IETF Logo Mail Archive

Re: [saag] Last Call: <draft-foudil-securitytxt-08.txt> (A Method for Web Security Policies) to Informational RFC

Carsten Bormann <cabo@tzi.org> Sun, 29 December 2019 08:07 UTC

Return-Path: <cabo@tzi.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94F80120090; Sun, 29 Dec 2019 00:07:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3GK3bXYNe0Kt; Sun, 29 Dec 2019 00:07:16 -0800 (PST)
Received: from gabriel-vm-2.zfn.uni-bremen.de (gabriel-vm-2.zfn.uni-bremen.de [134.102.50.17]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20FFD12004E; Sun, 29 Dec 2019 00:07:16 -0800 (PST)
Received: from client-0034.vpn.uni-bremen.de (client-0034.vpn.uni-bremen.de [134.102.107.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by gabriel-vm-2.zfn.uni-bremen.de (Postfix) with ESMTPSA id 47ltSy0hLNz16pj; Sun, 29 Dec 2019 09:07:14 +0100 (CET)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <6.2.5.6.2.20191228083545.0bcd8a78@elandnews.com>
Date: Sun, 29 Dec 2019 09:07:13 +0100
Cc: saag@ietf.org, draft-foudil-securitytxt@ietf.org
X-Mao-Original-Outgoing-Id: 599299631.5562249-685185c6490a10db3d393e1b0e1f9de3
Content-Transfer-Encoding: quoted-printable
Message-Id: <A12F9824-F99F-4044-A1D1-2833F44F237A@tzi.org>
References: <157591314890.2123.12378772921757205119.idtracker@ietfa.amsl.com> <6.2.5.6.2.20191228083545.0bcd8a78@elandnews.com>
To: S Moonesamy <sm+ietf@elandsys.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/d9lu-1MQK6LahovGQxi0-VAeUEI>
Subject: Re: [saag] Last Call: <draft-foudil-securitytxt-08.txt> (A Method for Web Security Policies) to Informational RFC
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Dec 2019 08:07:20 -0000

On Dec 28, 2019, at 18:58, S Moonesamy <sm+ietf@elandsys.com> wrote:
> 
> Have the authors considered line limits given that the specification defines a machine-parsable format?

Don’t do that (putting in artificial limitations into a new spec can sometimes be faintly legitimized by legacy considerations, such as in MIME 8bit, but usually only has negative consequences).

> Why does the robustness principle require capital letters? (Section 4)?

I don’t see a reference to RFC 1123 there.  I think the BCP14 language in that section is justified, with the possible exception of

   Any directives registered
   via that process MUST be considered optional.

(What?  Considered by whom?  What does “considered optional” actually mean?  Does “that process” include the directives registered by the proposed document?)

.oOo.

Obviously, I’m not a fan of standardizing yet another ad-hoc parser, but this may be legitimized here by legacy considerations.  (I believe the CRLF handling is appropriate.) I also see the problems with staleness and verification.
I think requiring a mandatory expiration date in every security.txt could help a bit with the staleness issue.

I also believe this text need some good reread.  E.g., the following two sentences lead to obvious nonsense: »   This text file contains multiple directives with different values.
   The "directive" is the first part of a field all the way up to the
   colon ("Contact:") and follows the syntax defined for "field-name" in
   section 3.6.8 of [RFC5322].  «
Do the values really need to be different?  Isn’t the file containing fields, not just the directives (which demonstrates that “directive” is a bad name for a directive name)?

Grüße, Carsten

v2.23.0 | Report a Bug | By Email