Forwarded from: security curmudgeon <jerichoat_private>

> http://www.newsbytes.com/news/02/175273.html
>
> By Brian McWilliams, Newsbytes
> BURLINGTON, MASSACHUSETTS, U.S.A.,
> 18 Mar 2002, 2:26 PM CST
>
> Proponents of an effort to standardize the handling of computer
> security vulnerabilities today aborted the effort after receiving
> critical comments from reviewers.
>
> In a message today to members of the Internet Engineering Task
> Force's Security Area Advisory Group, the authors announced they
> were withdrawing the draft in response to feedback from members who
> felt the document was not appropriate for the IETF "since it does
> not deal with technical protocols."

Wonder if they had any other valid reason for rejecting this proposed RFC. I was quite vocal about the document, primarily arguing against many aspects (at least the wording of it) and shared some concerns that Guninski and others had. Despite that, there is a need for such guidelines to help bug finders AND vendors in their handling of security issues.

That said, I would love to know how this could be shot down on the grounds of it "not dealing with technical protocols" when other recent RFCs certainly don't deal with technical protocols either. What, scared to handle a topic that isn't "safe" and may cause debate? Sissies.

RFC 3233 - Defining the IETF

This document gives a more concrete definition of "the IETF" as it is understood today. Many RFCs refer to "the IETF". Many important IETF documents speak of the IETF as if it were an already-defined entity. However, no IETF document correctly defines what the IETF is.

RFC 3227 - Guidelines for Evidence Collection and Archiving

A "security incident" as defined in the "Internet Security Glossary", RFC 2828, is a security-relevant system event in which the system's security policy is disobeyed or otherwise breached. The purpose of this document is to provide System Administrators with guidelines on the collection and archiving of evidence relevant to such a security incident. If evidence collection is done correctly, it is much more useful in apprehending the attacker, and stands a much greater chance of being admissible in the event of a prosecution.

RFC 3198 - Terminology for Policy-Based Management

This document is a glossary of policy-related terms. It provides abbreviations, explanations, and recommendations for use of these terms. The document takes the approach and format of RFC 2828, which defines an Internet Security Glossary. The intent is to improve the comprehensibility and consistency of writing that deals with network policy, particularly Internet Standards documents (ISDs).

RFC 3184 - IETF Guidelines for Conduct

This document provides a set of guidelines for personal interaction in the Internet Engineering Task Force. The Guidelines recognize the diversity of IETF participants, emphasize the value of mutual respect, and stress the broad applicability of our work.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Mar 22 2002 - 04:20:54 PST