Information Security News
mailing list archives
Re: Security Bug Disclosure Standard Dead In The Water
From: InfoSec News <isn () c4i org>
Date: Fri, 22 Mar 2002 02:06:20 -0600 (CST)
Forwarded from: security curmudgeon <jericho () attrition org>
http://www.newsbytes.com/news/02/175273.html
By Brian McWilliams, Newsbytes
BURLINGTON, MASSACHUSETTS, U.S.A.,
18 Mar 2002, 2:26 PM CST
Proponents of an effort to standardize the handling of computer
security vulnerabilities today aborted the effort after receiving
critical comments from reviewers.
In a message today to members of the Internet Engineering Task
Force's Security Area Advisory Group, the authors announced they
were withdrawing the draft in response to feedback from members who
felt the document was not appropriate for the IETF "since it does
not deal with technical protocols."
Wonder if they had any other valid reason for rejecting this proposed
RFC. I was quite vocal about the document, primarily arguing against
many aspects (at least the wording of it) and shared some concerns
that Guninski and others had. Despite that, there is a need for such
guidelines to help bug finders AND vendors in their handling of
security issues.
That said, I would love to know how this could be shot down on the
grounds of it "not dealing with technical protocols" when other recent
RFCs certainly don't deal with technical protocols either. What,
scared to handle a topic that isn't "safe" and may cause debate?
Sissies.
RFC 3233 - Defining the IETF
This document gives a more concrete definition of "the IETF" as it is
understood today. Many RFCs refer to "the IETF". Many important
IETF documents speak of the IETF as if it were an already-defined
entity. However, no IETF document correctly defines what the IETF
is.
RFC 3227 - Guidelines for Evidence Collection and Archiving
A "security incident" as defined in the "Internet Security Glossary",
RFC 2828, is a security-relevant system event in which the system's
security policy is disobeyed or otherwise breached. The purpose of
this document is to provide System Administrators with guidelines on
the collection and archiving of evidence relevant to such a security
incident.
If evidence collection is done correctly, it is much more useful in
apprehending the attacker, and stands a much greater chance of being
admissible in the event of a prosecution.
RFC 3198 - Terminology for Policy-Based Management
This document is a glossary of policy-related terms. It provides
abbreviations, explanations, and recommendations for use of these
terms. The document takes the approach and format of RFC 2828, which
defines an Internet Security Glossary. The intent is to improve the
comprehensibility and consistency of writing that deals with network
policy, particularly Internet Standards documents (ISDs).
RFC 3184 - IETF Guidelines for Conduct
This document provides a set of guidelines for personal interaction
in the Internet Engineering Task Force. The Guidelines recognize the
diversity of IETF participants, emphasize the value of mutual
respect, and stress the broad applicability of our work.
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.