From mboxrd@z Thu Jan 1 00:00:00 1970 From: Ian Jackson Subject: Re: Security policy ambiguities - XSA-108 process post-mortem Date: Mon, 10 Nov 2014 17:42:53 +0000 Message-ID: <21600.63773.32400.553359@chiark.greenend.org.uk> References: <21557.24142.873029.148164@mariner.uk.xensource.com> <21557.50031.783473.873273@chiark.greenend.org.uk> <20141022232354.GA27437@mail.waldi.eu.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <20141022232354.GA27437@mail.waldi.eu.org> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: Bastian Blank Cc: xen-devel@lists.xen.org List-Id: xen-devel@lists.xenproject.org Bastian Blank writes ("Re: [Xen-devel] Security policy ambiguities - XSA-108 process post-mortem"): > On Thu, Oct 09, 2014 at 12:06:23AM +0100, Ian Jackson wrote: > > The -discuss list is moderated by the Xen Project Security Team. > > Announcements of private availability of fixed versions, and > > technical messages about embargoed advisories, will be approved. > > Messages dealing with policy matters will be rejected with a > > reference to the Security Team contact address and/or public Xen > > mailing lists. > > Why do you think such a hypotetical list needs to be moderated? Good question. Primarily because I anticipate two potential failure modes: 1. People posting non-password-protected URLs, or the like. If the list is moderated we can notice this quickly and hopefully have things taken down. 2. Predisclosure list members using the embargoed-information-sharing forum as a venue for political consensus-building, planning, and pressurising. Of these I am most worried about the 2nd. We have already suffered from a few very dramatic incidents, where predisclosure list members used their privileged informational position to try to gain advantage in policymaking and policy interpretation. The idea that the predisclosure list members are somehow the most proper or most real stakeholders and that it is their opinion which ought to count is distressingly prevalent - especially, it appears, amongst some of the senior management of some predisclosure list members. When a security crisis is in full swing, such management often becomes involved. As I say we have had multiple occasions where intense political pressure was applied. It would be a very bad idea to explicitly provide a forum which predisclosure list members - whose interests are ill-aligned with those of the public at large - could use for confidential lobbying, political coordination, and networking. (It might even be illegal; private collusion by predisclosure list members to manipulate policymaking might well sometimes be illegal in any case.) If the list is to be unmoderated, at the very least, we would need an automatic mechanism which would publish all of the exchanges on a particular issue at the end of its embargo. ATM we don't have software to do that. > > List members who are service providers may deploy fixed versions > > during the embargo, PROVIDED THAT any action taken by the service > > provider gives no indication (to their users or anyone else) as to > > the nature of the vulnerability. > > Why this constraint to "who are service providers"? Thanks for pointing out this problem. This was not intended to be a constraint; it was intended to mean `_even_ those who are service providers'. Since it was previously `obvious' that people with private Xen deployments can deploy fixes when they get them. I will make a revised proposal for wording in this area. > > The Security Team should be forbidden from trying to hunt down > > eligibility information etc. and should instead be mandated to reject > > incomplete requests. > > The Security Team has no discretion to accept applications which do > > not provide all of the information required above. > > Is there are particular reason why do you want to restrict them? As a member of the Security Team I would like to be able to say `sorry your application did not qualify'. I don't want to have to say `sorry your application didn't quite meet the criteria and we have chosen not to exercise our discretion'. Thanks, Ian.