On Wed, Dec 11, 2019 at 10:26 AM Paul Wouters <paul@xxxxxxxxx> wrote:
>
> This is one of the reasons I have brought up during the discussion why
> this proposal is not a good idea at all. It just provides more places
> with more non-standard types of unverified, obsolete or malicious
> information that are especially untrustworthy when needing to report a
> compromise. The information simply can never really be trusted.
>

To be clear, the scope of the draft is not about *compromised* servers - rather it is about reporting vulnerabilities. As described in the CERT CVD guide referenced in the draft, these are not the same thing.

This point was made earlier during the discussion on the SAAG list:

https://mailarchive.ietf.org/arch/msg/saag/zl7ZFk4esY-O-q6qHLgErVThvbE

"Incident vs. Vulnerability Response

Sometimes the term "Incident Response" is used synonymously with Vulnerability Response. These two concepts are related, but different; Vulnerability Response specifically indicates responding to reports of product vulnerabilities, usually via the CVD process, whereas Incident Response is more general and can also include other security events such as network intrusions. We will generally stick to the Vulnerability Response terminology since this work is specifically about CVD."

Thanks

--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call