Bugtraq mailing list archives

Re: NMRC Advisory - KeyManager Issue in ISS RealSecure on Nokia Appliances


From: Georgi Guninski <guninski () guninski com>
Date: Thu, 21 Mar 2002 14:51:39 +0200

hellNbak wrote:

..snip..


Comments/Rants
--------------

No NMRC advisory, let alone one written by me would be complete without
some sort of rant so here it goes;

Responsible Disclosure and the IETF:  I applaud Chris Wysopal and Steve
Christey for their efforts in attempting to bring a standard to
vulnerability disclosure.  I may not have agreed with the entire document
but at least these two guys were willing to take input from the community
as a whole.  I hope the standard finds a home and eventually evolves to
something acceptable by the research community as a whole.  Trust me folks
-- we do not want government, or any vendor to do this for us.  Too bad
the IETF doesn't have the balls or brains to deal with this issue.

..snip..

I disagree with you.
This RFC was quite a bad idea.
I like it that according to this
http://jis.mit.edu/pipermail/saag/2002q1/000568.html
the IETF is currently quitting from this project.
My thoughts on the subject are available at:
http://jis.mit.edu/pipermail/saag/2002q1/000498.html
http://www.guninski.com/rfcsec.html

For me this draft RFC was quite driven by at least one large corporation.

Sure, if large corporations buy enough politicians they may pass laws
in some countries which outlaw even thinking about bugs in their "supreme warez".

But this won't help at all, the most it can do is drive people who disclose bugs
underground, which IMHO will be much worse for users than the current situation.

So my advice to the future of this draft RFC is "be careful what you wish for".

Just my 2 stotinki,
Georgi Guninski



