Re: [saag] Comments on draft-foudil-securitytxt-04

Yakov Shafranovich <yakov@nightwatchcybersecurity.com> Wed, 09 January 2019 02:02 UTC

References: <MMXP123MB1423DD96BF73BBAE4AEAE121D3BE0@MMXP123MB1423.GBRP123.PROD.OUTLOOK.COM> <CAAyEnSOe3W5CZwajXk9qZk8vtiHC8P2AUOeP9atpr_6ZJtoLBw@mail.gmail.com> <LOXP123MB141659AE0F5B8D514A8F4CB5D3B20@LOXP123MB1416.GBRP123.PROD.OUTLOOK.COM> <48E913F3-59C7-4ED3-B742-CDE033453FBB@akamai.com> <ac942953-9820-c041-6f6c-726ef224e7d8@redhat.com> <13AA6D29-CC99-49B6-A671-BFD0E407C507@akamai.com> <2C5F7D9D-47A2-4665-9DC8-58C01A93351E@gmail.com> <m2zhscnw6c.wl-randy@psg.com> <BN6PR14MB11062151603BBCA7D5EBEC7783890@BN6PR14MB1106.namprd14.prod.outlook.com> <CAAyEnSP4iu3aN2KaXsZafTjWw=X6oiyd44a5bzpaAupLGCRJzQ@mail.gmail.com> <m21s5nofaa.wl-randy@psg.com> <1f05cbe4-7f06-3e7b-aaf3-f8cf71f6f392@redhat.com>
In-Reply-To: <1f05cbe4-7f06-3e7b-aaf3-f8cf71f6f392@redhat.com>
From: Yakov Shafranovich <yakov@nightwatchcybersecurity.com>
Date: Tue, 08 Jan 2019 21:01:40 -0500
Message-ID: <CAAyEnSNj3CfxBMjFKnLZm2Jnac=P81x=+SsY171ATEMaj_2euQ@mail.gmail.com>
To: Paul Wouters <pwouters@redhat.com>
Cc: "saag@ietf.org" <saag@ietf.org>, Ed Overflow <contact@edoverflow.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/zl7ZFk4esY-O-q6qHLgErVThvbE>

On Tue, Jan 8, 2019 at 7:39 PM Paul Wouters <pwouters@redhat.com> wrote:
...
> If http://example.com is compromised, and you grab http://example.com/security.txt,
> then whether the content of security.txt points to an HTTP or HTTPS resource is
> meaningless.

I want to clarify one point that Ed Foudil discussed with me: are we
assuming that this proposal is intended for *vulnerability disclosure*
or for *incident response*? Specifically, as per CERT's guide (section
1.2.8):
https://resources.sei.cmu.edu/asset_files/SpecialReport/2017_003_001_503340.pdf

"Sometimes the term “Incident Response” is used synonymously with
Vulnerability Response. These two concepts are related, but different;
Vulnerability Response specifically indicates responding to reports of
product vulnerabilities, usually via the CVD process, whereas Incident
Response is more general and can also include other security events
such as network intrusions."

This proposal originates from the security research community and is
geared towards vulnerability disclosure, and not necessarily things
like reporting an active compromise - although it can be used for that
purpose. Perhaps that's where the disconnect is.

Yakov
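The point Paul makes in the quoted text (once the file itself arrives over a compromised or plaintext channel, the scheme of the URIs inside it no longer matters) is easy to encode as a check. The following is an added illustration for this thread, not code from the draft, its authors, or any implementation they ship. It assumes only the "Field: value" line format with "#" comments and case-insensitive field names, and the policy it enforces (flag the whole file when it was not fetched over HTTPS, and flag http: URIs in Contact and Encryption) is this example's own choice rather than a requirement quoted from draft-04. The sample file is constructed.

```python
"""Parse a security.txt body and audit the transport of the URIs it names.

Added example for the security.txt thread; not the draft's own code.
Assumptions: "Field: value" lines, "#" comments, blank lines ignored,
field names compared case-insensitively. The checks in audit() are this
example's policy, not text taken from the draft.
"""
from urllib.parse import urlsplit

# Constructed sample security.txt; not from any real site.
SAMPLE = """\
# Example security.txt (constructed for this example)
Contact: mailto:security@example.com
Contact: http://example.com/report
Encryption: https://example.com/pgp-key.txt
"""

# Fields whose values are URIs we want to inspect (assumption for this example).
URI_FIELDS = ("contact", "encryption")


def parse_security_txt(text):
    """Return {field_name_lower: [values...]}, preserving value order."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            continue  # malformed line: ignore rather than guess at intent
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def audit(fields, fetched_over_https):
    """Return a list of findings; an empty list means no concerns raised."""
    findings = []
    if not fetched_over_https:
        # If the file itself came over plain HTTP (or from a compromised host),
        # nothing in it can be trusted, whatever schemes the URIs inside use.
        findings.append("security.txt fetched over HTTP: contents are untrustworthy")
    if "contact" not in fields:
        findings.append("no Contact field present")
    for field in URI_FIELDS:
        for value in fields.get(field, []):
            scheme = urlsplit(value).scheme.lower()
            if scheme == "http":
                findings.append(f"{field}: plaintext URI {value}")
    return findings


if __name__ == "__main__":
    parsed = parse_security_txt(SAMPLE)
    for finding in audit(parsed, fetched_over_https=True):
        print(finding)
```

Run with the file fetched over HTTPS and only the plaintext Contact URI is reported; pass fetched_over_https=False and the first finding is about the file itself, which is the case where the per-URI results should not be relied on at all.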