Re: [Last-Call] Last Call: <draft-foudil-securitytxt-08.txt> (A Method for Web Security Policies) to Informational RFC

Yakov Shafranovich <yakov@nightwatchcybersecurity.com> Wed, 11 December 2019 22:16 UTC

Return-Path: <yakov@nightwatchcybersecurity.com>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14634120178 for <last-call@ietfa.amsl.com>; Wed, 11 Dec 2019 14:16:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nightwatchcybersecurity-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pNxG-QSyZT6A for <last-call@ietfa.amsl.com>; Wed, 11 Dec 2019 14:16:55 -0800 (PST)
Received: from mail-pl1-x62e.google.com (mail-pl1-x62e.google.com [IPv6:2607:f8b0:4864:20::62e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE7B8120169 for <last-call@ietf.org>; Wed, 11 Dec 2019 14:16:55 -0800 (PST)
Received: by mail-pl1-x62e.google.com with SMTP id c23so143466plz.4 for <last-call@ietf.org>; Wed, 11 Dec 2019 14:16:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nightwatchcybersecurity-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=7lrKxb9/HY9OCsPE0PzfQYy9DQ72ncfQjfOXsKUAemI=; b=AwZXgNeCayJd6TcRmk34crZdeRYDMDV+gD97qfOLi5s8e4s6Ei2/F9a6bIvgPFC+v+ e8ZCARWGIXStNcm0GE5lbjVlKHvqHxYLLyOw2dyW740R9fCFftO7S/ajMKihLOr7trWM FeWvq83RiGY4L4lcFNuusV25GSy/VPd1rNDGCeVJnhcouEBgG1uyxUjZ+CUZs78jBoo4 2gQ13+esUy2BWgZfv+AFOpZ3pEMAfF94QF+hOqIVxi0yO0XTPDajEMP6WhGpSryN6d3T wF8NiA5Kxtty/KkrGnX7HMaEpn9rKHqZ/JSWZl6QHnbPhyQPP0dBX4kt6NHQvelNYdjy VzjA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=7lrKxb9/HY9OCsPE0PzfQYy9DQ72ncfQjfOXsKUAemI=; b=e5vLjbxEDkOFrshgsLe72c3Gdg+6CyUoa/F7HYDsZQlmEfROAPVVB74p5I30ZsRkDh PxWz2S592Kem5iUHt6bowvZaYbzmxmrjKGv2MtTDjMIxKJ6orztwZwGy1iwR96ZiVWez rEgmhsK+WcYm425bhNi3Le2fSt6PTJ3ax/v0vPH1mxxo1L3W7POIrVPiVsPOo706md66 9lg7O9/OqoKjb9/E9fh58bsPlMQCyjHo4uRPE28qD+r3lhNMENmisInCbQtLZSBdtKv6 93NohUiX3qllxfH0LHNJPXgKCLSU/UxwKryohA/cJ3ql9i1tGrpj6yQ1rgl1VYGgNCD9 t4/Q==
X-Gm-Message-State: APjAAAVZYTTS+IbfBQXGxs0nvJ93IILFwapdhiiNaICz8ClZ96i7NkC0 EPGwm9Q5vv+Q6tH9NQVCcDTlTECqU7c5pnbD3d6+iQ==
X-Google-Smtp-Source: APXvYqyDfJmpt7ahHjCpDh0d11wQwbFLR2AA74TUzOkBOV6MQGFrbsK5Qys+tDolLFr8it87PhOH3bZr5tmt6+E+OUY=
X-Received: by 2002:a17:902:8601:: with SMTP id f1mr5816412plo.291.1576102614499; Wed, 11 Dec 2019 14:16:54 -0800 (PST)
MIME-Version: 1.0
References: <157591314890.2123.12378772921757205119.idtracker@ietfa.amsl.com> <CAMm+LwhWpjRrZxxmupz8gbW0Go4YSm=-w3V2_NAWBLApgrCcUw@mail.gmail.com>
In-Reply-To: <CAMm+LwhWpjRrZxxmupz8gbW0Go4YSm=-w3V2_NAWBLApgrCcUw@mail.gmail.com>
From: Yakov Shafranovich <yakov@nightwatchcybersecurity.com>
Date: Wed, 11 Dec 2019 17:16:18 -0500
Message-ID: <CAAyEnSPbj=cX+ZYWGPYndaGpM764ajOysFJ_YdoyqMR5dT+avw@mail.gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Cc: last-call@ietf.org, IETF-Announce <ietf-announce@ietf.org>, Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>, draft-foudil-securitytxt@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/K1-oY4ff_2v0Gc1Gj91XD2panJA>
Subject: Re: [Last-Call] Last Call: <draft-foudil-securitytxt-08.txt> (A Method for Web Security Policies) to Informational RFC
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Dec 2019 22:16:57 -0000

On Wed, Dec 11, 2019 at 4:17 PM Phillip Hallam-Baker
<phill@hallambaker.com> wrote:
<snip>
> I would also suggest that in addition to publication via the .well-known scheme, there is a means of publication through an appropriately prefixed TXT record specifying an alternative URI. While HTTP service is ubiquitous, it is not universal. More to the point, it is highly likely that the target Web site is unavailable if there is an attack in progress.
>

Publishing via DNS has been considered and discussed several times
during the development of this draft. Because consensus couldn't be
reached, we made a decision to exclude DNS from this draft and plan to
address this via a separate draft in the future.

Thank you!