Re: [dispatch] Proposal for scantxt; scanning opt-in/out, identification, verification, notification, and reporting

Ollie IETF <ietf@olliejc.uk> Sun, 04 December 2022 20:05 UTC

Return-Path: <ietf@olliejc.uk>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6844CC14CEEC for <dispatch@ietfa.amsl.com>; Sun, 4 Dec 2022 12:05:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=olliejc.uk
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yS-9DIBEV07S for <dispatch@ietfa.amsl.com>; Sun, 4 Dec 2022 12:05:36 -0800 (PST)
Received: from mail-4018.proton.ch (mail-4018.proton.ch [185.70.40.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9BFADC14F749 for <dispatch@ietf.org>; Sun, 4 Dec 2022 12:05:36 -0800 (PST)
Date: Sun, 04 Dec 2022 20:05:27 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=olliejc.uk; s=protonmail3; t=1670184333; x=1670443533; bh=QFCVeZ96cwdK9lNaj5OnuhOghIlU8VKwPHBEVmv0mmA=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=VFLWQiMmmIKEaWFyvjbEU51Imjps0ic2oi8WwKvcGeD5MOuJVLfCd+209e0CnVKLY 4trXNQrkoWjSJsAMK3qfYBlJFL5piinCINPfCl/AziVeExWixObE8UQvBfmUUgMcML EjjYAb4p4ZM5tQBwVrZwLyxE+8onQ+AOn1Gu95qYI2jUj26mf9JiqBkEBHZyhaL96l FJWckWyUSRCOTYbbxct/lnX/ELN+FsL102CFhcwPN6vGPd42SISmqaAPjlLchcgYw7 hSsoy8NYFwhpOA8dle5KKzGcihU8eFE54lfdGUNKH2UW0vVM0s/7Su6F0uyXBFPKv3 hKxvPxUichvLQ==
To: westhawk <thp@westhawk.co.uk>
From: Ollie IETF <ietf@olliejc.uk>
Cc: John R Levine <johnl@taugh.com>, Dispatch WG <dispatch@ietf.org>
Message-ID: <ULgvGpS1PsNTWH3bQRcz5tZVEO0Bh2ofpFzJSy4g7cPrHmzYv9dN26G0GOX6S7MsvZzmCdHXq-zYHeKypdGddOId6DOh7m8LjkGMRAJQcjQ=@olliejc.uk>
In-Reply-To: <1BF670ED-F5A0-47C9-AF84-F376C878E6A3@westhawk.co.uk>
References: <20221204051320.0FF0650855F1@ary.qy> <-Qj162OnP3i43R95dL09E0OpifUzGvXqwTWEE8n14tndS8OQ902nGVvUTizxttYYEdamlyG54XdgeJCyFfntI8UJnVPbPRTvJk3VL_PMgqU=@olliejc.uk> <059faafd-80b2-66c0-7d8d-0087220f92ab@taugh.com> <1BF670ED-F5A0-47C9-AF84-F376C878E6A3@westhawk.co.uk>
Feedback-ID: 63001471:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/0lGRQ_hyVDqoBKkxqrAvtU2nA3U>
Subject: Re: [dispatch] Proposal for scantxt; scanning opt-in/out, identification, verification, notification, and reporting
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dispatch/>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Dec 2022 20:05:41 -0000

> Based on my past experience of scanning, generally the folks in an org who legitimately ask for a scan aren’t the people who administer a given system.
> The day-to-day maintainers of the target system probably won’t be warned (and shouldn’t be) of a red-team exercise.
> Likewise the ‘results’ will go to the infosec department, rather than the local firewall folks.

There's quite a subject to get into here but I think you hint at cultural issues that standards like this should aim to help fix and not perpetuate those problems.
In my view the primary target of 'results' should be those responsible/accountable with running the service and the infosec team would likely want to have oversight (and create the mechanisms to get issues to the internal teams). 

> You certainly don’t want them to be able to say ’this is off limits’ because a) it would defeat the purpose of a pentest b) it would act as a red-rag-to a bull
> for all hackers of any persuasions.

I do agree with that risk so I'm leaning to remove the allow/disallow aspect and instead just have a standard approach to opt-out from an individual service.
e.g.: scantxt.app._scan.scantxt.org IN TXT "v=SCAN1; p=opt-out;" 
That said, "*._scan..." could be possible but as suggested in another reply, the intention here is to signal to legitimate, transparent scanners; I'm under no illusions this would do anything for people with a malicious intent.

Ollie