Re: [Last-Call] Last Call: <draft-foudil-securitytxt-08.txt> (A Method for Web Security Policies) to Informational RFC

I support publication of the document provided that it is renamed.

The current title is confusing as what is described is not a security policy according to the accepted term of art. It may contain a link to a policy but that is not the primary subject matter. The term 'security description' is a possible alternative.

I would also suggest that in addition to publication via the .well-known scheme, there is a means of publication through an appropriately prefixed TXT record specifying an alternative URI. While HTTP service is ubiquitous, it is not universal. More to the point, it is highly likely that the target Web site is unavailable if there is an attack in progress.



On Mon, Dec 9, 2019 at 12:39 PM The IESG <iesg-secretary@xxxxxxxx> wrote:

The IESG has received a request from an individual submitter to consider the
following document: - 'A Method for Web Security Policies'
  <draft-foudil-securitytxt-08.txt> as Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
last-call@xxxxxxxx mailing lists by 2020-01-06. Exceptionally, comments may
be sent to iesg@xxxxxxxx instead. In either case, please retain the beginning
of the Subject line to allow automated sorting.

Abstract


   When security vulnerabilities are discovered by independent security
   researchers, they often lack the channels to report them properly.
   As a result, security vulnerabilities may be left unreported.  This
   document defines a format ("security.txt") to help organizations
   describe the process for security researchers to follow in order to
   report security vulnerabilities.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-foudil-securitytxt/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-foudil-securitytxt/ballot/


No IPR declarations have been submitted directly on this I-D.




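As an added illustration of the DNS TXT fallback proposed in the reply above (this is example code, not part of draft-foudil-securitytxt or of any implementation): a client first tries the .well-known location and, when the web site is unreachable, looks for a prefixed TXT record that points at an alternative URI. The owner-name prefix `_security-txt`, the `v=securitytxt1; uri=<URI>` record syntax, and the sample zone and web contents are all assumptions constructed for this example.

```python
"""Added example: a DNS TXT fallback for locating a security.txt file, following
the suggestion in the reply above. NOT part of draft-foudil-securitytxt; the
"_security-txt" label and the "v=securitytxt1; uri=<URI>" syntax are invented
for this illustration."""
from typing import Callable, Iterable, List, Optional, Tuple
from urllib.parse import urlparse

TXT_PREFIX = "_security-txt"   # assumed owner-name prefix, e.g. _security-txt.example.com
TXT_VERSION = "securitytxt1"   # assumed value of the "v=" tag


def join_txt_strings(strings: Iterable[str]) -> str:
    """A TXT RDATA is a sequence of <=255-byte character-strings; the logical
    record value is their concatenation."""
    return "".join(strings)


def parse_security_txt_record(rdata: str) -> Optional[str]:
    """Return the alternative security.txt URI carried by one TXT record, or
    None if the record is not a well-formed pointer (unknown version, missing
    or relative URI, non-HTTPS scheme, or embedded credentials)."""
    fields = {}
    for item in rdata.split(";"):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep:
            return None
        fields[key.strip().lower()] = value.strip()
    if fields.get("v") != TXT_VERSION:
        return None
    uri = fields.get("uri")
    if not uri:
        return None
    parsed = urlparse(uri)
    # Accept only absolute HTTPS URIs with a host and no userinfo, so a
    # tampered zone cannot redirect reporters to a plaintext or spoofed target.
    if parsed.scheme != "https" or not parsed.netloc or "@" in parsed.netloc:
        return None
    return uri


def discover_security_txt(
    domain: str,
    fetch: Callable[[str], str],
    resolve_txt: Callable[[str], List[List[str]]],
) -> Optional[Tuple[str, str]]:
    """Try https://<domain>/.well-known/security.txt first; if the site is
    unreachable, consult the TXT record and fetch the first valid alternative.
    Returns (uri, body) or None when nothing could be retrieved."""
    primary = f"https://{domain}/.well-known/security.txt"
    try:
        return primary, fetch(primary)
    except OSError:
        pass  # site down (e.g. during an attack): fall back to DNS
    for rdata_strings in resolve_txt(f"{TXT_PREFIX}.{domain}"):
        uri = parse_security_txt_record(join_txt_strings(rdata_strings))
        if uri is None:
            continue
        try:
            return uri, fetch(uri)
        except OSError:
            continue
    return None


# Constructed sample data standing in for a DNS resolver and an HTTP client.
CONSTRUCTED_ZONE = {
    "_security-txt.example.com": [
        ["v=securitytxt1; uri=http://insecure.example.net/security.txt"],   # rejected: not https
        ["v=securitytxt1; ", "uri=https://status.example.net/security.txt"],  # split into two strings
    ],
}
CONSTRUCTED_WEB = {
    # example.com itself is deliberately absent: it is "unreachable" here.
    "https://status.example.net/security.txt": "Contact: mailto:security@example.com\n",
}


def constructed_resolve_txt(name: str) -> List[List[str]]:
    return CONSTRUCTED_ZONE.get(name, [])


def constructed_fetch(uri: str) -> str:
    if uri not in CONSTRUCTED_WEB:
        raise OSError(f"unreachable: {uri}")
    return CONSTRUCTED_WEB[uri]


def demo() -> Optional[Tuple[str, str]]:
    return discover_security_txt("example.com", constructed_fetch, constructed_resolve_txt)


if __name__ == "__main__":
    print(demo())
```

Because the pointer lives in DNS, its integrity is only as good as the zone's: a deployment relying on this fallback would want the record DNSSEC-signed, and the client would still apply the same HTTPS-only validation to the alternative URI that it applies to the primary location.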
