Adventures in Network Security

"This is not the vulnerability you are looking for. Move along"



Network World Fusion, 02/15/05

With respect to the IDN security issue announced at Shmoocon, I see that Paul Hoffman has a blog on this. (Paul Hoffman, of the VPNC, was an IETF author on the IDN standard. Eric Johanson is the Shmoo who announced the IDN issue.)

I never contacted him about this problem because I thought it was an implementation issue. I was busy, and it didn't occur to me that getting Eric Johanson and Paul Hoffman in touch with each other would make sense. In retrospect, it in fact violates the letter of the policy the Shmoo had in place, which was to not discuss this externally until a conclusion had been reached. Since Paul's not a vendor, that means we shouldn't have talked to him beforehand. As a specific example, Apple's response asked Eric to not discuss this with "anyone else", and that would presumably include Paul.

Standard dogma, even though I think it's wrong, is that "IETF does not discuss implementation issues". So, I considered this an implementation issue. I watched, on the closed peer review list, as Eric tried to talk to the various vendors, who either went into denial, refused feedback, or declared it a non-problem.

So I didn't think Eric needed to talk to Paul, since Paul doesn't own any code that was in question.

By the way, I find it fascinating that we have the vendors shouting that it's a non-problem and members of the community scolding Eric for having announced this problem. It can't be both a problem and a non-problem at the same time.

I am not trying to promote either side of the IDN issue itself. I do think it's worth observing what happens when you get someone trying to report a vulnerability and the vendor/implementors are in denial.
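The IDN issue referred to throughout this post is the homograph problem: a hostname label can contain characters from more than one script that render identically (a Cyrillic "а" beside Latin letters, for instance), so a registered look-alike name displays like the real one. Whatever one thinks of the disclosure argument above, the defensive check that the vendors were being asked about is small. The following is an added example written for this page, not code from the post, from Network World, or from any of the implementors discussed; it uses only Python's standard library and assumes a coarse heuristic for "script" (the first word of a character's Unicode name), which is an assumption of this example rather than a Unicode-standard script lookup.

```python
import unicodedata

# Characters allowed in any label regardless of script (hyphen and digits).
_SCRIPT_NEUTRAL = set("-0123456789")


def label_scripts(label: str) -> set:
    """Return the set of scripts used in one hostname label.

    Heuristic (an assumption of this example): the first word of a
    character's Unicode name ("LATIN", "CYRILLIC", "GREEK", ...) stands in
    for its script. Coarse, but it needs nothing beyond the standard library.
    """
    scripts = set()
    for ch in label:
        if ch in _SCRIPT_NEUTRAL:
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ", 1)[0] if name else "UNKNOWN")
    return scripts


def to_unicode(hostname: str) -> str:
    """Accept either the ACE ("xn--") form or the Unicode form; return Unicode."""
    if hostname.isascii():
        # Python's built-in idna codec decodes punycode labels back to Unicode.
        return hostname.encode("ascii").decode("idna")
    return hostname


def find_mixed_script_labels(hostname: str) -> list:
    """List (label, sorted scripts) for every label that mixes scripts."""
    findings = []
    for label in to_unicode(hostname).split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            findings.append((label, sorted(scripts)))
    return findings


if __name__ == "__main__":
    # Constructed sample hostnames: the second replaces the first Latin "a"
    # in "paypal" with CYRILLIC SMALL LETTER A (U+0430).
    samples = [
        "paypal.com",
        "p\u0430ypal.com",
        "p\u0430ypal.com".encode("idna").decode("ascii"),  # same name, ACE form
        "пример.рф",  # single-script non-Latin label: legitimately not flagged
    ]
    for host in samples:
        print(host, "->", find_mixed_script_labels(host) or "ok")
```

A mixed-script check of this kind is what browsers later adopted as part of their IDN display policy. Its known limitation is the whole-script confusable: a label made entirely of Cyrillic letters that each resemble a Latin letter passes this test, so a complete policy also needs per-script confusable tables or a per-TLD allowlist.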
