list of who the final
recipients might be or a page with expected turn-around time or
consequences?
Curious,
Philip