Re: [saag] results of IETF LC for draft-foudil-securitytxt-08 and next steps
Yakov Shafranovich <yakov@nightwatchcybersecurity.com> Mon, 13 July 2020 01:00 UTC
Return-Path: <yakov@nightwatchcybersecurity.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA8163A00C0 for <saag@ietfa.amsl.com>; Sun, 12 Jul 2020 18:00:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level:
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nightwatchcybersecurity-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JoIy68NDE6xj for <saag@ietfa.amsl.com>; Sun, 12 Jul 2020 18:00:21 -0700 (PDT)
Received: from mail-pj1-x1043.google.com (mail-pj1-x1043.google.com [IPv6:2607:f8b0:4864:20::1043]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE5443A0063 for <saag@ietf.org>; Sun, 12 Jul 2020 18:00:21 -0700 (PDT)
Received: by mail-pj1-x1043.google.com with SMTP id t15so5352290pjq.5 for <saag@ietf.org>; Sun, 12 Jul 2020 18:00:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nightwatchcybersecurity-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xGkvPOznVm6Xc3iZofXOyR5qX4nlLKl6hwQQMX0GIfE=; b=b4hl5sWIis1vOqbZxhTrHIZbI4OXW1oMMI9buTMHG6lJY6j+7ALMsQsz7PHbQIr7tG 0wlcVxS/mFgKZn2ttyYIn1gNMiQmZriLEWBwiHqRL+jkeglbblmN/whTDv5y7JmVOtpG 0KV1Kx5DGSwCw+HZbAOka/PwJKx8syRhIlttxJofin4PncgFZ6SNrRNyfKelnChGjy8R yvZVK9jdGE4VI8TAoPZq50DAQBtu8aXibaY2N9tfAA/mYlYunZ1xesklyGz+D2dCK6rg 6L8X7xdSKVgc0Bc0wqILvJeyTRp6Cwm5BPLudTQMISX6WL5OhTw6BDtIqB3o079p4BGr eXvw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xGkvPOznVm6Xc3iZofXOyR5qX4nlLKl6hwQQMX0GIfE=; b=UkO0ajHT/3h3EsagBpl5q7rPIQ3tGb+AT4IbSR1stCKVC+LLKayoOE/BbnEf3sOazk 9x7ozWZhPDKbiZue8vvPy7Fg4zInvbRBZBWItT1gQysTsKejaVWbcpuReemkoSZTwdJr tsHO34zkqS6y0TehcbLwgpeFZQ3sPMEeDYnEKXy6hZaSav49zMf7uGaWUtymJBYAtIUp RV87qbvHGx0hO2773hDJxqrVg8/2jW4cSd/t6ypaGK8ub6DcBxSW9Yv32SVYWdSoeewI Efmw9e6zlCaACjxbCt78kqZDLtYM3N39cPXt+qECgby8bxIhn8G6DghTErVZdRL2knYB DvxQ==
X-Gm-Message-State: AOAM533Pxe+MSmspXFRoJkU1kCxtU12reMyqgmiF0RJWD8rzUer7mIQ2 Ds2nSNG272PvqLAn/ZEgtY7WYtN/UUH2rYMR+hZ9gQ==
X-Google-Smtp-Source: ABdhPJwZbIafPKI/TSkJqt7u0ASqY0N8JHOsG78R/I+tFiIM7ua+PiExHmsyNLeCd1tcF+Kq7Qmhz06yWEuwgqZsWB0=
X-Received: by 2002:a17:90a:fe6:: with SMTP id 93mr16998381pjz.145.1594602021362; Sun, 12 Jul 2020 18:00:21 -0700 (PDT)
MIME-Version: 1.0
References: <20200630222455.GX58278@kduck.mit.edu> <12504.1593572624@localhost> <20200702034828.GB16335@kduck.mit.edu>
In-Reply-To: <20200702034828.GB16335@kduck.mit.edu>
From: Yakov Shafranovich <yakov@nightwatchcybersecurity.com>
Date: Sun, 12 Jul 2020 20:59:45 -0400
Message-ID: <CAAyEnSM_Uthp-1MZ-8wiutoHCgbrkVjdmeJfO488ju+qCcEQGg@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, draft-foudil-securitytxt@ietf.org, Security Area Advisory Group <saag@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/4WNfa0wglCBsTvex4AN6eehyvQk>
Subject: Re: [saag] results of IETF LC for draft-foudil-securitytxt-08 and next steps
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2020 01:00:25 -0000
