Re: [Last-Call] Last Call: <draft-foudil-securitytxt-08.txt> (A Method for Web Security Policies) to Informational RFC

Phillip Hallam-Baker <phill@hallambaker.com> Wed, 11 December 2019 21:17 UTC

From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Wed, 11 Dec 2019 16:17:36 -0500
Message-ID: <CAMm+LwhWpjRrZxxmupz8gbW0Go4YSm=-w3V2_NAWBLApgrCcUw@mail.gmail.com>
To: last-call@ietf.org
Cc: IETF-Announce <ietf-announce@ietf.org>, Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>, draft-foudil-securitytxt@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/DOH5NHcDKeQEVGpWox43w1BHOrE>

I support publication of the document provided that it is renamed.

The current title is confusing as what is described is not a security
policy according to the accepted term of art. It may contain a link to a
policy but that is not the primary subject matter. The term 'security
description' is a possible alternative.

I would also suggest that in addition to publication via the .well-known
scheme, there is a means of publication through an appropriately prefixed
TXT record specifying an alternative URI. While HTTP service is ubiquitous,
it is not universal. More to the point, it is highly likely that the target
Web site is unavailable if there is an attack in progress.
On Mon, Dec 9, 2019 at 12:39 PM The IESG <iesg-secretary@ietf.org> wrote:

>
> The IESG has received a request from an individual submitter to consider the
> following document: - 'A Method for Web Security Policies'
>   <draft-foudil-securitytxt-08.txt> as Informational RFC
>
> The IESG plans to make a decision in the next few weeks, and solicits final
> comments on this action. Please send substantive comments to the
> last-call@ietf.org mailing lists by 2020-01-06. Exceptionally, comments may
> be sent to iesg@ietf.org instead. In either case, please retain the beginning
> of the Subject line to allow automated sorting.
>
> Abstract
>
>
>    When security vulnerabilities are discovered by independent security
>    researchers, they often lack the channels to report them properly.
>    As a result, security vulnerabilities may be left unreported.  This
>    document defines a format ("security.txt") to help organizations
>    describe the process for security researchers to follow in order to
>    report security vulnerabilities.
>
> The file can be obtained via
> https://datatracker.ietf.org/doc/draft-foudil-securitytxt/
>
> IESG discussion can be tracked via
> https://datatracker.ietf.org/doc/draft-foudil-securitytxt/ballot/
>
> No IPR declarations have been submitted directly on this I-D.
>
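As an added example (not from the draft or from anyone in this thread), here is how a reporter's tooling could apply the fallback suggested in the reply above: try the .well-known path first and, if the site is unreachable, consult a prefixed DNS TXT record for an alternative URI. The `_security` label, the `v=sectxt1; uri=` record syntax and the example.com/example.net hosts are assumptions, since the draft defines only the .well-known location; the fetch and lookup functions are injected so the code runs offline on constructed data.

```python
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/security.txt"   # path defined by the draft
TXT_LABEL = "_security"                    # assumed DNS prefix, not standardized

def parse_security_txt(body: str) -> Dict[str, List[str]]:
    """Parse 'Field: value' lines ('#' lines are comments) into field -> values."""
    fields: Dict[str, List[str]] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # skip malformed lines instead of rejecting the whole file
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    if "contact" not in fields:
        raise ValueError("security.txt requires at least one Contact field")
    return fields

def uri_from_txt_records(records: List[str]) -> Optional[str]:
    """Assumed record syntax: 'v=sectxt1; uri=https://...'. Only https URIs are
    accepted, so a spoofed DNS answer cannot send reporters to a plaintext URL."""
    for rec in records:
        parts = dict(p.strip().split("=", 1) for p in rec.split(";") if "=" in p)
        uri = parts.get("uri", "")
        if parts.get("v") == "sectxt1" and urlparse(uri).scheme == "https":
            return uri
    return None

def locate(domain: str, fetch: Callable[[str], Optional[str]],
           lookup_txt: Callable[[str], List[str]]) -> Tuple[Optional[str], Optional[dict]]:
    """Try the .well-known URL; if the site is unreachable, fall back to DNS."""
    primary = f"https://{domain}{WELL_KNOWN}"
    body = fetch(primary)
    if body is None:  # site down (e.g. during an incident): look for an alternative
        primary = uri_from_txt_records(lookup_txt(f"{TXT_LABEL}.{domain}"))
        body = fetch(primary) if primary else None
    return (primary, parse_security_txt(body)) if body is not None else (None, None)

# Constructed offline stand-ins: the primary site is "down", the backup host answers.
SAMPLE = "# constructed sample\nContact: mailto:security@example.com\nEncryption: https://backup.example.net/pgp.txt\n"
BACKUP = "https://backup.example.net/security.txt"

def demo_fetch(url: str) -> Optional[str]:
    return SAMPLE if url == BACKUP else None

def demo_lookup(name: str) -> List[str]:
    return ["v=sectxt1; uri=" + BACKUP] if name == "_security.example.com" else []
```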