Re: [secdir] [Last-Call] Secdir last call review of draft-foudil-securitytxt-08

Rob Sayre <sayrer@gmail.com> Tue, 31 December 2019 03:55 UTC


On Tue, Dec 24, 2019 at 7:51 AM Tero Kivinen via Datatracker <noreply@ietf.org> wrote:

> Reviewer: Tero Kivinen
> Review result: Has Issues
>
> This document describes a text file located on the web server which can be
> used to find the information on whom to contact in case there are security
> vulnerabilities that need to be disclosed.
>
> I think this whole idea is BAD, and I do not think we should be publishing
> this document at all in this format.
>

Yeah... I looked at:

https://tools.ietf.org/html/draft-foudil-securitytxt-08#section-6.7

"Organizations SHOULD weigh the advantages of publishing this file versus
the possible disadvantages and increased resources required to triage
security reports."

While the draft does spend some time describing the "Scope of the File", it
doesn't address attacks against other parties using phone numbers or emails
contained within the file.

For example, it seems possible to register free domain names under TLDs
like .xyz and .tk and then point phone numbers at unsuspecting parties.

thanks,
Rob
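As an added illustration of the third-party concern raised above (this is example code, not from the thread or the draft): a small Python checker that parses a security.txt body and flags Contact entries that cannot be tied back to the host that served the file. The sample file, the "same host or subdomain" rule and the verdict labels are assumptions constructed for this example; the draft itself mandates no such check.

```python
from urllib.parse import urlparse

# Constructed sample, as a site at example.com might serve /.well-known/security.txt.
SAMPLE = """\
# Constructed security.txt for example.com
Contact: mailto:security@example.com
Contact: mailto:helpdesk@unrelated-victim.example
Contact: tel:+1-555-0100
Contact: https://example.com/report
Preferred-Languages: en
"""

def parse_security_txt(body):
    """Return (field, value) pairs; comment and blank lines are skipped."""
    fields = []
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.append((name.strip(), value.strip()))
    return fields

def contact_host(uri):
    """Host a Contact URI points at, or None when it has no host to verify (e.g. tel:)."""
    parsed = urlparse(uri)
    if parsed.scheme == "mailto":
        return parsed.path.rpartition("@")[2].lower() or None
    if parsed.scheme in ("http", "https"):
        return parsed.hostname
    return None

def check_contacts(body, serving_host):
    """Classify each Contact as 'ok', 'third-party' or 'unverifiable' relative to
    the host that served the file (heuristic assumed for this example)."""
    serving_host = serving_host.lower()
    results = []
    for name, value in parse_security_txt(body):
        if name.lower() != "contact":
            continue
        host = contact_host(value)
        if host is None:
            verdict = "unverifiable"          # a phone number cannot be tied to the site
        elif host == serving_host or host.endswith("." + serving_host):
            verdict = "ok"                    # same site or a subdomain of it
        else:
            verdict = "third-party"           # points reporters at someone else
        results.append((value, verdict))
    return results

if __name__ == "__main__":
    for uri, verdict in check_contacts(SAMPLE, "example.com"):
        print(f"{verdict:13} {uri}")
```

A triage tool or reporter can use the "third-party" and "unverifiable" verdicts to ask for out-of-band confirmation before contacting anyone named in the file.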