[Secdispatch] Review of draft-foudil-securitytxt

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Mon, 23 July 2018 16:10 UTC

From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Mon, 23 Jul 2018 12:09:57 -0400
To: IETF SecDispatch <secdispatch@ietf.org>
Message-ID: <CAHbuEH5a3t4bvnaTQ+iwn+uCimQkNtCJ3HCMrY-ZMUi4Cpb_pA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/PuXCH_C6-A74DQe3UzvDxGgDJIk>

Hello,

I have agreed to act as draft shepherd for
https://datatracker.ietf.org/doc/draft-foudil-securitytxt/?include_text=1.
As such, I did a review of the draft and have some questions.  Overall, I
think this is a positive step towards providing a consistent path for
security disclosure information dissemination.  Thanks for your work on
it.  I still need to look through list discussions as part of the shepherd
responsibilities.

Section 3:

I'd prefer to see that TLS is required in the statement:
   the instructions MUST be accessible via the Hypertext
   Transfer Protocol [RFC1945] as a resource of Internet Media Type
   "text/plain" with the default charset parameter set to "utf-8" per
   section 4.1.3 of [RFC2046].

And since that's really hard to enforce, I think using RECOMMENDED at a
minimum here and in many of the places SHOULD appears in the document would
be better.  I know the meaning is similar, but I think it sounds a bit
stronger.


It looks like it is permissible to retrieve the file using HTTP only from
examples.  This has probably been discussed, but I am curious as to the
reasons.

Section 3.8 seems odd as most would look to a company's job listings rather
than use this as a source for information that should be timely.  The
vulnerability disclosure procedures are likely to be static for long
periods of time and hiring isn't necessarily.

Section 4.3, Internal hosts, reads:

   A .security.txt file SHOULD be placed in the root directory of an
   internal host to trigger incident response.

The .security.txt doesn't trigger the response, but rather provides
information on the steps for disclosure with the organization, correct?

-- 

Best regards,
Kathleen
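As an added illustration of the Section 3 requirements quoted in the review (text/plain with a utf-8 charset) and of the reviewer's preference that TLS be required, here is a small checker that takes an already-fetched response (URL, Content-Type header value, body bytes) and reports deviations. This is example code written for this page, not code from the draft or from the message's author; the function names, the constructed sample responses, the treatment of a missing charset parameter as the draft's utf-8 default, and the check for a Contact field (a field the draft defines but which the message above does not discuss) are my assumptions.

```python
"""Deployment checks for a security.txt response (added example, not from the draft)."""
from urllib.parse import urlsplit


def parse_content_type(header):
    """Split 'text/plain; charset="UTF-8"' into ('text/plain', {'charset': 'utf-8'}).

    Media type and parameter names/values are lower-cased; quotes are stripped.
    """
    parts = [p.strip() for p in header.split(";")]
    media_type = parts[0].lower()
    params = {}
    for part in parts[1:]:
        if "=" in part:
            name, value = part.split("=", 1)
            params[name.strip().lower()] = value.strip().strip('"').lower()
    return media_type, params


def check_securitytxt(url, content_type, body):
    """Return a list of findings (empty means no problems found).

    url          -- where the file was fetched from (scheme is checked)
    content_type -- the response's Content-Type header value
    body         -- the raw response body as bytes
    """
    findings = []

    # Reviewer's point: plain HTTP retrieval should not be acceptable.
    scheme = urlsplit(url).scheme.lower()
    if scheme != "https":
        findings.append("transport: served over %s, not TLS" % scheme)

    # Draft Section 3: text/plain with charset utf-8 (assumed default when absent).
    media_type, params = parse_content_type(content_type)
    if media_type != "text/plain":
        findings.append("media type: %r, draft requires text/plain" % media_type)
    charset = params.get("charset", "utf-8")
    if charset != "utf-8":
        findings.append("charset: %r, draft requires utf-8" % charset)

    # The body must actually be UTF-8, whatever the header claims.
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError:
        findings.append("body: not valid UTF-8")
        return findings

    # Field lines are 'Name: value'; '#' lines are comments (assumed syntax).
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if ":" not in line:
            findings.append("syntax: line %r is not 'Field: value'" % line)
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())

    # Contact is the field the draft defines for reaching the disclosure process.
    if "contact" not in fields:
        findings.append("content: no Contact field")
    return findings


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real host.
    good = ("https://example.com/security.txt", "text/plain; charset=utf-8",
            b"# constructed sample\nContact: mailto:security@example.com\n")
    bad = ("http://example.com/security.txt", "text/html; charset=iso-8859-1",
           b"<html>")
    for sample in (good, bad):
        print(sample[0], check_securitytxt(*sample))
```

The checker deliberately reports every deviation rather than stopping at the first, so a single run over a staging deployment shows the transport, media-type and syntax problems together; it only stops early when the body is not decodable, since field parsing would be meaningless then.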