Re: [Secdispatch] Review of draft-foudil-securitytxt
Yakov Shafranovich <yakov@nightwatchcybersecurity.com> Mon, 23 July 2018 21:05 UTC
Return-Path: <yakov@nightwatchcybersecurity.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E9A1130E73 for <secdispatch@ietfa.amsl.com>; Mon, 23 Jul 2018 14:05:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NORMAL_HTTP_TO_IP=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nightwatchcybersecurity-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TNalLk1aR9us for <secdispatch@ietfa.amsl.com>; Mon, 23 Jul 2018 14:05:26 -0700 (PDT)
Received: from mail-pg1-x534.google.com (mail-pg1-x534.google.com [IPv6:2607:f8b0:4864:20::534]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D999130E2D for <secdispatch@ietf.org>; Mon, 23 Jul 2018 14:05:26 -0700 (PDT)
Received: by mail-pg1-x534.google.com with SMTP id r1-v6so1225548pgp.11 for <secdispatch@ietf.org>; Mon, 23 Jul 2018 14:05:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nightwatchcybersecurity-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=WBBbjlLx9kRh7Xj3YHO1reGhLM5TRzeGm/Kegwourzk=; b=KSxP7FvMNi/tMenRrYuPdsQFZsbett/q+4zcQSCmCe1OfmzMaLCL2nM2G88PqLyi3h yjxkkKIkY9GksPu9HSmYH7g4UL7dXBagnH4jGdYKpypo8EcDMmQRQRODjOtx7Qr+xuCr Jg2pXxQIPgqOs4+71yFOyVykiV3v5GZ/SnrAl7Yxl0xMFWAi0LznF/GrNX1gw2OLUQ3k 1NwFUG1Pc0O2+ZPCKdkIfQ/F6iWDwkiQFwz13sHWppCchEs5ljEdljUbI8HrUcrv4hRq /OwmGe67jJv1XBd+f/kbzaI7M9L+LOIFqv6ctLN83vlzoxyYnEjxdQxGCPl9/IJenwqM 1u1Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=WBBbjlLx9kRh7Xj3YHO1reGhLM5TRzeGm/Kegwourzk=; b=CH2jMfN5CA/2rbMt13VcS3F7PQmoCVuRxmMHlkkY3ZrNRqjinKdeCioXo6RkIda4WN LL/ucruLLv2547Yfky9xt2T6TUEtK2YAYFxmrAgmhgVWhTr91otyLrlSc13hJwac7+O5 CQoQpdmBucZ8tWglQGgJAjQ9C04KESsW0U7FVBz9yCWf9NOT8aID2JC43+NuRQdMnBTr vjYoCMFfKZPch9eGJnn9H7Bwoe0ox50wGJsYnklB1jFKDedcHloORrvDj0KfVqHvuFJw f8jg0+mmrKdmF4Rg7GiJTY8ve0cky65Ei7kln58poEbLyBREVloqdLZTXBmuc6s7CAip Qqeg==
X-Gm-Message-State: AOUpUlEQ0dZz49kHONMQH2E6fx4lgL9PajRuOdOHdvjNTcNpRObPslRM 13Pee9kX5TlJkWulrWlxEAELeQUnytEdU7c53MmVwuFPQpNkqA==
X-Google-Smtp-Source: AAOMgpd7ZAE1Tka/tcPkkryMglvMSvvqhP1VzW3l15ESXZPD9ThPejJW1kMsLyVSzNdU7twJKhiKVDNDn/EJURFFKFY=
X-Received: by 2002:a63:7d7:: with SMTP id 206-v6mr13626366pgh.137.1532379925785; Mon, 23 Jul 2018 14:05:25 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a17:90a:ae18:0:0:0:0 with HTTP; Mon, 23 Jul 2018 14:04:45 -0700 (PDT)
In-Reply-To: <CAHbuEH5a3t4bvnaTQ+iwn+uCimQkNtCJ3HCMrY-ZMUi4Cpb_pA@mail.gmail.com>
References: <CAHbuEH5a3t4bvnaTQ+iwn+uCimQkNtCJ3HCMrY-ZMUi4Cpb_pA@mail.gmail.com>
From: Yakov Shafranovich <yakov@nightwatchcybersecurity.com>
Date: Mon, 23 Jul 2018 17:04:45 -0400
Message-ID: <CAAyEnSNCxMkTMnuLd0+w16m1YkbnB6RjCqw5BH3pm5kS=t2QpQ@mail.gmail.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Cc: IETF SecDispatch <secdispatch@ietf.org>, Ed Overflow <contact@edoverflow.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/JModaV7E0ZBCYiMG1oiETtlbNqQ>
Subject: Re: [Secdispatch] Review of draft-foudil-securitytxt
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jul 2018 21:05:31 -0000
Hi Kathleen, Thank you for volunteering to review our document. It is very much appreciated. On Mon, Jul 23, 2018 at 12:09 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote: ... > > Section 3: > > I'd prefer to see that TLS is required in with the statement: > the instructions MUST be accessible via the Hypertext > Transfer Protocol [RFC1945] as a resource of Internet Media Type > "text/plain" with the default charset parameter set to "utf-8" per > section 4.1.3 of [RFC2046]. > > And since that's really hard to enforce, I think using RECOMMENDED at a > minimum here and in many of the places SHOULD appears in the document would > be better. I know the meaning is similar, but I think it sounds a bit > stronger. > Because it is hard to enforce, we choose SHOULD in some places. I don't see an issue with changing that language to RECOMMENDED and opened an issue to track this and other recommendations: https://github.com/securitytxt/security-txt/issues/118 > > It looks like it is permissible to retrieve the file using HTTP only from > examples. This has probably been discussed, but I am curious as to the > reasons. > I assume you are referring to section 3.1 (in the -04) draft: # This security.txt file applies to IPv4 address of 192.0.2.0. http://192.0.2.0/.well-known/security.txt # This security.txt file applies to IPv6 address of 2001:db8:8:4::2. http://[2001:db8:8:4::2]/.well-known/security.txt It is probably an oversight due to the fact that it is not clear if SSL certificates can be issued for IP addresses, although I see that CloudFlare got one for "https://1.1.1.1" using a Subject Alternative Name (SAN). LetsEncrypt however, doesn't allow them: https://community.letsencrypt.org/t/certificate-for-public-ip-without-domain-name/6082/82 We can probably change to "https", and if someone is unable to get an SSL cert, they will end up using "http". > Section 3.8 seems odd as most would look to a companies job listings rather > than use this as a source for information that should be timely. The > vulnerability disclosure procedures are likely to be static for long periods > of time and hiring isn't necessarily. > When the initial adoption of our proposal started among larger companies, some of them added this field as a way to attract security researchers to work for them. This was added to the draft in order to document that usage, even though it was somewhat unorthodox. > 4.3. Internal hosts READS: > > A .security.txt file SHOULD be placed in the root directory of an > internal host to trigger incident response. > > The .security.txt doesn't trigger the response, but rather provides > information on the steps for disclosure with the organization, correct? > We will re-word this. In the discussions around the earlier drafts there was some mention about scope and IR may have been included, but certainly in the current version and going forward, the scope is disclosure only. Thank you
- [Secdispatch] Review of draft-foudil-securitytxt Kathleen Moriarty
- Re: [Secdispatch] Review of draft-foudil-security… Yakov Shafranovich
- Re: [Secdispatch] Review of draft-foudil-security… Kathleen Moriarty