Re: [Last-Call] Secdir last call review of draft-foudil-securitytxt-08

> On Dec 28, 2019, at 10:33, Salz, Rich <rsalz@xxxxxxxxxx> wrote:
> 
> I don't understand the security concerns about "do not publish this."
> 
> It's protected by transport level security, and it's encouraged to use application-level signing.  It's machine readable, or easily parseable, and it makes it easier for people to report problems.  Do we have a problem with over-reportage?
> 
> Don't let the perfect be the enemy of the better.

We did that already with Whois/RDAP? It’s the non-perfect solution we have that is more secure than this alternative.

It’s not perfect, and rdap is better than Whois for human plus machine readable.

Putting this information in the same realm you have a security issue with is just not a good idea for many reasons mentioned during the entire discussion of the document and the various last call comments.

We have more less-perfect solutions too. There is the web server error message contact info too. The DNS SOA record has a contact. The main web page usually has a “contact” place listing an email or web form. And we have postmaster@ and info@ and security@ email addresses that usually work. If anything, we already have too many non-perfect solutions out there and this proposal is really a perfect example of xkcd 927.

Paul
-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call