IETF Logo Mail Archive

Re: [saag] results of IETF LC for draft-foudil-securitytxt-08 and next steps

Benjamin Kaduk <kaduk@mit.edu> Thu, 02 July 2020 22:20 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EAB73A0C34; Thu, 2 Jul 2020 15:20:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jof8ALagk1_J; Thu, 2 Jul 2020 15:20:38 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8500C3A0C33; Thu, 2 Jul 2020 15:20:37 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 062MKX7i024403 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 2 Jul 2020 18:20:35 -0400
Date: Thu, 02 Jul 2020 15:20:32 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: draft-foudil-securitytxt@ietf.org, saag@ietf.org
Message-ID: <20200702222032.GG16335@kduck.mit.edu>
References: <20200630222455.GX58278@kduck.mit.edu> <12504.1593572624@localhost> <20200702034828.GB16335@kduck.mit.edu> <5953.1593706347@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <5953.1593706347@localhost>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/TmPry_KlwKlFW-t0rS2465lH6oU>
Subject: Re: [saag] results of IETF LC for draft-foudil-securitytxt-08 and next steps
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jul 2020 22:20:40 -0000

On Thu, Jul 02, 2020 at 12:12:27PM -0400, Michael Richardson wrote:
> 
> Benjamin Kaduk <kaduk@mit.edu> wrote:
>     >> Benjamin Kaduk <kaduk@mit.edu> wrote:
>     >> > The topic of use for reporting compromise vs. vulnerability was raised by
>     >> > many reviewers, to the extent that it seems like it would be very
>     >> > challenging to craft text that would definitively convince the reader to not
>     >> > use the contents of the files for reporting cases of active compromise,
>     >>
>     >> When you say, "reporting compromise" do you think that reviewers/commenters
>     >> were limiting this to talking about reporting that example.com (where you
>     >> found security.txt) is compromised, or is it about any part of example.com?
> 
>     > My understanding is that that's what was so controversial, yes.  (Note that
>     > the draft is quite clear that https://example.com/.well-known/security.txt
>     > does not apply to *.example.com, and one of the points I'd like further
>     > clarifying text on is whether the file on the web is useful for non-web
>     > stuff.)
> 
> I believe that it is useful as a point of contact for all things related example.com.
> I don't understand limiting it the way that 3.1 says.
> It feels like this limitation is the result of some comment.
> I guess I would like to have a statement that either restricts the scope
> to where it is found, or not.  It might also be worth indicating if it is
> worth looking for subdomain.example.com/.well-known/security.txt or not.

The authors may remember better than I do, but I think this came up due to
corporate scenarios where division A and division B don't talk to each
other much, so a single corporate contact point/plan wouldn't work.

I also think it would be useful to have the web's /.well-known/security.txt
provide a contact point for non-web resources (such as physical devices),
but don't want to force my opinion on people if it's not the consensus.

>     > I think a lot of what we're hoping for relies on human judgment and not
>     > blindly trusting something without cause.  Call me an optimist, but I think
>     > there's at least some of that going around, and possibly even more than
>     > average if you limit to the "security researcher" community.
> 
> I agree with your optimism.
> 
>     >> My take:
>     >> We can't get publically anchored certificates for devices without DNS names,
>     >> such as those that might be found in your home on RFC1918 addresses.  The
>     >> teddy cam can still have a securitytxt on it to report issues.
> 
>     > That seems pretty aligned with my best guess, involving cases where https
>     > was not possible (whether because it's going via filesystem access and not
>     > web, or the device only has an IP address and not a name, or whatever).
> 
> Okay, but if the teddycam at 192.168.1.104, has a security.txt, then it can
> only apply for reporting vulnerabilities in *that* TeddyCam, since other
> Teddy Cams would be at different addresses, according to section 3.1.

Yes ... but any vulnerabilities in that one would also be expected to be
present in other instances of the same model, and if the contact point is
at the manufacturer, the manufacturer can do the right thing?
I feel like you have a downside in mind that I'm failing to spot...

>     >> > Michael Richardson noted that the scope of contact information is/can be
>     >> > broader than just the website hosting the file -- e.g., it would be very
>     >> > useful to have a discoverable way to report vulnerabilities in the products
>     >> > produced by a company, not just the company's website.  It is probably worth
>     >> > a mention that (or disclaimer against) the scope of use is potentially
>     >> > broader than just the immediate website hosting the file.  (This seems
>     >> > related to https://github.com/securitytxt/security-txt/issues/185 and might
>     >> > result in some text in Section 3.1.)
>     >>
>     >> If the IETF *does not* want securitytxt used for reporting vulnerablities,
>     >> then the IETF had better say so loudly VERY SOON, and probably communicate through
>     >> liason to ETSI, IoTSF and UK NCSC about that... although EN 303 645 does not
>     >> mention securitytxt by name, the (not-quite-finished, not released)
>     >> educational material around it *does* mention it.
> 
>     > Indeed.  (That's not the sense I'm getting, though, luckily.)
> 
> Please clarify... too many negatives to parse.

Sorry to be confusing.

I am seeing general support (in the rough consensus sense) in the IETF for
using securitytxt to report vulnerabilities, controversy about
reporting compromise or what precise scope it should have notwithstanding.

-Ben

v2.23.0 | Report a Bug | By Email