Re: [Last-Call] Last Call: <draft-foudil-securitytxt-08.txt> (A Method for Web Security Policies) to Informational RFC
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Wed, 11 December 2019 15:32 UTC
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E273512081C; Wed, 11 Dec 2019 07:32:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nif-uWKkC2Om; Wed, 11 Dec 2019 07:32:26 -0800 (PST)
Received: from mail-ot1-x32c.google.com (mail-ot1-x32c.google.com [IPv6:2607:f8b0:4864:20::32c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5FE412000F; Wed, 11 Dec 2019 07:32:25 -0800 (PST)
Received: by mail-ot1-x32c.google.com with SMTP id r27so179736otc.8; Wed, 11 Dec 2019 07:32:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=kX1RMm3ZRiz7t9BJ3+dcQxYCENsAT+VU/2jma+gwIXA=; b=NhM8t2No3+32c7Jb+LG/Gzl6aqjgJ+y9didOr+y4OnqYghtCJGK0t/+VW9VwhwEFPP VLX83UBbDTr8DTlNQfH3fhj/d79nYk3YvZJbfl1n08v6aHCEAuyYnFPW6+sVoDxbyFPS oXK+7IN07SpzwgWVQeGsch2Z0TdI65Cr/sZraVed7j7Dx7fDPM3WWeTx12SydAw61Olk QVeh3moqfDgtbZLBYG2Qqbfu1KgfQSNT/qEGUW+Kksj7FL0baVfpO/zqt8SW2FOByaMp xSKJoh5ySt/TO2QkmlAXCVeWh0ht+FS8YJ9IB6m8df39VtibuypZrmSPLUXHu/wBqe9A GOvw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=kX1RMm3ZRiz7t9BJ3+dcQxYCENsAT+VU/2jma+gwIXA=; b=O7Ve9nsY+9bEOwdNPjlu2dYI1QxxZoRVeDDwza5cqK4r1gqUfy3yfqU+bypX93a7zV JrNFffLGzr7kVRNO79lLkW1qEcXlCQiHl2Ide89QsryyT2HwaLfB+99sJ3fBqa3ZvvK6 sAgecol86lhTsF3uZqsk19HcrgsDuBobhYwQU5tPjzgS7rgNGPRswNhvou0SmC+4qAj/ Fiomo2WYCyxADUU5J78CfWej5QM7yAOPh49/6+W18YKw65qdWuw4qFcNhy9R6OJ6XUv0 MYocx1/Pfjvc0NQsC1xM/RMClttgua4mTCRK52B2vzcu1vUVqh8qxouHuDl5lDGNlRbG tdGg==
X-Gm-Message-State: APjAAAWGDSgwmC8woDqjkM/HAsDmoI2XGb3DxjXtTKiGZobylkX86C8I T9UdhlUb3PAdxRLep5cPuIHo3X6DTkG/LWTOA1U=
X-Google-Smtp-Source: APXvYqzT1jvcMWtAOdwEo71bcMMY5UiAGL363JSb8vxUom0OeQAyYuz4/F1Mt1BvqZPQGmKz2RMEd+6MUAVlPgksIm8=
X-Received: by 2002:a9d:62d5:: with SMTP id z21mr2765501otk.224.1576078345081; Wed, 11 Dec 2019 07:32:25 -0800 (PST)
MIME-Version: 1.0
References: <157591314890.2123.12378772921757205119.idtracker@ietfa.amsl.com> <1AEC1FDE-252D-4B3C-BAC8-3AECA969541F@akamai.com> <20191211104023.GA29854@nic.fr> <alpine.LRH.2.21.1912111008230.17737@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1912111008230.17737@bofh.nohats.ca>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Wed, 11 Dec 2019 10:31:49 -0500
Message-ID: <CAHbuEH7nSCO1YT_+RJ5bMcnAwcOKO=OuwD=G=SmXkkfvNiaFCg@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: IESG <iesg@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "draft-foudil-securitytxt@ietf.org" <draft-foudil-securitytxt@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e59b8605996f551d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/XcxsO1utHuVEl2CGUis-_h1HiZ4>
Subject: Re: [Last-Call] Last Call: <draft-foudil-securitytxt-08.txt> (A Method for Web Security Policies) to Informational RFC
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Dec 2019 15:32:28 -0000
Hi Paul, Thank you for your detailed comments. Your objection has been noted in the shepherd writeup with links to prior emails sent to the list. Best regards, Kathleen (shepherd hat on) On Wed, Dec 11, 2019 at 10:26 AM Paul Wouters <paul@nohats.ca> wrote: > On Wed, 11 Dec 2019, Stephane Bortzmeyer wrote: > > >> I don't know if this is substantive or not, but OpenSSL has provided > >> this since Feb 2018. > > > > % wget https://www.openssl.org/.well-known/security.txt > > > > % wget https://www.openssl.org/news/openssl-security.asc > > > > % gpg --import openssl-security.asc > > > > % wget https://www.openssl.org/.well-known/security.txt.asc > > > > % gpg --verify security.txt.asc security.txt > > gpg: Signature made Thu Jan 4 04:22:26 2018 CET > > gpg: using RSA key > EFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5 > > gpg: BAD signature from "OpenSSL OMC <openssl-omc@openssl.org>" > [unknown] > > > > This illustrates a common problem with all similar schemes: these > > files tend to rot. > > This is one of the reasons I have brought up during the discussion why > this proposal is not a good idea at all. It just provides more places > with more non-standard types of unverified, obsolete or malicious > information that are especially untrustworthy when needing to report a > compromise. The information simply can never really be trusted. > > To report issues with compromised servers, don't depend on the > compromised servers. Use DNS or WHOIS/RDAP as that is more independent > of the web servers. It has the additional benefit of being rather > independant of the web farm of the entity you are looking to contact. > > If the data is openpgp signed, I still need another place and entity to > verify the key is not something the attacker installed. > > I'm not often against a proposal - after all it is better to try and fail > and try something new than not to try. But in this case, the result of > a failed experiment is damaging. Some will assume people look at this > new location for secure data. Some will assume it secure. Heaven forbid > browsers will make this available to endusers in an automated way. It will > be stale as can already be seen here. It just adds another questionable > source of information and we do not need more of these. That is why in > this case, I am against publication of this document. > > Also, if I look at the practical way of contacting large organisations > about things, people already have a good set of patterns, and I am not > convinced this problem needs solving - and surely not in this way. > > > 1) Using twitter. Those twitter accounts are acively monitored by people > who can reach the right person for the right issues. I have a very > high success rate contacting Fortune500 companies this way. > > 2) Using the About or Contact page on the company website. > > 3) Use LinkedIn. Instead of using the "Hiring" field in a security.txt file > on a company's webserver, people will use LinkedIn, or the company's > Jobs page or About page. Even for security issues, contacting someone > of the company at Linked In might give a more reliable contact that > is independent of the entity's web or mail servers that might be > compromised. > > > Only a handful of geeks will ever look at this new .well-known location > with quickly diminishing returns. It's simply not a good enough idea > and it will result in more broken and obsolete data being published (and > harvested for spam). Having remnants of the failed experiment lying around > is harmful. > > I recommend NOT publishing this document. > > Paul > -- Best regards, Kathleen
- Re: [Last-Call] Last Call: <draft-foudil-security… Salz, Rich
- Re: [Last-Call] Last Call: <draft-foudil-security… Stephen Farrell
- Re: [Last-Call] Last Call: <draft-foudil-security… Yakov Shafranovich
- Re: [Last-Call] Last Call: <draft-foudil-security… Stephane Bortzmeyer
- Re: [Last-Call] Last Call: <draft-foudil-security… Paul Wouters
- Re: [Last-Call] Last Call: <draft-foudil-security… Kathleen Moriarty
- Re: [Last-Call] Last Call: <draft-foudil-security… Salz, Rich
- Re: [Last-Call] Last Call: <draft-foudil-security… Randy Bush
- Re: [Last-Call] Last Call: <draft-foudil-security… Phillip Hallam-Baker
- Re: [Last-Call] Last Call: <draft-foudil-security… Stephane Bortzmeyer
- Re: [Last-Call] Last Call: <draft-foudil-security… Phillip Hallam-Baker
- Re: [Last-Call] Last Call: <draft-foudil-security… Yakov Shafranovich
- Re: [Last-Call] Last Call: <draft-foudil-security… Stephane Bortzmeyer
- Re: [Last-Call] Last Call: <draft-foudil-security… Yakov Shafranovich