On Wed, Jul 1, 2020 at 11:48 PM Benjamin Kaduk <kaduk@mit.edu> wrote: > > Hi Michael, > > On Tue, Jun 30, 2020 at 11:03:44PM -0400, Michael Richardson wrote: > > > > Benjamin Kaduk <kaduk@mit.edu> wrote: > > > The topic of use for reporting compromise vs. vulnerability was raised by > > > many reviewers, to the extent that it seems like it would be very > > > challenging to craft text that would definitively convince the reader to not > > > use the contents of the files for reporting cases of active compromise, > > > > When you say, "reporting compromise" do you think that reviewers/commenters > > were limiting this to talking about reporting that example.com (where you > > found security.txt) is compromised, or is it about any part of example.com? > > My understanding is that that's what was so controversial, yes. (Note that > the draft is quite clear that https://example.com/.well-known/security.txt > does not apply to *.example.com, and one of the points I'd like further > clarifying text on is whether the file on the web is useful for non-web > stuff.) > > > I ask because there is a continuity of things between for instance, > > 1) reporting that Example.COM "Smart" refriderators are vulnerable (and > > maybe have been compromised already), > > 2) to reporting that gitlab.example.com (where the fridge source code is > > kept) is running a potentially vulnerable version of gitoris, > > 3) to reporting that update.example.com (where the signed images are kept) > > is full of trojaned code > > 4) to reporting that smtp.example.com seems to forward malware through > > the mailing lists maintained there > > 5) to reporting that www.example.com has been p0wned. > > Indeed, and well said. > > > My observation is that most of the discussion ratholed around (5), > > completely ignoring other benefits. I don't think that any amount of text we > > I agree. Note that I myself was not fully clear on these cases in my > writeup -- I mentioned compromise in the context of "systems involved in > retrieving security.txt" in one place but just the (presumed broader scope) > "compromise" in the high-level summary. > This is why CERT's CVD makes the distinction between "vulnerability response" and "incident response": https://vuls.cert.org/confluence/display/CVD/1.2.+CVD+Context+and+Terminology+Notes "These two concepts are related, but different; Vulnerability Response specifically indicates responding to reports of product vulnerabilities, usually via the CVD process, whereas Incident Response is more general and can also include other security events such as network intrusions." In our case, #1 and #2 and possibly #3 are "vulnerability response", while #4-5 are "incident response". Our proposal is geared towards "vulnerability response", although it can be used for both. I tried to add additional verbiage to the next draft to make that more clear. Thanks
- [saag] results of IETF LC for draft-foudil-securi… Benjamin Kaduk
- Re: [saag] results of IETF LC for draft-foudil-se… Michael Richardson
- Re: [saag] results of IETF LC for draft-foudil-se… Benjamin Kaduk
- Re: [saag] results of IETF LC for draft-foudil-se… Michael Richardson
- Re: [saag] results of IETF LC for draft-foudil-se… Benjamin Kaduk
- Re: [saag] results of IETF LC for draft-foudil-se… Michael Richardson
- Re: [saag] results of IETF LC for draft-foudil-se… Yakov Shafranovich
- Re: [saag] results of IETF LC for draft-foudil-se… Yakov Shafranovich
- Re: [saag] results of IETF LC for draft-foudil-se… Yakov Shafranovich
- Re: [saag] results of IETF LC for draft-foudil-se… Michael Richardson
- Re: [saag] results of IETF LC for draft-foudil-se… Benjamin Kaduk
- Re: [saag] results of IETF LC for draft-foudil-se… Yakov Shafranovich
- Re: [saag] results of IETF LC for draft-foudil-se… Benjamin Kaduk