Information Security News mailing list archives

Re: Security Bug Disclosure Standard Dead In The Water


From: InfoSec News <isn () c4i org>
Date: Fri, 22 Mar 2002 02:06:20 -0600 (CST)

Forwarded from: security curmudgeon <jericho () attrition org>

http://www.newsbytes.com/news/02/175273.html

By Brian McWilliams, Newsbytes
BURLINGTON, MASSACHUSETTS, U.S.A.,
18 Mar 2002, 2:26 PM CST

Proponents of an effort to standardize the handling of computer
security vulnerabilities today aborted the effort after receiving
critical comments from reviewers.

In a message today to members of the Internet Engineering Task
Force's Security Area Advisory Group, the authors announced they
were withdrawing the draft in response to feedback from members who
felt the document was not appropriate for the IETF "since it does
not deal with technical protocols."

Wonder if they had any other valid reason for rejecting this proposed
RFC.  I was quite vocal about the document, primarily arguing against
many aspects (at least the wording of it) and shared some concerns
that Guninski and others had. Despite that, there is a need for such
guidelines to help bug finders AND vendors in their handling of
security issues.

That said, I would love to know how this could be shot down on the
grounds of it "not dealing with technical protocols" when other recent
RFCs certainly don't deal with technical protocols either. What,
scared to handle a topic that isn't "safe" and may cause debate?
Sissies.


RFC 3233 - Defining the IETF
   This document gives a more concrete definition of "the IETF" as it
   is understood today.  Many RFCs refer to "the IETF".  Many important
   IETF documents speak of the IETF as if it were an already-defined
   entity.  However, no IETF document correctly defines what the IETF
   is.

RFC 3227 - Guidelines for Evidence Collection and Archiving
   A "security incident" as defined in the "Internet Security Glossary",
   RFC 2828, is a security-relevant system event in which the system's
   security policy is disobeyed or otherwise breached.  The purpose of
   this document is to provide System Administrators with guidelines on
   the collection and archiving of evidence relevant to such a security
   incident.

   If evidence collection is done correctly, it is much more useful in
   apprehending the attacker, and stands a much greater chance of being
   admissible in the event of a prosecution.

RFC 3198 - Terminology for Policy-Based Management
   This document is a glossary of policy-related terms.  It provides
   abbreviations, explanations, and recommendations for use of these
   terms.  The document takes the approach and format of RFC 2828, which
   defines an Internet Security Glossary. The intent is to improve the
   comprehensibility and consistency of writing that deals with network
   policy, particularly Internet Standards documents (ISDs).

RFC 3184 - IETF Guidelines for Conduct
   This document provides a set of guidelines for personal interaction
   in the Internet Engineering Task Force.  The Guidelines recognize the
   diversity of IETF participants, emphasize the value of mutual
   respect, and stress the broad applicability of our work.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.
