RE: Final pass on BOF issues for -01
Donald.Smith@qwest.com GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
(coffee != sleep) & (!coffee == sleep)
> -----Original Message-----
> From: Dan Hollis [mailto:goemon@anime.net]
> Sent: Friday, August 15, 2003 3:00 PM
> To: George Jones
> Cc: opsec@ops.ietf.org
> Subject: Re: Final pass on BOF issues for -01
>
>
> On Fri, 8 Aug 2003, George Jones wrote:
> > Below is the final pass/feedback on the BoF issues for -01. Also
> > includes a summary of the USENIX Security Symposium BoF on logging
> > (relevant to/overlap with opsec).
> > The work-in-progress draft is available at
> > http://www.port111.com/opsec/draft-jones-opsec-00a.txt
> > speak SOON if you want to see something changed in -01
> > ---George
>
> Addition to 4.2
>
> Vendors MUST provide fixes for e.g. CERT exploits free of charge.
> Vendors MUST NOT require customers to purchase support (or other)
> contracts in order to obtain exploit fixes. Exploit fixes MUST NOT
> result in a reduced REQUIRED feature set - except in cases where
> removing a feature entirely is the ONLY way to stop the exploit.
>
> -Dan
If a vendor adds ssh to their product, I would be happy to see them
disable/remove telnet at the same time.
Agreed?
<\humor on
Also, I'm pretty sure this requirement eliminates one vendor entirely (the
"fix" for 95 was 98, the fix for 98 was ME ...)
humor off/>
Seriously, what about support for end-of-life systems? Some vendors will
support at a bug-fix level for a year or so afterwards.