Re: [Last-Call] [secdir] Secdir last call review of draft-foudil-securitytxt-08


On Sat, Dec 28, 2019 at 8:56 AM Paul Wouters <paul@xxxxxxxxx> wrote:


> On Dec 28, 2019, at 10:33, Salz, Rich <rsalz@xxxxxxxxxx> wrote:
>
> I don't understand the security concerns about "do not publish this."
>
> It's protected by transport level security, and it's encouraged to use application-level signing.  It's machine readable, or easily parseable, and it makes it easier for people to report problems.  Do we have a problem with over-reportage?
>
> Don't let the perfect be the enemy of the better.

> We did that already with Whois/RDAP? It’s the non-perfect solution we have that is more secure than this alternative.
>
> It’s not perfect, and RDAP is better than Whois for human plus machine readable.
>
> Putting this information in the same realm you have a security issue with is just not a good idea for many reasons mentioned during the entire discussion of the document and the various last call comments.
>
> Most vulnerabilities will not get access to this file. Stuff like SQL injection, CSRF, XSS, etc.
>
> We have more less-perfect solutions too. There is the web server error message contact info too. The DNS SOA record has a contact. The main web page usually has a “contact” place listing an email or web form. And we have postmaster@ and info@ and security@ email addresses that usually work. If anything, we already have too many non-perfect solutions out there and this proposal is really a perfect example of xkcd 927.

The reason this draft was made is that those methods don't work. DNS SOA and website contact can go to the wrong places in an organization. info@ and security@ aren't universal, and after that you're left being psychic. We are seeing new solutions to serious problems, and the response is "No, it isn't a problem" when the proposed solutions offer far less information. You're also assuming that another place to put information is a bad thing, and that a possible heads-up to a hypothetical attacker is worse than no notification.

Right now the standard is begging on Twitter for a chain of introductions. We should be able to do better.

> Paul


--
"Man is born free, but everywhere he is in chains".
--Rousseau.
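Added example, not part of the thread above or of the draft: the two machine-readable contact sources the exchange compares (the proposed /.well-known/security.txt file and the existing DNS SOA RNAME) parsed offline from constructed input. The security.txt body, the example.com names and the RNAME strings are made up for illustration; the field syntax follows the security.txt draft (Contact:, Expires:, comments starting with #), and the RNAME decoding follows the DNS convention that the first unescaped dot separates mailbox from domain.

```python
"""Added example (not from the mailing-list thread or the draft).

Two contact-discovery sources the thread debates, parsed from constructed
input so the script runs offline:

  - a /.well-known/security.txt body: collect Contact: values and check
    whether the Expires: field says the file is stale;
  - a DNS SOA RNAME such as 'hostmaster.example.com.': decode the mailbox
    encoding into an e-mail address.
"""
from datetime import datetime, timezone

# Constructed sample body; example.com is a placeholder, not a real file.
SAMPLE_SECURITY_TXT = """\
# Our security address
Contact: mailto:security@example.com
Contact: https://example.com/security-form
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en, fr
"""


def parse_security_txt(body):
    """Return {field-name (lower-cased): [values...]}.

    Blank lines and '#' comments are skipped; a line without ':' is
    malformed and ignored rather than guessed at. Field names are
    case-insensitive in the draft, hence the lower-casing.
    """
    fields = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def contacts(fields):
    """All Contact: values, in file order (the draft orders them by preference)."""
    return fields.get("contact", [])


def is_expired(fields, now_iso=None):
    """True when there is no Expires: field or it lies in the past.

    A missing or past Expires is treated as 'do not trust this file', since
    a stale contact is exactly the failure mode the field exists to catch.
    now_iso is an RFC 3339 timestamp; defaults to the current UTC time.
    """
    values = fields.get("expires")
    if not values:
        return True
    expires = datetime.fromisoformat(values[0].replace("Z", "+00:00"))
    if now_iso is None:
        now = datetime.now(timezone.utc)
    else:
        now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    return expires <= now


def soa_rname_to_email(rname):
    """Decode an SOA RNAME into an e-mail address.

    In the RNAME the first unescaped dot separates the local part from the
    domain; a backslash-escaped dot inside the local part is a literal dot.
    'hostmaster.example.com.' -> 'hostmaster@example.com'
    """
    local = []
    i = 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):  # escaped character, keep literally
            local.append(rname[i + 1])
            i += 2
            continue
        if ch == ".":  # first unescaped dot ends the local part
            break
        local.append(ch)
        i += 1
    domain = rname[i + 1:].rstrip(".")
    return "".join(local) + "@" + domain


if __name__ == "__main__":
    parsed = parse_security_txt(SAMPLE_SECURITY_TXT)
    print("contacts:", contacts(parsed))
    print("expired:", is_expired(parsed))
    print("SOA contact:", soa_rname_to_email("hostmaster.example.com."))
```

Note that the SOA route yields one address with no indication of who reads it, and the security.txt route yields an ordered list with an expiry, which is the informational difference the reply above is pointing at.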
-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
