Re: [secdir] [Last-Call] Secdir last call review of draft-foudil-securitytxt-08

Paul Wouters <paul@nohats.ca> Sat, 28 December 2019 16:56 UTC

From: Paul Wouters <paul@nohats.ca>
In-Reply-To: <760F7FE4-B10B-42FA-B3FF-0F73BEFEC953@akamai.com>
Date: Sat, 28 Dec 2019 11:56:36 -0500
Cc: Tero Kivinen <kivinen@iki.fi>, Yakov Shafranovich <yakov@nightwatchcybersecurity.com>, "last-call@ietf.org" <last-call@ietf.org>, "draft-foudil-securitytxt.all@ietf.org" <draft-foudil-securitytxt.all@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Message-Id: <F73568E4-2AD0-4C9F-AD03-EBA831D569AB@nohats.ca>
References: <157720267698.19361.11750709876624228448@ietfa.amsl.com> <CAAyEnSOx-MH0Ua6o9j-zMKwLktvYGXzBUw1ZkuO49BWD+1yxRQ@mail.gmail.com> <24070.38156.658126.30539@fireball.acr.fi> <760F7FE4-B10B-42FA-B3FF-0F73BEFEC953@akamai.com>
To: "Salz, Rich" <rsalz@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/5l2Wdmj8m3qFBDWpdTvZL9qcokg>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-foudil-securitytxt-08

> On Dec 28, 2019, at 10:33, Salz, Rich <rsalz@akamai.com> wrote:
> 
> I don't understand the security concerns about "do not publish this."
> 
> It's protected by transport level security, and it's encouraged to use application-level signing.  It's machine readable, or easily parseable, and it makes it easier for people to report problems.  Do we have a problem with over-reportage?
> 
> Don't let the perfect be the enemy of the better.

We did that already with Whois/RDAP? It’s the non-perfect solution we have that is more secure than this alternative.

It’s not perfect, and RDAP is better than Whois for human plus machine readable.

Putting this information in the same realm you have a security issue with is just not a good idea for many reasons mentioned during the entire discussion of the document and the various last call comments.

We have more less-perfect solutions too. There is the web server error message contact info too. The DNS SOA record has a contact. The main web page usually has a “contact” place listing an email or web form. And we have postmaster@ and info@ and security@ email addresses that usually work. If anything, we already have too many non-perfect solutions out there and this proposal is really a perfect example of xkcd 927.

Paul