Working Group: GRIP
Reported by: Barbara Fraser

The GRIP working group met once during the 40th IETF meeting held in Washington D.C. The agenda for the meeting included the following topics:

- Review status of the current IRT draft document
- Discuss current ISP document
- Review status of future product developers document
- Suggestion for new document on standardized vulnerability reporting format

The IRT document is complete and just waiting for formal action by the IESG/IETF. The group decided that they would like to submit the document for consideration as a BCP, and this will be done immediately after the IETF meeting.

Most of the meeting was spent discussing the current -01 draft of the ISP document (draft-ietf-grip-isp-01.txt). There had been discussion on the mailing list concerning two recommendations included in the draft. These were: 1) ingress filtering and 2) open mail relays. There was consensus in the group to accept the current wording of the document with regard to both of these topics. The document editor will solicit comments from the ADs as well as other ISPs, and if they can't support the recommendations, he will ask for specific examples of why the recommendations are flawed. The editor will change the phrase "unsolicited commercial e-mail" to "unsolicited bulk email" to better describe the recommendation, since it isn't only commercial organizations who send unsolicited email.

One other topic concerning the ISP document came up. A person in the community emailed Barbara about the relationship between this document and the SSE-CMM work going on in the community. Barbara will take the action item to review the SSE-CMM material for relevance and forward to the list any specifics, which Tom can then incorporate into the draft document.

The group briefly discussed the technology producer document, and two people volunteered to develop a draft from the current outline. This will be ready by the end of January.

There was a suggestion to develop a document that would describe a common formatting for vulnerability reports. Computer incident response teams (e.g., CERT/CC), product vendors, and other organizations create their own documents with unique formatting. If these conformed to a set of basic guidelines, software could be written to parse the text to facilitate forwarding pertinent information to those who need it. This is currently a difficult task given the variety of formats. It was decided to encourage the author to write the draft document and the group would decide how to handle it once it existed.

Dates:

- ISP draft -02 from Tom Killelea: week of December 15
- Informational RFC/BCP status for ISP document: by January 15
- Submit IRT document to IETF last call for BCP action: week of December 15
- Updated ISP draft -03: third week of January
- Final ISP draft: 2nd week February
- Submit ISP document to IETF last call for BCP action: March 1
- Informational RFC/BCP status: by March 31, 1998