ietf

Re: Status of draft-christey-wysopal-vuln-disclosure-00.txt

2002-12-26 11:42:17
On Thu, 26 Dec 2002 01:18:07 -1000, Jason Coombs said:
> Thanks for the replies, those of you who have already provided feedback on
> my inquiry into currently-accepted best practices for responsible disclosure
> considering the disappearance of
> draft-christey-wysopal-vuln-disclosure-00.txt ... Enclosed below is a
> security alert issued today that includes a revised Responsible Disclosure
> section that I think would make a good starting point for a new Internet
> Draft.

Jason - I think you misunderstood something in a very major way...

> Neither its authors nor any other party chose to advance a responsible
> disclosure standard through any IETF working group due to lack of interest.
> Therefore the following observations take priority as de facto "best
> practices" for information security and encryption research and responsible
> communication of security- and cryptography-related vulnerability findings:

The general consensus as I read it was that the christey-wysopal draft was
generally considered a very good and reasonable document.

The only reason it did not get progressed through the IETF process was that
there was a general belief that the *subject matter* was not an IETF issue.
It's important, but it's not a topic we write RFCs about.

This is something that probably some other group should be running with.
I've taken the liberty of cc:ing some of the people at SANS and the
Center for Internet Security in hopes that they'll either pick it up or
know who should be doing it.
-- 
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech
