From a55227293698780d36a1685ea2cac7ed35012c9b Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Mon, 27 May 2024 11:49:33 +0200 Subject: [PATCH 1/3] HTTP User-Agents - addresses parts of oasis-tcs/csaf#635 - add new requirement explicitly stating that no blocking is allowed --- csaf_2.1/prose/edit/src/distributing.md | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/csaf_2.1/prose/edit/src/distributing.md b/csaf_2.1/prose/edit/src/distributing.md index 2a9c2f06..2805683e 100644 --- a/csaf_2.1/prose/edit/src/distributing.md +++ b/csaf_2.1/prose/edit/src/distributing.md @@ -558,6 +558,19 @@ Each such folder MUST at least: } ``` +### Requirement 24: HTTP User-Agent + +Access to the files provided, both CSAF metadata and documents, MUST NOT be restricted by the value of HTTP User-Agent. + +> Limit the value of HTTP User-Agents to a certain set would hinder adoption of tools retrieving the files. + +The only exception is that the temporary blocking of certain HTTP User-Agents is allowed to mitigate an ongoing security incident +(e.g. a DoS attack on the web server serving the CSAF files). However, it MUST be checked if a less severe measure with a similar +effect could be used. White-listing CSAF related files and directories MUST be considered. The temporary blocking MUST be removed +as soon as possible, at latest two weeks after the security incident process was completed. + +> Also confer to the TC's guidance on content delivery networks and caching. + ## Roles This subsection groups the requirements from the previous subsection into named sets which target the roles with the same name. 
@@ -595,7 +608,7 @@ A CSAF publisher satisfies the "CSAF provider" role if the party fulfills the fo Firstly, the party: * satisfies the "CSAF publisher" role profile. -* additionally satisfies the requirements 5 to 7 in section [sec](#requirements). +* additionally satisfies the requirements 5 to 7 and 24 in section [sec](#requirements). Secondly, the party: @@ -619,7 +632,7 @@ A CSAF provider satisfies the "CSAF trusted provider" role if the party: A distributing party satisfies the "CSAF lister" role if the party: -* satisfies the requirements 6, 21 and 22 in section [sec](#requirements). +* satisfies the requirements 6, 21, 22 and 24 in section [sec](#requirements). * uses the value `lister` for `/aggregator/category`. * does not list any mirror pointing to a domain under its own control. @@ -630,7 +643,7 @@ A distributing party satisfies the "CSAF lister" role if the party: A distributing party satisfies the "CSAF aggregator" role if the party: -* satisfies the requirements 1 to 6 and 21 to 23 in section [sec](#requirements). +* satisfies the requirements 1 to 6 and 21 to 24 in section [sec](#requirements). * uses the value `aggregator` for `/aggregator/category`. * lists a mirror for at least two disjoint issuing parties pointing to a domain under its own control. * links the public part of the OpenPGP key used to sign CSAF documents for each mirrored issuing party in From df33caa90cafe4eea5d306040a9c64c0236ea430 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Mon, 27 May 2024 16:04:09 +0200 Subject: [PATCH 2/3] HTTP User-Agents - addresses parts of review comments from oasis-tcs/csaf#742 - change wording from MUST NOT to MUST (hopefully with same clarity) - rephrase "white-listing" to exempt - use new line per sentence --- csaf_2.1/prose/edit/src/distributing.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) 
diff --git a/csaf_2.1/prose/edit/src/distributing.md b/csaf_2.1/prose/edit/src/distributing.md index 2805683e..6a400d01 100644 --- a/csaf_2.1/prose/edit/src/distributing.md +++ b/csaf_2.1/prose/edit/src/distributing.md @@ -560,14 +560,16 @@ Each such folder MUST at least: ### Requirement 24: HTTP User-Agent -Access to the files provided, both CSAF metadata and documents, MUST NOT be restricted by the value of HTTP User-Agent. +Access to the CSAF related files and directories provided, for both metadata and documents, MUST be allowed independent of the +value of HTTP User-Agent. > Limit the value of HTTP User-Agents to a certain set would hinder adoption of tools retrieving the files. The only exception is that the temporary blocking of certain HTTP User-Agents is allowed to mitigate an ongoing security incident -(e.g. a DoS attack on the web server serving the CSAF files). However, it MUST be checked if a less severe measure with a similar -effect could be used. White-listing CSAF related files and directories MUST be considered. The temporary blocking MUST be removed -as soon as possible, at latest two weeks after the security incident process was completed. +(e.g. a DoS attack on the web server serving the CSAF files). +However, it MUST be checked if a less severe measure with a similar effect could be used. +It MUST be considered to exempt CSAF related files and directories from such a the temporary blocking. +The temporary blocking MUST be removed as soon as possible, at latest two weeks after the security incident process was completed. > Also confer to the TC's guidance on content delivery networks and caching. From 65dea4f650f19f4e5bd6599038c82e3e9fdf87b7 Mon Sep 17 00:00:00 2001 
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 29 May 2024 22:35:17 +0200 Subject: [PATCH 3/3] HTTP User-Agents - addresses parts of review comments from oasis-tcs/csaf#742 - change wording to SHOULD instead of weak MUST statements Co-authored-by: Stefan Hagen --- csaf_2.1/prose/edit/src/distributing.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/csaf_2.1/prose/edit/src/distributing.md b/csaf_2.1/prose/edit/src/distributing.md index 6a400d01..a764877c 100644 --- a/csaf_2.1/prose/edit/src/distributing.md +++ b/csaf_2.1/prose/edit/src/distributing.md @@ -567,9 +567,9 @@ value of HTTP User-Agent. The only exception is that the temporary blocking of certain HTTP User-Agents is allowed to mitigate an ongoing security incident (e.g. a DoS attack on the web server serving the CSAF files). -However, it MUST be checked if a less severe measure with a similar effect could be used. -It MUST be considered to exempt CSAF related files and directories from such a the temporary blocking. -The temporary blocking MUST be removed as soon as possible, at latest two weeks after the security incident process was completed. +However, a less severe measure with a similar effect SHOULD be used. +CSAF related files and directories SHOULD be exempted from temporary blocking. +The temporary blocking SHOULD be removed as soon as possible, at latest two weeks after the security incident process was completed. > Also confer to the TC's guidance on content delivery networks and caching.
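Review bot: In patch 1/3, hunk @@ -558,6 +558,19 @@, the rationale line "> Limit the value of HTTP User-Agents to a certain set would hinder adoption of tools retrieving the files." is ungrammatical ("Limit" should read "Limiting", or "Limiting ... to a certain set would hinder ...") and it is carried unchanged as context through patches 2/3 and 3/3, so the final text still has the error; fix it in this series. The same hunk's "it MUST be checked if a less severe measure ... could be used" and "White-listing ... MUST be considered" place a MUST on a deliberation rather than on an observable outcome, which a role check cannot verify against a provider; since patches 2/3 and 3/3 rewrite exactly these lines, consider squashing the series so the requirement lands in one commit with its final wording.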
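Review bot: In patch 1/3, hunk @@ -595,7 +608,7 @@, requirement 24 reaches the "CSAF provider" role only through the "additionally satisfies the requirements 5 to 7 and 24" bullet, while the "CSAF publisher" role profile referenced by the first bullet is not touched anywhere in this series; confirm that a plain publisher is intentionally left without the User-Agent requirement, and if so, say so in the requirement's own text so the scope is explicit rather than implied by the role tables.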
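Review bot: In patch 2/3, hunk @@ -560,14 +560,16 @@, the added line "It MUST be considered to exempt CSAF related files and directories from such a the temporary blocking." contains a stray article ("such a the"); patch 3/3 replaces the line, so the typo does not survive, but the intermediate commit should still be clean if the series is not squashed. In the same hunk, "MUST be allowed independent of the value of HTTP User-Agent" reads better as "regardless of the value of the HTTP User-Agent header", which also makes clear that the header, not a client, is what the rule refers to.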
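Review bot: In patch 3/3, hunk @@ -567,9 +567,9 @@, the new line "However, a less severe measure with a similar effect SHOULD be used." drops the condition that such a measure exists, so it now reads as an unconditional instruction; suggest "If a less severe measure with a similar effect exists, it SHOULD be used instead." Two smaller points in the same hunk: "at latest two weeks" should be "at the latest two weeks", and after this change the only normative MUST left in requirement 24 is the first sentence, while the exception paragraph is all SHOULD, so a provider that keeps a User-Agent block in place indefinitely after an incident still formally meets the requirement; decide whether the removal deadline is meant to stay a MUST.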