IETF Logo Mail Archive

Re: [saag] Last Call: <draft-foudil-securitytxt-08.txt> (A Method for Web Security Policies) to Informational RFC

Yakov Shafranovich <yakov@nightwatchcybersecurity.com> Tue, 31 December 2019 03:13 UTC

Return-Path: <yakov@nightwatchcybersecurity.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F1181200C1 for <saag@ietfa.amsl.com>; Mon, 30 Dec 2019 19:13:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nightwatchcybersecurity-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GxByRBIjN9xT for <saag@ietfa.amsl.com>; Mon, 30 Dec 2019 19:13:18 -0800 (PST)
Received: from mail-pf1-x443.google.com (mail-pf1-x443.google.com [IPv6:2607:f8b0:4864:20::443]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39A1812008F for <saag@ietf.org>; Mon, 30 Dec 2019 19:13:18 -0800 (PST)
Received: by mail-pf1-x443.google.com with SMTP id q8so19162537pfh.7 for <saag@ietf.org>; Mon, 30 Dec 2019 19:13:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nightwatchcybersecurity-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=rRmBg7hNH6iF5XKgQhrMXnCcaCp/LpNY2yHoPnUV6wA=; b=1++jwcgqUrso7gGZqXcQCMs/89Kk7/jvWLxyxVdSRsC/wopCEvbgevnEGV80Hnc8Xx QEURmdLEk+Qim2Pyng0fR1HWBfOHhm2Cu1ZxETnSXIjCG/Yq8PFlPnmHkoU2Z8YK8ukx lBc6VhbKH+hsrCA4+ypthgbWlAkzHwnahertPBzSwOxdz/0Sh9VZqPv1hd+mG1HLoLUH Yvt4paKoaPKywiGwjoLXHRoLoZce14hq+l+hABy914TYmqijEe9Vq87LArm9kLKoWVCY 0IUL4zDaAgch65l3B0kEwhwMCzmBOGJrJ+rj9QXQm8SB2b1/Fhui+qzV6Dd+nhQtxEke ZzWw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=rRmBg7hNH6iF5XKgQhrMXnCcaCp/LpNY2yHoPnUV6wA=; b=lZzgmp1T4lfvurXN+tdtBcERDv6rW7eXE3YL3sosAzWYbGRetZk8+z16IrfgKzezOW u+OlJsHsNnpLg2EyrOcNIPIqxonJpdZ5dvUmgkauQyvnAwfRbjbfTp728hsJ3AHSZc6N GW4iRXsZ5urqCgW4ob3GSuKj+RJXv8ZFNagjIYA0ZGY3uQipoDSgYLdh6Sko+5VH4wdY m5bRn9Z1FeHznQvizU7YDxsyq00gmjlZb6m/JtjWhtsA6Eb6U03ccQDyEVbm0ZRn0hu3 LTRIXFPmeVn93G7VQKg1eb/ezMvtogVItN3E0fQfWFCyDYJJ2Mm5JNapaJMcjYCB5Gev 34cA==
X-Gm-Message-State: APjAAAUxJsjINrMUghJY5qApm8Ewut7UWhcfJwJpYPiq607faJy4bPL1 V1MsJB9mUIu8biO554ohHSDyZaFHQnKVl2mEMLCZPSDdWmI=
X-Google-Smtp-Source: APXvYqxQw9iMnGSaVj+vCmSX07f5nha07IIplbuNxYYyPGtMInEyYu74kN7mQKyqqLC5nac/6zNRz5J2Ovlyn+YOx9U=
X-Received: by 2002:a63:954f:: with SMTP id t15mr74581985pgn.137.1577761997371; Mon, 30 Dec 2019 19:13:17 -0800 (PST)
MIME-Version: 1.0
References: <157591314890.2123.12378772921757205119.idtracker@ietfa.amsl.com> <6.2.5.6.2.20191228083545.0bcd8a78@elandnews.com> <A12F9824-F99F-4044-A1D1-2833F44F237A@tzi.org> <CAAyEnSPdD_k1vV64R1vM5UkxNcfyGEH_c9gN__0KGvi3Bs=WXA@mail.gmail.com>
In-Reply-To: <CAAyEnSPdD_k1vV64R1vM5UkxNcfyGEH_c9gN__0KGvi3Bs=WXA@mail.gmail.com>
From: Yakov Shafranovich <yakov@nightwatchcybersecurity.com>
Date: Mon, 30 Dec 2019 22:12:41 -0500
Message-ID: <CAAyEnSP9j6DcufA-bf_jtL1GeQ50YYc5gL=Gpuu+qjVQk3GeoQ@mail.gmail.com>
To: Security Area Advisory Group <saag@ietf.org>
Cc: last-call@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/amVzDpjqgWsLYSLIQdfn2kqCaug>
Subject: Re: [saag] Last Call: <draft-foudil-securitytxt-08.txt> (A Method for Web Security Policies) to Informational RFC
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Dec 2019 03:13:19 -0000

