Document Action: 'A File Format to Aid in Security Vulnerability Disclosure' to Informational RFC (draft-foudil-securitytxt-12.txt)
The IESG <iesg-secretary@ietf.org> Fri, 09 July 2021 13:58 UTC
The IESG has approved the following document:
- 'A File Format to Aid in Security Vulnerability Disclosure'
  (draft-foudil-securitytxt-12.txt) as Informational RFC

This document has been reviewed in the IETF but is not the product of an IETF Working Group.

The IESG contact person is Benjamin Kaduk.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-foudil-securitytxt/

Technical Summary

This document defines a file format ("security.txt") to help organizations publish their contact information and procedures for the disclosure of security vulnerabilities. This is expected to improve the ability of security researchers to provide their results in an actionable form. Note that vulnerability disclosure is distinct from incident response; this mechanism is not necessarily well suited for use in incident response, and other mechanisms are defined for coordinating incident response.

Working Group Summary

This document is AD-sponsored, so there is no specific WG for it. However, discussion did occur on the SAAG list as well as during IETF Last Call. The document was rather contentious. The most debated point was the risk that using security.txt to report a compromise is highly flawed, since an attacker who has compromised the hosting system could change its contents. There was also discussion of whether the format should be more readily machine parsable; the current structure targets only human consumption, since human judgment will be needed for many of the steps in actually using the information it contains. Other topics from the last-call review are mentioned in the summary message of the last-call comments, available at https://mailarchive.ietf.org/arch/msg/saag/bmsyx9JKnuugpHvajw9svD0B0ks/

The document was updated to address these concerns, including emphasizing the intended use for vulnerability disclosure (not incident response) and the need for human judgment in processing the contents.

Document Quality

The security.txt file is already in use by many organizations and referenced from external documents. An informal survey of HTTP sites providing security.txt information, as summarized at https://github.com/securitytxt/security-txt/issues/191, finds that many are well formed, though some minor syntactic errors are present in others.

Personnel

The Document Shepherd is Kathleen Moriarty. The responsible AD is Benjamin Kaduk.
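The survey above notes that deployed files often carry minor syntactic errors. The following is an added example (not part of this announcement or of the draft's own code) of a minimal well-formedness check for a security.txt file; the field rules it applies (Contact and Expires required, Expires and Preferred-Languages at most once, Contact values as mailto:/tel:/https: URIs, Expires as an ISO 8601 date-time, `#` comment lines) follow the security.txt specification, and the sample files are constructed.

```python
"""Minimal security.txt well-formedness checker (added example, not from the draft)."""
from datetime import datetime, timezone

# Field names and cardinality as defined by the security.txt specification.
REQUIRED = {"contact", "expires"}
SINGLE = {"expires", "preferred-languages"}
KNOWN = REQUIRED | SINGLE | {"acknowledgments", "canonical", "encryption", "hiring", "policy"}
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")


def parse_security_txt(text):
    """Return (fields, problems); fields maps lower-cased field name -> list of values."""
    fields, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments are allowed
            continue
        name, sep, value = line.partition(":")
        if not sep or not value.strip():  # e.g. a missing colon or an empty value
            problems.append(f"line {lineno}: not a 'Field: value' line")
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, problems


def check_security_txt(text, now=None):
    """List the syntactic problems a reviewer of a deployed file would flag."""
    now = now or datetime.now(timezone.utc)
    fields, problems = parse_security_txt(text)
    for name in sorted(REQUIRED - fields.keys()):
        problems.append(f"missing required field {name.title()}")
    for name in sorted(SINGLE & fields.keys()):
        if len(fields[name]) > 1:
            problems.append(f"{name.title()} must appear only once")
    for name in sorted(fields.keys() - KNOWN):
        problems.append(f"unknown field {name}")
    for uri in fields.get("contact", []):
        if not uri.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact value is not a mailto:/tel:/https: URI: {uri}")
    for stamp in fields.get("expires", [])[:1]:
        iso = stamp[:-1] + "+00:00" if stamp[-1:] in ("z", "Z") else stamp
        try:
            expires = datetime.fromisoformat(iso)
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 date-time: {stamp}")
            continue
        if expires.tzinfo is None:  # treat a naive timestamp as UTC for comparison
            expires = expires.replace(tzinfo=timezone.utc)
        if expires <= now:
            problems.append(f"Expires is in the past: {stamp}")
    return problems
```

The check covers syntax only: as the Working Group Summary notes, nothing in the file itself tells a reader whether its contents are still the publisher's own, so the result still needs human judgment before it is acted on.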