Re: [saag] Comments on draft-foudil-securitytxt-04

"Salz, Rich" <rsalz@akamai.com> Mon, 07 January 2019 13:22 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: Paul Wouters <pwouters@redhat.com>, Mark O <Mark.O=40ncsc.gov.uk@dmarc.ietf.org>, "saag@ietf.org" <saag@ietf.org>
Date: Mon, 07 Jan 2019 13:22:50 +0000
Message-ID: <13AA6D29-CC99-49B6-A671-BFD0E407C507@akamai.com>
References: <MMXP123MB1423DD96BF73BBAE4AEAE121D3BE0@MMXP123MB1423.GBRP123.PROD.OUTLOOK.COM> <CAAyEnSOe3W5CZwajXk9qZk8vtiHC8P2AUOeP9atpr_6ZJtoLBw@mail.gmail.com> <LOXP123MB141659AE0F5B8D514A8F4CB5D3B20@LOXP123MB1416.GBRP123.PROD.OUTLOOK.COM> <48E913F3-59C7-4ED3-B742-CDE033453FBB@akamai.com> <ac942953-9820-c041-6f6c-726ef224e7d8@redhat.com>
In-Reply-To: <ac942953-9820-c041-6f6c-726ef224e7d8@redhat.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/itxR8cHyU89VAQXich8Br5PRnVQ>
Subject: Re: [saag] Comments on draft-foudil-securitytxt-04

> Whether it uses TLS or not is completely irrelevant. The security contact is supposed to be easy to find public information. What attack is forcing the use of
> TLS supposed to prevent? The server is already compromised (hence the need for the info) so it is easier to modify the source than modify it in transit.

You are assuming that all notifications are equivalent and that they are all of the "you are completely broken" nature.  I am not.