Re: [saag] Comments on draft-foudil-securitytxt-04

Randy Bush <randy@psg.com> Tue, 08 January 2019 06:05 UTC

Return-Path: <randy@psg.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08D481310F7 for <saag@ietfa.amsl.com>; Mon, 7 Jan 2019 22:05:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zJFRYcWei8ny for <saag@ietfa.amsl.com>; Mon, 7 Jan 2019 22:05:21 -0800 (PST)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C3C911310F4 for <saag@ietf.org>; Mon, 7 Jan 2019 22:05:21 -0800 (PST)
Received: from localhost ([127.0.0.1] helo=ryuu.rg.net) by ran.psg.com with esmtp (Exim 4.90_1) (envelope-from <randy@psg.com>) id 1ggkVp-0001fI-SC; Tue, 08 Jan 2019 06:05:18 +0000
Date: Mon, 07 Jan 2019 22:05:17 -0800
Message-ID: <m21s5nofaa.wl-randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Yakov Shafranovich <yakov@nightwatchcybersecurity.com>
Cc: Tim Hollebeek <tim.hollebeek@digicert.com>, "saag@ietf.org" <saag@ietf.org>
In-Reply-To: <CAAyEnSP4iu3aN2KaXsZafTjWw=X6oiyd44a5bzpaAupLGCRJzQ@mail.gmail.com>
References: <MMXP123MB1423DD96BF73BBAE4AEAE121D3BE0@MMXP123MB1423.GBRP123.PROD.OUTLOOK.COM> <CAAyEnSOe3W5CZwajXk9qZk8vtiHC8P2AUOeP9atpr_6ZJtoLBw@mail.gmail.com> <LOXP123MB141659AE0F5B8D514A8F4CB5D3B20@LOXP123MB1416.GBRP123.PROD.OUTLOOK.COM> <48E913F3-59C7-4ED3-B742-CDE033453FBB@akamai.com> <ac942953-9820-c041-6f6c-726ef224e7d8@redhat.com> <13AA6D29-CC99-49B6-A671-BFD0E407C507@akamai.com> <2C5F7D9D-47A2-4665-9DC8-58C01A93351E@gmail.com> <m2zhscnw6c.wl-randy@psg.com> <BN6PR14MB11062151603BBCA7D5EBEC7783890@BN6PR14MB1106.namprd14.prod.outlook.com> <CAAyEnSP4iu3aN2KaXsZafTjWw=X6oiyd44a5bzpaAupLGCRJzQ@mail.gmail.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/25.3 Mule/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/i5QL-WvzS7oLa9WYI_-mRv0Po_U>
Subject: Re: [saag] Comments on draft-foudil-securitytxt-04
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jan 2019 06:05:23 -0000

> This proposal is addressing item #3 - all it is providing is a simple
> way for an organization to publish a security reporting policy on
> their website in a standard, machine-parsable way, and stored in a
> standard location. It is certainly not claiming to be more secure than
> that approach, but at the same time it is not less secure than publishing
> this information on a website directly like it is done today.

https is pretty widely deployed.  most of the searches you enumerated
are tls protected today.  this proposal goes against that for no good
reason.  if this is not fixed, on last call i will stand with tim and
just shoot the damned horse.

randy