Consider adding support for ".well-known" protocol / RFC 5785 #3

Closed

nightwatchcyber opened this Issue Aug 14, 2017 · 14 comments

5 participants

nightwatchcyber commented Aug 14, 2017

Contributor

The ".well-known" standard or RFC 5785 is the proposed way for websites to store things like "robots.txt":
https://tools.ietf.org/html/rfc5785

It is currently used for the ACME protocol used by LetsEncrypt for SSL domain verification:
https://tools.ietf.org/html/draft-ietf-acme-acme-07#section-9.2

Other protocols out there that use "/.well-known":
https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml

Please consider supporting this for "security.txt" as well.

april commented Aug 14, 2017

Please, this is much better than having a document at the top level and keeps your hierarchy from being too cluttered.

EdOverflow commented Aug 15, 2017

Member

Thank you for the suggestion. Lots of people have been suggesting this to me, so I will definitely look into this.

EdOverflow commented Aug 19, 2017

Member

@nightwatchcyber & @april: I have decided that I will be adding support for the ".well-known" protocol. 🙂

@EdOverflow EdOverflow modified the milestone: Internet Draft Aug 19, 2017

EdOverflow commented Aug 21, 2017

Member

I have added this to the README.md: https://github.com/EdOverflow/security-txt#how-it-works. Thank you @nightwatchcyber & @april.

@EdOverflow EdOverflow closed this Aug 21, 2017

nightwatchcyber commented Aug 21, 2017

Contributor

You may want to register with IANA:

https://www.ietf.org/assignments/well-known-uris/well-known-uris.xml

This can be done as part of the IETF draft.

EdOverflow commented Sep 11, 2017

Member

@nightwatchcyber & @april: After a very long and heated debate with some other people, I have decided to go with the original idea of having security.txt in the root directory. The main reason for not using /.well-known/ was the fact that it is not widely used. Most people I talked to had never even heard of it in the first place. This is surprising since the RFC was published in April 2010.

I apologise for this last-minute decision. Hopefully, this will not cause too much trouble.

Edit: I have changed my mind again. See: #3 (comment)


@EdOverflow EdOverflow reopened this Oct 8, 2017

EdOverflow commented Oct 8, 2017

Member

This issue is now back open for discussion.

EdOverflow commented Oct 8, 2017

Member

The new draft that I have not published yet places security.txt under the /.well-known/ path, but I would still like to discuss this further because of this poll: https://twitter.com/EdOverflow/status/916638593027919873.

[image]

x3ro commented Oct 8, 2017

Hi @EdOverflow. Thanks for getting this project started!

On topic: Why is it relevant whether or not people are well-aware of .well-known? You'd have to learn/know about the existence of security.txt in order to look at it, so it wouldn't matter what the exact path of it is, right? While learning about security.txt people would then automatically also learn about .well-known if they weren't aware of it before.

Or to put it differently: what would be the advantage of putting security.txt in the root directory over putting it in a standard location defined by an RFC?

PS: Re your poll: You already said that most people you spoke to do not know about/do not care about .well-known, so this outcome is not that surprising I guess. In the end, if you want to publish this as an RFC you should also consider that it'll need to pass through all IETF scrutiny, and I find it hard to believe that the poll would have the same outcome there.

EdOverflow commented Oct 8, 2017

Member

Hi @x3ro,

> Why is it relevant whether or not people are well-aware of .well-known?

I have actually changed my mind about that since the last decision was made.

> what would be the advantage of putting security.txt in the root directory over putting it in a standard location defined by an RFC?

One advantage would be that this would make security.txt comply with robots.txt, something that most people and companies are already fairly familiar with.

> In the end, if you want to publish this as an RFC you should also consider that it'll need to pass through all IETF scrutiny, and I find it hard to believe that the poll would have the same outcome there.

I am waiting to hear back from the IETF board about the location of the file. Maybe they can help me come to a definitive conclusion.

EdOverflow commented Oct 8, 2017

Member

@x3ro, @april & @nightwatchcyber: I have finally come to a conclusion. security.txt will be placed under the /.well-known/ path. The Google VRP team have convinced me. This will be made clear in the next version of the draft. Thank you very much for the constructive feedback and help.

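A deployment check that follows the decision reached in this thread, added here as an example rather than code from the security-txt project: it looks for the file at the RFC 5785 well-known path first and treats the site root only as a legacy location, warning when a host serves only the root copy or serves two copies that disagree. Everything under `CONSTRUCTED_SITES` (hosts, file contents) is made up so the check runs offline; `http_fetch` is the only part that touches the network, and the `Report` fields and warning wording are this example's own choices.

```python
"""Locate a host's security.txt: /.well-known/ first, site root as legacy fallback.

Added example for the security-txt location discussion; not project code.
Sample hosts and file bodies below are constructed so the check runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
import urllib.error
import urllib.request

WELL_KNOWN_PATH = "/.well-known/security.txt"   # location chosen in the thread
LEGACY_PATH = "/security.txt"                    # original root-directory proposal

# A fetcher maps a URL to (HTTP status, body); status 0 means no response at all.
Fetcher = Callable[[str], Tuple[int, str]]


@dataclass
class Report:
    host: str
    location: Optional[str] = None      # path the file should be read from
    body: Optional[str] = None
    warnings: List[str] = field(default_factory=list)


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Network fetcher over HTTPS; urllib follows redirects for us."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


def locate_security_txt(host: str, fetch: Fetcher = http_fetch) -> Report:
    """Try both candidate paths and report which one a client should trust."""
    found: Dict[str, Optional[str]] = {}
    for path in (WELL_KNOWN_PATH, LEGACY_PATH):
        status, body = fetch(f"https://{host}{path}")
        # Only a 200 with a non-empty body counts; a soft-404 page would not pass here.
        found[path] = body if status == 200 and body.strip() else None

    report = Report(host=host)
    primary, legacy = found[WELL_KNOWN_PATH], found[LEGACY_PATH]
    if primary is not None:
        report.location, report.body = WELL_KNOWN_PATH, primary
        if legacy is not None and legacy != primary:
            report.warnings.append(
                "root copy differs from the well-known copy; keep a single source of truth")
    elif legacy is not None:
        report.location, report.body = LEGACY_PATH, legacy
        report.warnings.append(
            f"only the legacy root location is served; publish {WELL_KNOWN_PATH} too")
    else:
        report.warnings.append("no security.txt served at either location")
    return report


# ---- constructed offline fixture -------------------------------------------
SAMPLE_TXT = "Contact: mailto:security@example.com\n"           # constructed content
CONSTRUCTED_SITES: Dict[str, Dict[str, str]] = {
    "both.example": {WELL_KNOWN_PATH: SAMPLE_TXT, LEGACY_PATH: SAMPLE_TXT},
    "legacy.example": {LEGACY_PATH: SAMPLE_TXT},
    "drift.example": {WELL_KNOWN_PATH: SAMPLE_TXT,
                      LEGACY_PATH: "Contact: mailto:old-address@example.com\n"},
    "none.example": {},
}


def fake_fetch(url: str) -> Tuple[int, str]:
    """Offline stand-in for http_fetch, backed by CONSTRUCTED_SITES."""
    host, _, path = url[len("https://"):].partition("/")
    body = CONSTRUCTED_SITES.get(host, {}).get("/" + path)
    return (200, body) if body is not None else (404, "")


if __name__ == "__main__":
    for name in CONSTRUCTED_SITES:
        rep = locate_security_txt(name, fake_fetch)
        print(f"{name}: location={rep.location} warnings={rep.warnings}")
```

Run it against a real host with `locate_security_txt("your-host.example")` (the default fetcher); the fixture hosts exist only to show the four outcomes a reviewer cares about: well-known served, root only, both served but out of sync, and nothing at all.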
april commented Oct 8, 2017

austinheap commented Oct 8, 2017

Collaborator

👍 good call on using /.well-known/

> robots.txt was created back in 1994, back when we thought that using unstructured text files and putting them in the root directory was a good idea.

Couldn't agree more! No reason to bring along poorly thought out decisions from 20~ years ago.

nightwatchcyber commented Oct 10, 2017

Contributor

@EdOverflow - considering how well the ".well-known" approach worked for the ACME protocol used by LetsEncrypt, it will probably work well for this as well. Thanks.
