Re: [art] One more thing about draft-foudil-securitytxt

Mark Nottingham <mnot@mnot.net> Thu, 14 May 2020 23:28 UTC

From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <CAAyEnSOOTkepdbKSRXzzsFR3chLAO9VcfD5ApECxAnDTy4oYfA@mail.gmail.com>
Date: Fri, 15 May 2020 09:27:43 +1000
Cc: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>, Ed Overflow <contact@edoverflow.com>, Benjamin Kaduk <kaduk@mit.edu>, yakov+ietf@nightwatchcybersecurity.com, ART Area <art@ietf.org>
Message-Id: <02EE2D30-F2D8-4AD7-BDBF-82BCB13AC8F9@mnot.net>
References: <480748CD-7043-43AC-8EBC-BF6E3F17CEA1@mnot.net> <CAAyEnSOOTkepdbKSRXzzsFR3chLAO9VcfD5ApECxAnDTy4oYfA@mail.gmail.com>
To: Yakov Shafranovich <yakov@nightwatchcybersecurity.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/art/nOGdTulVNoj5IVBA5Oog5fDh7TU>
List-Id: Applications and Real-Time Area Discussion <art.ietf.org>

Thanks! My concern is mostly that other folks might see the old approach and copy it.

Cheers,


> On 14 May 2020, at 10:38 pm, Yakov Shafranovich <yakov@nightwatchcybersecurity.com> wrote:
> 
> Hi Mark,
> 
> I agree with that observation and will add a GitHub issue to track
> this. However, the example mentioned ("Signature") was part of earlier
> drafts and was intended to be registered in the "well-known"
> namespace as mentioned here:
> https://tools.ietf.org/html/draft-foudil-securitytxt-04#section-7.1
> 
> The most recent draft no longer uses external signatures and replaces
> this with inline PGP signatures.
> 
> Thanks
> 
> On Wed, May 13, 2020 at 11:28 PM Mark Nottingham <mnot@mnot.net> wrote:
>> 
>> It looks like it's becoming common practice for security.txt files to put *other* things in the /.well-known namespace.
>> 
>> For example:
>> 
>> "Signature: https://www.patreon.com/.well-known/security.txt.sig" on www.patreon.com
>> "Signature: https://www.patreon.com/.well-known/security.txt.sig" on 1password.com
>> 
>> It might be good to mention that URLs in security.txt fields should not be in .well-known space unless registered for that purpose.
>> 
>> Cheers,
>> 
>> --
>> Mark Nottingham   https://www.mnot.net/
>> 
> 

--
Mark Nottingham   https://www.mnot.net/
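An added example, not code from the securitytxt draft or from anyone in this thread: a small Python linter for the two points raised above. It unwraps a cleartext-signed security.txt (without verifying the signature), parses the "Field: value" lines, flags any field URL that lands in /.well-known/ under a name not registered for that purpose, and flags the "Signature" field that Yakov says was dropped from the draft. The allowlist of registered well-known names (only security.txt itself) and the sample file at the bottom are assumptions of this example; the sample is constructed and its signature block is a placeholder.

```python
"""Lint a security.txt for field URLs that squat in /.well-known/.

Added example, not code from the securitytxt draft or from anyone in the
thread. Assumptions: the allowlist of registered well-known names below
(only security.txt itself) is illustrative, and the sample file at the
bottom is constructed, with a placeholder where a real PGP signature
would be.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Assumption: names we accept under /.well-known/. A real checker would
# load the IANA well-known URI registry instead of this one-entry set.
REGISTERED_WELL_KNOWN = {"security.txt"}

# Per the thread, "Signature" came from earlier drafts; the current draft
# uses an inline PGP cleartext signature instead of an external .sig file.
OBSOLETE_FIELDS = {"Signature"}

PGP_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
PGP_SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.+?)\s*$")


def strip_cleartext_signature(text: str) -> tuple[str, bool]:
    """Return (body, was_signed) for an OpenPGP cleartext-signed file.

    This only unwraps the armor so the fields can be parsed; it does NOT
    verify the signature. Use gpg or another OpenPGP tool for that.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != PGP_BEGIN:
        return text, False
    i = 1
    while i < len(lines) and lines[i].strip():  # skip "Hash: ..." armor headers
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line.strip() == PGP_SIG_BEGIN:
            break
        # Undo RFC 4880 dash-escaping ("- -----" -> "-----").
        body.append(line[2:] if line.startswith("- ") else line)
    return "\n".join(body), True


def parse_fields(text: str) -> list[tuple[str, str]]:
    """Return (field, value) pairs; comments and blank lines are ignored."""
    fields = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = FIELD_RE.match(line)
        if m:
            fields.append((m.group(1), m.group(2)))
    return fields


def well_known_squatters(text: str) -> list[tuple[str, str]]:
    """Return (field, url) pairs whose URL points into /.well-known/ under a
    name that is not registered for that purpose (the concern raised above)."""
    body, _ = strip_cleartext_signature(text)
    hits = []
    for field, value in parse_fields(body):
        parts = urlsplit(value)
        if parts.scheme not in ("http", "https"):
            continue  # mailto:, tel:, etc. have no path to squat on
        segments = [s for s in parts.path.split("/") if s]
        if (len(segments) >= 2 and segments[0] == ".well-known"
                and segments[1] not in REGISTERED_WELL_KNOWN):
            hits.append((field, value))
    return hits


def obsolete_fields(text: str) -> list[tuple[str, str]]:
    """Return (field, value) pairs that use fields dropped from the draft."""
    body, _ = strip_cleartext_signature(text)
    return [(f, v) for f, v in parse_fields(body) if f in OBSOLETE_FIELDS]


# Constructed sample; the signature block is a placeholder, not real data.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# Constructed sample security.txt, not any real site's file.
Contact: mailto:security@example.com
Canonical: https://example.com/.well-known/security.txt
Signature: https://example.com/.well-known/security.txt.sig
Encryption: https://example.com/pgp-key.txt
-----BEGIN PGP SIGNATURE-----
placeholder, not a real signature
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    for field, url in well_known_squatters(SAMPLE):
        print(f"unregistered well-known URL in {field}: {url}")
    for field, value in obsolete_fields(SAMPLE):
        print(f"obsolete field {field}: {value}")
```

Run against a fetched /.well-known/security.txt, the checker reports the "Signature: .../.well-known/security.txt.sig" pattern from the original message as an unregistered well-known URL while leaving a Canonical field that points at /.well-known/security.txt alone. The unwrapping step exists only so a cleartext-signed file parses; it is not signature verification.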