IETF Logo Mail Archive

Re: [saag] results of IETF LC for draft-foudil-securitytxt-08 and next steps

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 03 July 2020 06:33 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 725EC3A0D20; Thu, 2 Jul 2020 23:33:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TbeX4H5jSSol; Thu, 2 Jul 2020 23:33:02 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8E963A0D21; Thu, 2 Jul 2020 23:33:00 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 0262E389D6; Fri, 3 Jul 2020 02:30:10 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id jIfI6EHrdwsJ; Fri, 3 Jul 2020 02:30:09 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 04EAC389D5; Fri, 3 Jul 2020 02:30:09 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 2781A3DE; Fri, 3 Jul 2020 02:32:58 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Benjamin Kaduk <kaduk@mit.edu>
cc: draft-foudil-securitytxt@ietf.org, saag@ietf.org
In-Reply-To: <20200702222032.GG16335@kduck.mit.edu>
References: <20200630222455.GX58278@kduck.mit.edu> <12504.1593572624@localhost> <20200702034828.GB16335@kduck.mit.edu> <5953.1593706347@localhost> <20200702222032.GG16335@kduck.mit.edu>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Fri, 03 Jul 2020 02:32:58 -0400
Message-ID: <29760.1593757978@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/6i4S76BS3IdjLV3dywv2OMTModM>
Subject: Re: [saag] results of IETF LC for draft-foudil-securitytxt-08 and next steps
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jul 2020 06:33:05 -0000

Benjamin Kaduk <kaduk@mit.edu> wrote:
    >> >> My take:
    >> >> We can't get publically anchored certificates for devices without DNS names,
    >> >> such as those that might be found in your home on RFC1918 addresses.  The
    >> >> teddy cam can still have a securitytxt on it to report issues.
    >>
    >> > That seems pretty aligned with my best guess, involving cases where https
    >> > was not possible (whether because it's going via filesystem access and not
    >> > web, or the device only has an IP address and not a name, or whatever).
    >>
    >> Okay, but if the teddycam at 192.168.1.104, has a security.txt, then it can
    >> only apply for reporting vulnerabilities in *that* TeddyCam, since other
    >> Teddy Cams would be at different addresses, according to section 3.1.

    > Yes ... but any vulnerabilities in that one would also be expected to be
    > present in other instances of the same model, and if the contact point is
    > at the manufacturer, the manufacturer can do the right thing?
    > I feel like you have a downside in mind that I'm failing to spot...

If a security.txt applies *only* to the web resource where you found it,
then that means it doesn't generalize to the other instances of that device.
That sounds dumb, and it is, but that's what I'm reading in section 3.1

    >> >> > Michael Richardson noted that the scope of contact information is/can be
    >> >> > broader than just the website hosting the file -- e.g., it would be very
    >> >> > useful to have a discoverable way to report vulnerabilities in the products
    >> >> > produced by a company, not just the company's website.  It is probably worth
    >> >> > a mention that (or disclaimer against) the scope of use is potentially
    >> >> > broader than just the immediate website hosting the file.  (This seems
    >> >> > related to https://github.com/securitytxt/security-txt/issues/185 and might
    >> >> > result in some text in Section 3.1.)
    >> >>
    >> >> If the IETF *does not* want securitytxt used for reporting vulnerablities,
    >> >> then the IETF had better say so loudly VERY SOON, and probably communicate through
    >> >> liason to ETSI, IoTSF and UK NCSC about that... although EN 303 645 does not
    >> >> mention securitytxt by name, the (not-quite-finished, not released)
    >> >> educational material around it *does* mention it.
    >>
    >> > Indeed.  (That's not the sense I'm getting, though, luckily.)
    >>
    >> Please clarify... too many negatives to parse.

    > Sorry to be confusing.

    > I am seeing general support (in the rough consensus sense) in the IETF for
    > using securitytxt to report vulnerabilities, controversy about
    > reporting compromise or what precise scope it should have notwithstanding.

Good! We agree then.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email