Re: [saag] Comments on draft-foudil-securitytxt-04

Tim Hollebeek <tim.hollebeek@digicert.com> Mon, 07 January 2019 23:06 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Randy Bush <randy@psg.com>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
CC: Mark O <Mark.O=40ncsc.gov.uk@dmarc.ietf.org>, "saag@ietf.org" <saag@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/fH9p6ticJUHZ_mKnK11Wtu5WWks>

I agree that better security contact information is an important problem and
an admirable goal.

And I agree that there are some threat scenarios where security.txt might
not be compromised and would be able to be relied upon.

However, there are also many where it would not be wise to rely upon it,
especially early in an investigation where the true extent of the compromise
or security issue may be unknown.  And I'm sure that the information would
inevitably end up being used by many people who lack the sophistication to
make a reasonable decision about the likelihood of the information being
trustworthy.

For that reason, I tend to think that security.txt is a rather nasty
footgun, and quite likely to make the situation worse instead of better.  I
think time is better spent discussing better solutions to the problem.

-Tim

> -----Original Message-----
> From: saag <saag-bounces@ietf.org> On Behalf Of Randy Bush
> Sent: Monday, January 7, 2019 11:46 AM
> To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
> Cc: Mark O <Mark.O=40ncsc.gov.uk@dmarc.ietf.org>; saag@ietf.org
> Subject: Re: [saag] Comments on draft-foudil-securitytxt-04
> 
> > FIRST lists lack of contact information as one of the top 3 challenges
> > of incident responders still.  This and other methods of making
> > contact information accessible could be quite helpful in reducing the
> > number of compromised systems overall.
> 
> strongly agree that improving contact and associated information is a
> forever goal, and one we could take some steps on now.
> 
> but rich is right, doing so in a manner which could be trivially secured
> but isn't is pretty silly.
> 
> randy
> 