On Tue, Dec 24, 2019 at 7:51 AM Tero Kivinen via Datatracker <noreply@xxxxxxxx> wrote:
> Reviewer: Tero Kivinen
> Review result: Has Issues
>
> This document describes a text file located on the web server which can be used
> to find the information on whom to contact in case there are security
> vulnerabilities that need to be disclosed.
>
> I think this whole idea is BAD, and I do not think we should be publishing this
> document at all in this format.
Yeah... I looked at:
"Organizations SHOULD weigh the advantages of publishing this file versus the possible disadvantages and increased resources required to triage security reports."
While the draft does spend some time describing the "Scope of the File", it doesn't address attacks against other parties using phone numbers or emails contained within the file.
For example, it seems possible to register free domain names under TLDs like .xyz and .tk and then point phone numbers at unsuspecting parties.
thanks,
Rob
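The concern above is that Contact entries in a security.txt file can name parties who have no relationship with the domain serving it. As an added illustration for this thread (not code from the draft or from any IETF implementation), the check below parses the "Field: value" lines of such a file and flags any Contact whose mailto:/https: target is off-domain, or which is a tel: number and therefore cannot be tied to the serving domain at all. The file contents and domain names are constructed for the example.

```python
import re
from urllib.parse import urlsplit
# Minimal security.txt parser plus a check that flags Contact entries which
# cannot be tied to the domain serving the file. Added for this thread as an
# illustration; not code from the draft or from any IETF implementation.
FIELD_RE = re.compile(r"^([A-Za-z-]+):\s*(.+?)\s*$")

def parse_security_txt(text):
    """Return (field, value) pairs; '#' comments and blank lines are skipped."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            m = FIELD_RE.match(line)
            if m:
                fields.append((m.group(1).lower(), m.group(2)))
    return fields

def _same_site(host, serving_domain):
    host = host.lower().rstrip(".")
    return host == serving_domain or host.endswith("." + serving_domain)

def suspicious_contacts(text, serving_domain):
    """Contact values that point away from the serving domain.
    A mailto:/https: contact on another domain, or any tel: number, is not
    vouched for by the serving domain; confirm it out of band before use."""
    serving_domain = serving_domain.lower().rstrip(".")
    flagged = []
    for field, value in parse_security_txt(text):
        if field != "contact":
            continue
        parts = urlsplit(value)
        scheme = parts.scheme.lower()
        if scheme == "mailto":
            addr = parts.path.split("?", 1)[0]        # drop ?subject=... if present
            ok = "@" in addr and _same_site(addr.rsplit("@", 1)[1], serving_domain)
        elif scheme == "https":
            ok = _same_site(parts.hostname or "", serving_domain)
        else:                                         # tel: and others: no domain to check
            ok = False
        if not ok:
            flagged.append(value)
    return flagged

# Constructed sample served from example.com; two contacts belong to other parties.
SAMPLE = """Contact: mailto:security@example.com
Contact: mailto:helpdesk@other-company.example
Contact: tel:+1-555-0100
Contact: https://example.com/report
Expires: 2021-12-31T18:37:07z
"""
```

Running suspicious_contacts(SAMPLE, "example.com") returns the off-domain mailto: and the tel: entry, which a triage tool would hold back for verification rather than report to blindly.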
--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call