IETF Logo Mail Archive

Re: [saag] Comments on draft-foudil-securitytxt-04

Paul Wouters <pwouters@redhat.com> Wed, 09 January 2019 00:57 UTC

Return-Path: <pwouters@redhat.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD9FF131207 for <saag@ietfa.amsl.com>; Tue, 8 Jan 2019 16:57:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gaFwyuTG9jPF for <saag@ietfa.amsl.com>; Tue, 8 Jan 2019 16:57:20 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B26F12D4ED for <saag@ietf.org>; Tue, 8 Jan 2019 16:57:20 -0800 (PST)
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 6F74D89AC6; Wed, 9 Jan 2019 00:57:19 +0000 (UTC)
Received: from bofh7.nohats.ca (ovpn-204-54.brq.redhat.com [10.40.204.54]) by smtp.corp.redhat.com (Postfix) with ESMTP id D9EC65D762; Wed, 9 Jan 2019 00:57:17 +0000 (UTC)
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "Salz, Rich" <rsalz@akamai.com>
Cc: Mark O <Mark.O=40ncsc.gov.uk@dmarc.ietf.org>, "saag@ietf.org" <saag@ietf.org>
References: <MMXP123MB1423DD96BF73BBAE4AEAE121D3BE0@MMXP123MB1423.GBRP123.PROD.OUTLOOK.COM> <CAAyEnSOe3W5CZwajXk9qZk8vtiHC8P2AUOeP9atpr_6ZJtoLBw@mail.gmail.com> <LOXP123MB141659AE0F5B8D514A8F4CB5D3B20@LOXP123MB1416.GBRP123.PROD.OUTLOOK.COM> <48E913F3-59C7-4ED3-B742-CDE033453FBB@akamai.com> <ac942953-9820-c041-6f6c-726ef224e7d8@redhat.com> <13AA6D29-CC99-49B6-A671-BFD0E407C507@akamai.com> <2C5F7D9D-47A2-4665-9DC8-58C01A93351E@gmail.com>
From: Paul Wouters <pwouters@redhat.com>
Openpgp: preference=signencrypt
Message-ID: <f181cca2-9be8-5f45-f78a-cf8ea6beb825@redhat.com>
Date: Tue, 08 Jan 2019 19:57:16 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <2C5F7D9D-47A2-4665-9DC8-58C01A93351E@gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.26]); Wed, 09 Jan 2019 00:57:19 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/RXP_zxpQtS-pfEEWOEImUtWV--o>
Subject: Re: [saag] Comments on draft-foudil-securitytxt-04
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jan 2019 00:57:22 -0000

On 01/07/2019 09:20 AM, Kathleen Moriarty wrote:

> FIRST lists lack of contact information as one of the top 3 challenges of incident responders still.  This and other methods of making contact information accessible could be quite helpful in reducing the number of compromised systems overall.

I do see value in a domain-wide standardized location for this information, whether it is example.com/.well-known/security.txt or security.example.com or a TXT
record in _security.example.com.

That still runs the risk of getting compromised, but that risk is far lowed than a security contact per resource in the organization, and even something the
organization can monitor for.

This of course immediately runs into the problem "what is a separate administrative domain" (aka the public suffix problem)

I think random web servers each with a security.txt will result in mostly bad, outdated or malicious information. People lose track of their VMs, their metal
servers, or even racks of servers. They won't be able to maintain a list of servers or images with updated security information.

And this of course immediately runs into the problem what is a separate administrative domain (aka the public suffix problem)

And I don't agree with you on the "something is better than nothing" argument. We already have the SOA record and the whois output and the HTTP contact email,
so why would adding another one work better than the ones we already tried before?

Put something machine readable in RDAP. It's designed for that. It already properly delegates domains across administrative boundaries. Add a trivial command
line tool to query the security information for a domain (that automatically handles cutting prefixes until it gets the right zone cut, so you can just feed it
the hostname or IP address you want to report on)

Paul

v2.23.0 | Report a Bug | By Email