On Thu, 26 Dec 2002 01:18:07 -1000, Jason Coombs said:
> Thanks for the replies, those of you who have already provided feedback on
> my inquiry into currently-accepted best practices for responsible disclosure
> considering the disappearance of
> draft-christey-wysopal-vuln-disclosure-00.txt ... Enclosed below is a
> security alert issued today that includes a revised Responsible Disclosure
> section that I think would make a good starting point for a new Internet
> Draft.
Jason - I think you misunderstood something in a very major way...
> Neither its authors nor any other party chose to advance a responsible
> disclosure standard through any IETF working group due to lack of interest.
> Therefore the following observations take priority as de facto "best
> practices" for information security and encryption research and responsible
> communication of security- and cryptography-related vulnerability findings:
The general consensus as I read it was that the christey-wysopal draft was
generally considered a very good and reasonable document.
The only reason it did not get progressed through the IETF process was that
there was a general belief that the *subject matter* was not an IETF issue.
It's important, but it's not a topic we write RFCs about.
This is something that probably some other group should be running with.
I've taken the liberty of cc:ing some of the people at SANS and the
Center for Internet Security in hopes that they'll either pick it up or
know who should be doing it.
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech