Information Security News mailing list archives
Re: Security Bug Disclosure Standard Dead In The Water
From: InfoSec News <isn () c4i org>
Date: Fri, 22 Mar 2002 02:06:20 -0600 (CST)
Forwarded from: security curmudgeon <jericho () attrition org>
http://www.newsbytes.com/news/02/175273.html

By Brian McWilliams, Newsbytes
BURLINGTON, MASSACHUSETTS, U.S.A., 18 Mar 2002, 2:26 PM CST

Proponents of an effort to standardize the handling of computer security vulnerabilities today aborted the effort after receiving critical comments from reviewers.

In a message today to members of the Internet Engineering Task Force's Security Area Advisory Group, the authors announced they were withdrawing the draft in response to feedback from members who felt the document was not appropriate for the IETF "since it does not deal with technical protocols."
Wonder if they had any other valid reason for rejecting this proposed RFC. I was quite vocal about the document, primarily arguing against many aspects (at least the wording of it) and shared some concerns that Guninski and others had. Despite that, there is a need for such guidelines to help bug finders AND vendors in their handling of security issues.

That said, I would love to know how this could be shot down on the grounds of it "not dealing with technical protocols" when other recent RFCs certainly don't deal with technical protocols either. What, scared to handle a topic that isn't "safe" and may cause debate? Sissies.

RFC 3233 - Defining the IETF

This document gives a more concrete definition of "the IETF" as it is understood today. Many RFCs refer to "the IETF". Many important IETF documents speak of the IETF as if it were an already-defined entity. However, no IETF document correctly defines what the IETF is.

RFC 3227 - Guidelines for Evidence Collection and Archiving

A "security incident" as defined in the "Internet Security Glossary", RFC 2828, is a security-relevant system event in which the system's security policy is disobeyed or otherwise breached. The purpose of this document is to provide System Administrators with guidelines on the collection and archiving of evidence relevant to such a security incident. If evidence collection is done correctly, it is much more useful in apprehending the attacker, and stands a much greater chance of being admissible in the event of a prosecution.

RFC 3198 - Terminology for Policy-Based Management

This document is a glossary of policy-related terms. It provides abbreviations, explanations, and recommendations for use of these terms. The document takes the approach and format of RFC 2828, which defines an Internet Security Glossary. The intent is to improve the comprehensibility and consistency of writing that deals with network policy, particularly Internet Standards documents (ISDs).

RFC 3184 - IETF Guidelines for Conduct

This document provides a set of guidelines for personal interaction in the Internet Engineering Task Force. The Guidelines recognize the diversity of IETF participants, emphasize the value of mutual respect, and stress the broad applicability of our work.