On Sun, Dec 29, 2019 at 3:07 AM Carsten Bormann <cabo@tzi.org> wrote:
> On Dec 28, 2019, at 18:58, S Moonesamy <sm+ietf@elandsys.com> wrote:
>
>    Any directives registered
>    via that process MUST be considered optional.
>
> (What?  Considered by whom?  What does “considered optional” actually mean?  Does “that process” include the directives registered by the proposed document?)
>

The concern was that once the draft is published, defining additional
required fields via the registry may lead to compatibility issues
between the people doing the publishing and the researchers parsing
the files. However, since the next sentence says that people
reading/parsing the file should ignore anything not supported, perhaps
this is not needed?

"To encourage extensibility and interoperability, implementers MUST
ignore any fields they do not explicitly support."

> .oOo.
>
> Obviously, I’m not a fan of standardizing yet another ad-hoc parser, but this may be legitimized here by legacy considerations.  (I believe the CRLF handling is appropriate.) I also see the problems with staleness and verification.
> I think requiring a mandatory expiration date in every security.txt could help a bit with the staleness issue.
>

That is a great idea, I am going to add an "Expires" field to the
draft and some language in the security section around that as well.

> I also believe this text need some good reread.  E.g., the following two sentences lead to obvious nonsense: »   This text file contains multiple directives with different values.
>    The "directive" is the first part of a field all the way up to the
>    colon ("Contact:") and follows the syntax defined for "field-name" in
>    section 3.6.8 of [RFC5322].  «
> Do the values really need to be different?  Isn’t the file containing fields, not just the directives (which demonstrates that “directive” is a bad name for a directive name)?
>

Will address this by calling them fields, names and values instead of directives

On Mon, Dec 30, 2019 at 10:10 PM Nightwatch Cybersecurity Research
<research@nightwatchcybersecurity.com> wrote:
>
> On Sun, Dec 29, 2019 at 3:07 AM Carsten Bormann <cabo@tzi.org> wrote:
> > On Dec 28, 2019, at 18:58, S Moonesamy <sm+ietf@elandsys.com> wrote:
> >
> >    Any directives registered
> >    via that process MUST be considered optional.
> >
> > (What?  Considered by whom?  What does “considered optional” actually mean?  Does “that process” include the directives registered by the proposed document?)
> >
>
> The concern was that once the draft is published, defining additional
> required fields via the registry may lead to compatibility issues
> between the people doing the publishing and the researchers parsing
> the files. However, since the next sentence says that people
> reading/parsing the file should ignore anything not supported, perhaps
> this is not needed?
>
> "To encourage extensibility and interoperability, implementers MUST
> ignore any fields they do not explicitly support."
>
> > .oOo.
> >
> > Obviously, I’m not a fan of standardizing yet another ad-hoc parser, but this may be legitimized here by legacy considerations.  (I believe the CRLF handling is appropriate.) I also see the problems with staleness and verification.
> > I think requiring a mandatory expiration date in every security.txt could help a bit with the staleness issue.
> >
>
> That is a great idea, I am going to add an "Expires" field to the
> draft and some language in the security section around that as well.
>
> > I also believe this text need some good reread.  E.g., the following two sentences lead to obvious nonsense: »   This text file contains multiple directives with different values.
> >    The "directive" is the first part of a field all the way up to the
> >    colon ("Contact:") and follows the syntax defined for "field-name" in
> >    section 3.6.8 of [RFC5322].  «
> > Do the values really need to be different?  Isn’t the file containing fields, not just the directives (which demonstrates that “directive” is a bad name for a directive name)?
> >
>
> Will address this by calling them fields, names and values instead of directives

v2.23.0 | Report a Bug | By Email