On 03/14/2010 10:09 AM, David Morris wrote:
I sense from the earlier comments that there may be hesitation to
document the flaw for fear that such documentation would facilitate
exploitation before remediation is in place.
If one person can find it others will too...
It that is a possiblity, public documentation should wait until some form
of private peer review can occur. I'm not speaking beyond my experience,
by my impression is that CERT provides a mechanism for recording these
sorts of issues allowing for review, etc.
It's likely that remediation would have to proceed prior to revision of
docs, consider openssl, rh0, bgp ttl hack, tcp md5 protecting bgp etc.
My second suggestion, if the flaw is known to be implemented in released
software, contact the security departments of the distributors of such
software.
The would be good form. Of course when the number of people in a know
increases the likelyhood that someone malicious is likely to have that
information. Timely public exposure is important, the people with the
most exposure are not the vendors.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf