
Well known vulnerabilities (was RE: Final pass on BOF issues for-01)



> If the language is left in, I'd prefer the following change:
> Vendors MUST provide fixes for e.g. CERT exploits for all systems
> supported at the time the exploit is discovered. Vendors MUST NOT
                                    ^^^^^^^^^^^^^

Discovered by whom?

How about "becomes well known" per the definition of well known later
in the requirement.

BTW, even though this req is slated (for now) to be moved from the
BCP doc to the info doc, I think it's worth discussing and documenting
the issues to assist in later debates.  Going into the info/non-BCP
doc will also give more freedom to capture some of the issues/ideas
that would be questionable for a BCP (e.g. things that touch on
financial, contractual issues).

Thanks,
---George