IETF Logo Mail Archive

Re: [secdir] [Last-Call] Secdir last call review of draft-foudil-securitytxt-08

Watson Ladd <watsonbladd@gmail.com> Sat, 28 December 2019 17:13 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 155D5120121; Sat, 28 Dec 2019 09:13:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id chkas4yzb42L; Sat, 28 Dec 2019 09:13:31 -0800 (PST)
Received: from mail-lj1-x236.google.com (mail-lj1-x236.google.com [IPv6:2a00:1450:4864:20::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A791F12011E; Sat, 28 Dec 2019 09:13:30 -0800 (PST)
Received: by mail-lj1-x236.google.com with SMTP id y4so15247266ljj.9; Sat, 28 Dec 2019 09:13:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=TEGI8o6aS1VnvF4ZuZg3ZaIpmf7uQXfEu/oyKSL7mcY=; b=BgO19r1EtfzATzRfC1pMlCg00BOMSIH9ijwr9VPS6CwtTa1XqQ27ucK/vFy55B5ptg a1fbbkKnf90LLmKbyqzblYBn8Kcpy5d+cgMxN66Dz4WQ+nS9ng05dhk+p2PnJaThpVIF FYlF6LHczR7vm+RJLYSBZa+NJGnfUW2kt/AR/IC2QMN6T/6qaFwW1xmNKJEeoLMLBOZ+ cIBXUcnShQZRqacRKHsN3bBGaTww2olAwZS3X92lE3dzkd2EE4sM4tQsBB6ScSNf2RKs cwrE08DNnWdazYZqctWPnT3Vmb47VSvGBPmp2EG4sGI42uiHW+uVVAOMXS3a6Pgpn2/3 OtXA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=TEGI8o6aS1VnvF4ZuZg3ZaIpmf7uQXfEu/oyKSL7mcY=; b=S8LpdlCT+5pEszYzts+YAyMkTP6k2ws3ETovindwE3gMiiAyoCcIF4bfW5XNlnNr9w HvjZfoRuY+LhxcObZqWuEOAjRr6gplVoUdPbS2hvKsNDnnZ+pTHVOT+DHmJx2IiwXgaq a7LM15rjdLkpbmIZ/iCIfPD4bwLY0jEMi2f1vKHsjOAn+ZGpteS14m0ewO63gq3rCqpG I1gfwJFNP1dCrXi3kNf4RrR16UASJjCRpsfuB8/fcSZgdOOpbkz2ckv6qwdsvXF2QTb5 DCCy7YT+TZdhrCrD2n82M+T2gjabf5KsJvR/nEBhUBllIHP9MMK7Ztp/M6U1XjgF8mee JLXw==
X-Gm-Message-State: APjAAAU8HFvEIAbaMidWiHz7LlwQRQ6OXyV2aTXynG70DJ3KkMFbmkRe OYKnivIvo3ZfEGb0hjYAp0xe9xsqytJgwQZQXMNVfXHq
X-Google-Smtp-Source: APXvYqxsVoUPCMgLTWwG/uDjJ7JPgJDttzHOn+/D04RUQHwn9J10hbBi19gxU01iC0DjTY0JAW8sawMYiPsFUX/8V2k=
X-Received: by 2002:a2e:9f47:: with SMTP id v7mr10969469ljk.124.1577553208933; Sat, 28 Dec 2019 09:13:28 -0800 (PST)
MIME-Version: 1.0
References: <157720267698.19361.11750709876624228448@ietfa.amsl.com> <CAAyEnSOx-MH0Ua6o9j-zMKwLktvYGXzBUw1ZkuO49BWD+1yxRQ@mail.gmail.com> <24070.38156.658126.30539@fireball.acr.fi> <760F7FE4-B10B-42FA-B3FF-0F73BEFEC953@akamai.com> <F73568E4-2AD0-4C9F-AD03-EBA831D569AB@nohats.ca>
In-Reply-To: <F73568E4-2AD0-4C9F-AD03-EBA831D569AB@nohats.ca>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Sat, 28 Dec 2019 09:13:17 -0800
Message-ID: <CACsn0c=KkDzwXYMzWW88_OcX8GpJ92e3yrXeWR=v0SdQRYzxFQ@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: "Salz, Rich" <rsalz@akamai.com>, "last-call@ietf.org" <last-call@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, Yakov Shafranovich <yakov@nightwatchcybersecurity.com>, "draft-foudil-securitytxt.all@ietf.org" <draft-foudil-securitytxt.all@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a203da059ac6ba3f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/JxdXEgcfX7MmsmFODjRoBRgAhX8>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-foudil-securitytxt-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Dec 2019 17:13:33 -0000

On Sat, Dec 28, 2019 at 8:56 AM Paul Wouters <paul@nohats.ca> wrote:

>
>
> > On Dec 28, 2019, at 10:33, Salz, Rich <rsalz@akamai.com> wrote:
> >
> > I don't understand the security concerns about "do not publish this."
> >
> > It's protected by transport level security, and it's encouraged to use
> application-level signing.  It's machine readable, or easily parseable, and
> it makes it easier for people to report problems.  Do we have a problem
> with over-reportage?
> >
> > Don't let the perfect be the enemy of the better.
>
> We did that already with Whois/RDAP ? It’s the non-perfect solution we
> have that is more secure than this alternative.
>
> It’s not perfect, and rdap is better than Whois for human plus machine
> readable.
>
> Putting this information in the same realm you have a security issue with
> is just not a good idea for many reasons mentioned during the entire
> discussion of the document and the various last call comments.
>

Most vulnerabilities will not get access to this file. Stuff like SQL
injection, CSRF, XSS, etc.

>
> We have more less-perfect solutions too. There is the web server error
> message contact info too. The DNS SOA record has a contact. The main web
> page usually has a “contact” place listing an email or web form. And we
> have postmaster@ and info@ and security@ email address that usually work.
> If anything, we already have too many non-perfect solutions out there and
> this proposal is really a perfect example of xkcd 927.
>

The reason this draft was made is those methods don't work. DNS SOA and
website contact can go the wrong places in an organization. info@ and
security@ aren't universal, and after that you're left being psychic. We
are seeing new solutions to serious problems, and the response is "No, it
isn't a problem" when the proposed solutions offer far less information.
You're also assuming that another place to put information is a bad thing,
and a possible heads up to a hypothetical attacker is worse then no
notification.

Right now the standard is begging on twitter for a chain of introductions.
We should be able to do better.


> Paul
> _______________________________________________
> secdir mailing list
> secdir@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir
> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
>


-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.

v2.23.0 | Report a Bug | By Email