Clarify Permission #132

Closed
RobertKosten opened this issue Nov 29, 2018 · 5 comments

Comments

@RobertKosten
The description of the permission property is very unclear IMHO. Since it is not allowed to be interpreted as having any legal value it would be, at best, a declaration of intent, and then the absence of the property or any value other than "none" may not be interpreted as any kind of permission to test the resource. So essentially, either the property is "none", which means "explicitly don't test" (but has no legal value), or its absence means "don't test, because you don't know" (but also has no legal value). Why have the property at all then, if the default (correctly) is already "don't test"?

Either I'm unable to understand the intention, then it should be clarified, or the property is pointless as-is and should either be dropped or changed into something that allows declaration of intent/goodwill with legal value (And many companies may opt to omit it), no?

@nightwatchcyber (Contributor)

(there is some background discussion in issue #30)

The purpose of this field is to signal to a researcher that they should try not to test this particular web property. It only has one valid value right now because no consensus was reached on how to indicate the opposite, an intent to allow testing. Later on, this may become an IANA registry of valid values.

The reason why this doesn't carry legal intent is that we are not sure if the standard as a whole can be used in that fashion, and several users expressed concern about possible legal liability as a result.

@RobertKosten (Author)

I read the background, thanks. My point stands: the value 'none' conveys exactly the same information as the absence of the property, namely no permission to test. Unless other values are added (preferably in a way that is legally useful to a security researcher, otherwise it doesn't provide any value to them, IMHO), I'd strongly prefer the property were dropped from the RFC until other values are added.

@EdOverflow (Member)

@RobertKosten, you have raised a very good point. Would you be willing to move this discussion to the original ticket where the Permission directive was created in the first place? I am curious to see what the others have to say.

@RobertKosten (Author)

@EdOverflow, will do 👍

@nightwatchcyber (Contributor)

Discussion moved to #30.
