
Re: Final pass on BOF issues for -01



On Fri, 15 Aug 2003, Dan Hollis wrote:

> On Fri, 8 Aug 2003, George Jones wrote:

> > The work-in-progress draft is available at
> >     http://www.port111.com/opsec/draft-jones-opsec-00a.txt
> > speak SOON if you want to see something changed in -01

-01 was submitted last week.  Changes (see below) queued for -02

Still waiting for I-D editor to post -01 on IETF site.  Available now at
http://www.port111.com/opsec/draft-jones-opsec-01.txt

> Addition


> Exploit fixes MUST NOT result in a
> reduced feature set - except in cases where removing a feature entirely
> is the ONLY way to stop the exploit.

No problem here.   Added.

> Vendors MUST provide fixes for e.g. CERT exploits free of charge. Vendors
> MUST NOT require customers to purchase support (or other) contracts in
> order to obtain exploit fixes.

From a customer perspective, I understand and completely agree.  You
purchase functioning product, the environment changes, you expect the
product to keep functioning.

From a vendor perspective, I can see this as a series of open-ended
expenses (read: unprofitable).

From a standards perspective, I'm not sure it's a good idea to write
in non-functional things which are essentially contract issues.

The meta issue is: when a vendor releases a product at a given point
in time, is there an implication/expectation/commitment that it will
continue to function for a given period of time, even in the presence
of attacks that were not known at the time of release?  If so, where
should this expectation be codified (standards, contracts, by script
kiddies demonstrating failures...)

What about end-of-lifed products ?

Thanks,
---George