
Re: Error in Security Considerations in an RFC

2010-03-14 12:49:00
On 3/14/2010 9:16 AM, Russ Housley wrote:
An errata is the best way to have this type of change documented.  At
least it will be captured for people to consider, and if the document is
ever updated, it will serve as a reminder.

Russ

Isn't this one of the risks with creating standards which authorize
their use in any form or any level of completeness???

I bring this up because people who are going to build evil code per se
are just going to do that and the IETF license will not stop them.
However those who just implement partial functionality under a lot of
IETF protocols have caused huge amounts of damage IMHO to both the state
of the security in IETF offerings and in other IP which is leveraged
against it.

Another issue is coming to light now and that is the standard-of-care
for the use of a protocol in production of anything.  These are things
we still laugh at here in the IETF but in places like a couple of the
Communications and CDE vendors' Legal departments they are not laughing
so loudly anymore.

This is reality - accountability is important and the integrity of the
standards process is equally important to the work that is created as a
joint engineering work project between those pursuing the standard.

It's about accountability in the bigger picture because things happening
inside the IETF standards process, for better or worse, do directly
affect the world around them.

I have brought this up before that there should be in each RFC a
Statement of Use and a "Minimum Competency" (in regard to the minimum
set of features) as a requirement for use of the IP in the RFC to
implement a protocol.

On 3/13/2010 3:35 AM, Florian Weimer wrote:
I've come across an RFC which basically says, "in order to do X safely,
perform checks Y before you do X".  It turns out that it's possible to
evade those checks. 

To fix this you would have to submit a protocol to the IETF with a
specific set of constraints on it saying that "Any 3rd party
implementations of this Protocol Standard must implement the specified
minimum functionality to be licensed from the IETF"

What should I do about it?  I've already
contacted the author, and he says that no update to the RFC is
planned.  Should I just file an errata?  The problem is not really
critical, fortunately.

(The nature of the protocol makes it pretty much impossible to notify
implementers privately.)
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf



Attachment: tglassey.vcf
Description: Vcard
