Re: Method of Contact - Consultation on DRAFT Infrastructure and Services Vulnerability Disclosure Statement

Christopher Morrow <morrowc.lists@gmail.com> Thu, 06 August 2020 19:13 UTC

References: <965FAE2A-59D2-4D4B-8D95-76B84483C379@cable.comcast.com>
In-Reply-To: <965FAE2A-59D2-4D4B-8D95-76B84483C379@cable.comcast.com>
From: Christopher Morrow <morrowc.lists@gmail.com>
Date: Thu, 06 Aug 2020 15:13:05 -0400
Message-ID: <CAL9jLaa-oJ_Ogp0g8eGH3UOS2BqQ2dLD1Cfwjz6V3e+7kbHtsQ@mail.gmail.com>
Subject: Re: Method of Contact - Consultation on DRAFT Infrastructure and Services Vulnerability Disclosure Statement
To: "Livingood, Jason" <Jason_Livingood@comcast.com>
Cc: "ietf@ietf.org" <ietf@ietf.org>, Jay Daley <jay@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/_vFEor2gG-fAfDX0YdRPTYc4GWs>

I hate to be late to the party, but..

Is the overall effort here really just framing what the security.txt
for all IETF-LLC properties/things should be?
(Also I had thought Jim Duncan's security.txt thing was long since a
de facto standard... but: draft-foudil-securitytxt-09 says otherwise,
oops.)

On Thu, Aug 6, 2020 at 11:00 AM Livingood, Jason
<Jason_Livingood@comcast.com> wrote:
>
> I would love to see comment on these 2 key questions:
>
> (1) >   * The proposed mechanism for reporting a vulnerability.
>
> When I originally thought about this I was concerned at the default to use email, acknowledging that this is something with which most IETF participants are quite comfortable. I wondered if it might be better to specify that a web interface was the reporting method, which would automatically generate a report ID number on submission that a bug reporter could use for their reference later on. In contrast, an email may not arrive or may be delayed and automatically generating an acknowledgement response with a ticket/tracking number would rely on an additional system that may have communications issues with the email system.
>
> It seems like a web-based reporting system may also provide a better level of security protection by encrypting the channel & contents of the communication vs. less secure email.
>

I think the easiest thing to use is email; forcing a web interface is
rough on some folks :(
An email to a ticket system with an auto-responder (and ideally both GPG
verification inbound and signing outbound) would be nice.
That could be published on the eventual security.txt even :)
  "Send GPG-signed mail; if you can GPG sign, expect a GPG-signed mail
from our ticket system with an incident-id."

> (2) >  * What the email address should be for reports to be sent to.
>
> @Jay - Can you list the options being considered here to help aid the discussion?
>

security@ ? :)

> Thanks
> Jason
>
>
>
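The thread is about what a published security.txt should say (contact address, GPG key, and so on). As an added example, not code from the original post or from the IETF, here is a small validator for such a file. The field rules follow RFC 9116, the published successor of the draft cited above; the sample file and the contact address are constructed placeholders.

```python
"""Check a security.txt file before publishing it (added example).

Field rules follow RFC 9116; the sample below is constructed and
the addresses in it are placeholders, not real IETF contacts.
"""
from datetime import datetime, timezone

# Constructed sample of the kind of file discussed in the thread.
SAMPLE = """\
# Constructed sample, not a real IETF file
Contact: mailto:security@example.org
Encryption: https://example.org/pgp-key.txt
Expires: 2099-12-31T23:59:59Z
Preferred-Languages: en
"""

REQUIRED = ("contact", "expires")          # RFC 9116 mandatory fields
SINGLE_VALUED = ("expires", "preferred-languages")
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse_security_txt(text):
    """Return {lowercased field: [values]}; comments and blanks skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("line is not 'Field: value': %r" % raw)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate(text, now=None):
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    for name in REQUIRED:
        if name not in fields:
            problems.append("missing required field %s" % name)
    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            problems.append("%s must appear only once" % name)
    for contact in fields.get("contact", []):
        if not contact.startswith(CONTACT_SCHEMES):
            problems.append("contact is not a mailto:/https:/tel: URI: %s" % contact)
    for exp in fields.get("expires", []):
        # RFC 9116 requires an ISO 8601 datetime; "Z" means UTC.
        when = datetime.fromisoformat(exp.replace("Z", "+00:00"))
        if when <= now:
            problems.append("expires is in the past: %s" % exp)
    return problems
```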