
Make it clear that security.txt.sig files should be served over HTTPS. #55

Closed
EdOverflow opened this issue Dec 3, 2017 · 2 comments

Comments

@EdOverflow
Member

draft-foudil-securitytxt-01.txt states the following:

In order to ensure the authenticity of the security.txt file one
SHOULD use the "Signature:" directive, which allows you to link to an
external signature or to directly include the signature in the file.
External signature files should be named "security.txt.sig" and also
be placed under the /.well-known/ path.

In the next version we should make it very clear that the security.txt.sig file should be served over HTTPS.

@EdOverflow EdOverflow added this to the securitytxt-02 milestone Dec 3, 2017
nightwatchcyber added a commit to nightwatchcyber/security-txt that referenced this issue Dec 26, 2017
EdOverflow added a commit that referenced this issue Dec 26, 2017
Adding history section, and addressing issues #55 and #14
@austinheap
Collaborator

FYI: The registry has been updated to reject SIG files not over HTTPS.
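A checker of the kind the registry comment above describes, covering the requirement raised in the issue itself, is given here as an added example; it is not part of this thread or of the securitytxt project's code. It pulls the Signature directives out of a security.txt body and flags an external signature file that is not served over HTTPS or is not located at /.well-known/security.txt.sig. The sample body, the example.com host, and the rule that a value without "://" is an inline signature are constructed assumptions.

```python
from urllib.parse import urlparse

# Location the draft text quoted above expects for an external signature file.
WELL_KNOWN_SIG_PATH = "/.well-known/security.txt.sig"

# Constructed sample security.txt body (not taken from any real site).
SAMPLE = """# constructed sample
Contact: mailto:security@example.com
Signature: https://example.com/.well-known/security.txt.sig
Signature: http://example.com/.well-known/security.txt.sig
"""


def parse_signature_directives(security_txt: str) -> list[str]:
    """Return the value of every 'Signature:' directive, in file order.
    Blank lines, '#' comments and other directives are ignored."""
    values = []
    for line in security_txt.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "signature":
            values.append(value.strip())
    return values


def check_signature_url(url: str) -> list[str]:
    """Return the problems found with an external signature URL (empty = OK)."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme.lower() != "https":
        problems.append(f"signature file must be served over HTTPS, got {parsed.scheme!r}")
    if not parsed.netloc:
        problems.append("signature URL has no host")
    if parsed.path != WELL_KNOWN_SIG_PATH:
        problems.append(f"signature file expected at {WELL_KNOWN_SIG_PATH}, got {parsed.path!r}")
    return problems


def validate(security_txt: str) -> dict[str, list[str]]:
    """Map each Signature value to its problems; values without '://' are
    treated as inline signatures (assumption) and get no URL checks."""
    report = {}
    for value in parse_signature_directives(security_txt):
        report[value] = check_signature_url(value) if "://" in value else []
    return report


if __name__ == "__main__":
    for value, problems in validate(SAMPLE).items():
        print(value, "->", "OK" if not problems else "; ".join(problems))
```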

EdOverflow added a commit that referenced this issue Jan 7, 2018
* updated issues shield/link

* Remove hero image.

* Create draft-foudil-securitytxt-01.txt.

* Create draft-foudil-securitytxt-01.txt.

* chore(text): fix grammar

* chore(text): fix grammar

* Fix Typo

* Fix Typo

* Fix Shield Link

* Fix Shield Link

* converting to use markdown and adding IETF tool support

* clarifying instructions for making the text draft

* putting back the original version

* adding version-01 before markdown conversion

* adding text draft generated from markdown

* removing non-markdown draft version

* Adding IANA registration for .well-known

* removing date

* Adding IANA registry for extensibility to address issue #34

* added extensibility section

* adding extensibility to abnf

* Start working on https://github.com/securitytxt/security-txt/milestone/2.

* Add Signature directive to registry.

* Add file location section.

* Explaining how this is different from RFC2142

* language tweaks

* s/filesystems/file systems

* adding author

* adding html

* adding txt and html

* re-generating drafts

* Signature file should be added to the Well-Known URI's registry

In accordance with issue #59, the signature file "security.txt.sig" should also be added to the Well-Known URI's registry.

* Update draft-01.

* Update draft.

* s/draft-01/draft-02

* Adding history section, and addressing issues #55 and #14

* Adding language to clarify Contact values as per issue #62

* "the" ability

* Create .travis.yml

* Languages updates for the draft text (#66)

* Languages updates for the draft text

* Fix comment

* Fix more wording

* Fix for Ed
EdOverflow added a commit that referenced this issue Jan 15, 2018
* updated issues shield/link

* Remove hero image.

* Create draft-foudil-securitytxt-01.txt.

* Create draft-foudil-securitytxt-01.txt.

* chore(text): fix grammar

* chore(text): fix grammar

* Fix Typo

* Fix Typo

* Fix Shield Link

* Fix Shield Link

* converting to use markdown and adding IETF tool support

* clarifying instructions for making the text draft

* putting back the original version

* adding version-01 before markdown conversion

* adding text draft generated from markdown

* removing non-markdown draft version

* Adding IANA registration for .well-known

* removing date

* Adding IANA registry for extensibility to address issue #34

* added extensibility section

* adding extensibility to abnf

* Start working on https://github.com/securitytxt/security-txt/milestone/2.

* Add Signature directive to registry.

* Add file location section.

* Explaining how this is different from RFC2142

* language tweaks

* s/filesystems/file systems

* adding author

* adding html

* adding txt and html

* re-generating drafts

* Signature file should be added to the Well-Known URI's registry

In accordance with issue #59, the signature file "security.txt.sig" should also be added to the Well-Known URI's registry.

* Update draft-01.

* Update draft.

* s/draft-01/draft-02

* Adding history section, and addressing issues #55 and #14

* Adding language to clarify Contact values as per issue #62

* "the" ability

* Create .travis.yml

* Start working on securitytxt-03.

* Update version to 03.

* Fix mistakes.

* Languages updates for the draft text (#66)

* Languages updates for the draft text

* Fix comment

* Fix more wording

* Fix for Ed

* Update securitytxt-03 addressing the issues raised by @nightwatchcyber.

* Fix remaining issues.

* Solve #77: Add language about security researcher's responsibility.

* Solve #87.
@nightwatchcyber
Contributor

Changing HTTPS to MUST as per this message:
https://mailarchive.ietf.org/arch/msg/saag/i5QL-WvzS7oLa9WYI_-mRv0Po_U

nightwatchcyber added a commit that referenced this issue Feb 11, 2019
Making SSL required and adding language for encryption (#55) (#134)