Last call changes #183
Conversation
draft-foudil-securitytxt.md
Outdated
("security.txt") to help organizations describe the process for security | ||
researchers to follow in order to report security vulnerabilities. | ||
("security.txt") to help organizations describe their vulnerability disclosure practices | ||
in order to make it easier for researchers to report security vulnerabilities. |
in order to make it easier for researchers to report security vulnerabilities. | |
to make it easier for researchers to report security vulnerabilities. |
will change
draft-foudil-securitytxt.md
Outdated
for organizations to communicate information about their security disclosure | ||
policies, which is not limited to email and also allows for additional features | ||
practices and ways to contact them, which is not limited to email and also allows for additional features |
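Review bot: in the added line the relative clause "which is not limited to email" no longer has a clear antecedent, since it now follows "practices and ways to contact them"; attach it to the contact methods, for example "and ways to contact them (not limited to email), and also allows for additional features".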
This sentence is too wordy.
Rewording this - being that we already mentioned this is intended for researchers to be consumed, I took that out and only left the part about the organizations.
draft-foudil-securitytxt.md
Outdated
such as encryption. This format is designed to help | ||
assist with the security disclosure process by making it easier | ||
for organizations to designate the preferred steps for researchers to take | ||
when trying to reach out to them with security vulnerabilities. | ||
when trying to reach out to them with security vulnerabilities as well as provide | ||
additional information about their vulnerability disclosure practices useful to security researchers. |
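Review bot: the unchanged context "This format is designed to help / assist with the security disclosure process" doubles up "help" and "assist"; while this sentence is being reworded, drop one of them ("designed to assist with the security disclosure process"), which also shortens the new clause "as well as provide additional information ... useful to security researchers".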
This sentence is too wordy. Needs rephrasing.
will do
draft-foudil-securitytxt.md
Outdated
that provides information for security researchers to assist | ||
in disclosing security vulnerabilities. | ||
that provides information for security researchers about the vulnerability disclosure | ||
practices of a particular organization in order to assist them in disclosing security vulnerabilities. |
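Review bot: "to assist them in disclosing" in the added line is ambiguous because "them" follows "organization"; say "to assist researchers in disclosing security vulnerabilities" (or "those researchers") so the reader is not left to work out who is being assisted.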
practices of a particular organization in order to assist them in disclosing security vulnerabilities. | |
practices of a particular organization to assist them in disclosing security vulnerabilities. |
will do
This field MUST NOT appear more than once. | ||
|
||
~~~~~~~~~~ | ||
Expires: Thu, 31 Dec 2020 18:37:07 -0800 |
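Review bot: the visible field text only says Expires MUST NOT appear more than once, while the example value "Thu, 31 Dec 2020 18:37:07 -0800" is an RFC 5322 style date-time; the field description should name the required date format and say what a consumer does once that time has passed (for example, treat the file as stale and not rely on its contact details), otherwise implementers will guess at both.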
Is the date arbitrary? Is it the implementer's sole discretion to set a realistic expiration date? How does one determine what a suitable expiration date is?
I added a reference to the staleness section from the security considerations section
If this directive indicates a web URL, then it MUST begin with "https://" | ||
This field indicates a link to where the vulnerability disclosure policy is located. | ||
This can help security researchers understand | ||
the organization's vulnerability reporting practices. |
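Review bot: the context line "If this directive indicates a web URL, then it MUST begin with "https://"" still uses "directive", whereas this PR renames directives to fields elsewhere in the same file ("This text file contains multiple fields"); change it to "If this field indicates a web URL" so the terminology is consistent after the rename.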
the organization's vulnerability reporting practices. | |
the organization's vulnerability-reporting practices. |
same question about the dash as above
draft-foudil-securitytxt.md
Outdated
redirect if it leads to another domain or subdomain | ||
but SHOULD follow that redirect within the same domain name | ||
(but not different subdomain on the same domain). | ||
or redirect (as per section 6.4 of {{!RFC7231}}) to the security.txt file under the /.well-known/ path. If a "security.txt" file |
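Review bot: the removed lines said not to follow a redirect "if it leads to another domain or subdomain", but the added line permits a redirect "to the security.txt file under the /.well-known/ path" without saying whether the target must be on the same host; state the same-host restriction explicitly (or say the restriction is dropped on purpose), since otherwise a researcher could end up trusting contact details served from a different origin than the one being reported on.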
or redirect (as per section 6.4 of {{!RFC7231}}) to the security.txt file under the /.well-known/ path. If a "security.txt" file | |
or redirect (as per section 6.4 of {{!RFC7231}}) to the security.txt file under the "/.well-known/" path. If a "security.txt" file |
changed
draft-foudil-securitytxt.md
Outdated
a "security.txt" file grants or denies permission for security testing. | ||
Any such permission MAY be defined in a security or disclosure policy | ||
(as per {{policy}}) or a new directive (as per {{extensibility}}). | ||
Any such permission may be indicates in the company's vulnerability disclosure policy |
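Review bot: the added line lowercases the RFC 2119 keyword ("may" for the removed "MAY"), switches from "organization" to "company's" although the rest of the draft says "organization", and drops the cross-references to {{policy}} and {{extensibility}}; suggest "Any such permission MAY be indicated in the organization's vulnerability disclosure policy (as per {{policy}})" so the keyword, the term and the section reference survive the reword.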
Any such permission may be indicates in the company's vulnerability disclosure policy | |
Any such permission may be indicated in the company's vulnerability-disclosure policy |
will do
draft-foudil-securitytxt.md
Outdated
HTTPS is being used. | ||
|
||
However, the determination of validity of such keys is out of scope | ||
for this specification. Implementors MUST establish other secure means to | ||
for this specification. Researches need to establish other secure means to |
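Review bot: replacing "Implementors MUST establish other secure means" with "Researches need to establish" drops the RFC 2119 requirement as well as changing who it applies to; if the obligation now sits with researchers, keep the keyword ("Security researchers MUST establish other secure means to ...") so key validation stays a requirement rather than advice.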
for this specification. Researches need to establish other secure means to | |
for this specification. Security researches need to establish other secure means to |
will change
Actually, there is a typo there. It should be:
for this specification. Researches need to establish other secure means to | |
for this specification. Security researchers need to establish other secure means to |
I fixed it
automated scans. | ||
Security researchers should consult the organization's vulnerability disclosure policy, if available, | ||
and review the contact information and/or resources referenced within the "security.txt" | ||
file before submitting reports in an automated fashion or as resulting from automated scans. |
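Review bot: "and/or" in the added line is discouraged by RFC Editor style and adds nothing here ("contact information or resources" covers both cases), and "in an automated fashion or as resulting from automated scans" says "automated" twice; "before submitting automated reports or the results of automated scans" keeps the meaning in fewer words.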
Too wordy. Needs rephrasing.
will do
The fix for #174 looks good!
A few punctuation things and also an ABNF problem.
draft-foudil-securitytxt.md
Outdated
|
||
This text file contains multiple directives | ||
with different values. The "directive" is the first part of a field all the way up | ||
This text file contains multiple fields with different values. A field contains a name which is the first part of a field all the way up |
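Review bot: the added sentence uses "field" three times in one breath ("multiple fields ... A field contains a name which is the first part of a field all the way up") and is missing the comma before "which"; "A field consists of a "name", which is everything up to ..." says the same thing once.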
For consistency with how the field "value" is introduced
This text file contains multiple fields with different values. A field contains a name which is the first part of a field all the way up | |
This text file contains multiple fields with different values. A field contains a "name" which is the first part of a field all the way up |
will do
|
||
line = (field / comment) eol | ||
|
||
eol = *WSP [CR] LF | ||
|
||
field = ack-field / | ||
can-field / |
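Review bot: with eol = *WSP [CR] LF and line = (field / comment) eol, every line including the last one needs a terminating LF, and an empty line matches neither alternative; if the fix for #174 is meant to accept a final line with no trailing newline (or blank lines between fields), the line rule needs an explicit alternative for that case, otherwise a strictly conforming parser will reject such files.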
I'm not sure about moving Canonical to here, because it can appear a maximum of one time (similar to Expires)
As per IETF feedback, this was changed so Canonical can appear multiple times. This was done to address the use case where multiple redirects point to the same file.
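A small checker for the rules discussed in this thread, written as an added example (not code from the draft or the securitytxt project): it splits a file by the eol rule in the ABNF above, allows Canonical to repeat, rejects a second Expires, and reports whether the Expires date-time has passed. The "#" comment prefix, the field-name character set and the RFC 5322 date format are assumptions, and the sample file is constructed.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Line grammar from the ABNF in this PR: line = (field / comment) eol and
# eol = *WSP [CR] LF. The "#" comment prefix and the field-name character
# set are assumptions; the hunk on this page does not define them.
LINE_RE = re.compile(r"^(?:(?P<name>[A-Za-z-]+):[ \t]*(?P<value>[^\r\n]*?)|#(?P<comment>[^\r\n]*))[ \t]*\r?\n$")
# Count rules from the thread: Expires at most once; Canonical may repeat.
AT_MOST_ONCE = {"Expires"}


def parse_security_txt(text):
    """Return (fields, errors); fields maps a name to its values in order.
    A last line without LF, a lone CR or a blank line fails the visible
    grammar and is reported rather than silently accepted."""
    fields, errors = {}, []
    chunks = [c for c in re.split(r"(?<=\n)", text) if c]
    for lineno, raw in enumerate(chunks, 1):
        m = LINE_RE.match(raw)
        if m is None:
            errors.append(f"line {lineno}: not (field / comment) eol")
        elif m.group("comment") is None:
            fields.setdefault(m.group("name"), []).append(m.group("value"))
    for name in AT_MOST_ONCE:
        if len(fields.get(name, [])) > 1:
            errors.append(f"{name} MUST NOT appear more than once")
    return fields, errors

def expires_status(fields, now=None):
    """'missing', 'invalid', 'expired' or 'valid'. The draft's example value
    is an RFC 5322 date-time, so that format is assumed here."""
    values = fields.get("Expires", [])
    if not values:
        return "missing"
    try:
        when = parsedate_to_datetime(values[0])
    except (TypeError, ValueError):
        return "invalid"
    if when.tzinfo is None:  # a "-0000" zone yields a naive datetime
        when = when.replace(tzinfo=timezone.utc)
    return "expired" if when <= (now or datetime.now(timezone.utc)) else "valid"

SAMPLE = (  # constructed sample, not any real organisation's file
    "# constructed sample\n"
    "Contact: mailto:security@example.com\n"
    "Expires: Thu, 31 Dec 2020 18:37:07 -0800\n"
    "Canonical: https://example.com/.well-known/security.txt\n"
    "Canonical: https://www.example.com/.well-known/security.txt\n"
)
```

Feeding SAMPLE to parse_security_txt returns both Canonical values and no errors, while appending a second Expires line or dropping the final LF produces an error entry.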
draft-foudil-securitytxt.md
Outdated
of the file (as per {{canonical}}), and regularly monitor the file and | ||
the referenced resources to detect tampering. | ||
|
||
Security researchers SHOULD check the "security.txt" file including verifying | ||
Security researchers should triage the "security.txt" file including verifying | ||
the digital signature and checking any available historical records before using the information | ||
contained in the file. If "security.txt" file looks suspicious or compromised, |
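Review bot: "SHOULD check" becomes "should triage" in the added line, which both drops the RFC 2119 keyword and replaces a verb that fits ("check", "verify") with one that does not describe signature verification; "Security researchers SHOULD verify the "security.txt" file, including checking the digital signature and any available historical records, before using the information" keeps the requirement and the meaning.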
(Not introduced by this PR, but probably good to fix this typo). One of--
contained in the file. If "security.txt" file looks suspicious or compromised, | |
contained in the file. If a "security.txt" file looks suspicious or compromised, |
contained in the file. If "security.txt" file looks suspicious or compromised, | |
contained in the file. If the "security.txt" file looks suspicious or compromised, |
will do
draft-foudil-securitytxt.md
Outdated
When made available on HTTP servers, it MUST be placed under the | ||
/.well-known/ path (as "/.well-known/security.txt") {{!RFC8615}} of a domain name or IP address. | ||
For legacy compatibility, a security.txt file might be placed at the top level path (see {{weblocation}}). | ||
For file systems a "security.txt" file SHOULD be placed in the root directory of a particular file system. |
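Review bot: quoting is inconsistent across the hunk: the first line writes "/.well-known/security.txt" and the last writes "security.txt" in quotes, but the legacy line has a bare security.txt; also, "might be placed at the top level path" sits between a MUST and a SHOULD, so if legacy placement is permitted but not encouraged, "MAY be placed" says that in the draft's own terms.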
For file systems a "security.txt" file SHOULD be placed in the root directory of a particular file system. | |
For file systems a "security.txt" file SHOULD be placed in the root directory of the file system. |
I do not think "particular" is needed here.
done
draft-foudil-securitytxt.md
Outdated
For legacy compatibility, a security.txt file might be placed at the top level path (see {{weblocation}}). | ||
For file systems a "security.txt" file SHOULD be placed in the root directory of a particular file system. | ||
|
||
On HTTP servers, the file MUST be accessed via the Hypertext Transfer Protocol (HTTP) 1.0 {{!RFC1945}} or higher version |
On HTTP servers, the file MUST be accessed via the Hypertext Transfer Protocol (HTTP) 1.0 {{!RFC1945}} or higher version | |
On HTTP servers, the file MUST be accessed via the Hypertext Transfer Protocol (HTTP) 1.0 {{!RFC1945}} or a higher version |
done
draft-foudil-securitytxt.md
Outdated
For file systems a "security.txt" file SHOULD be placed in the root directory of a particular file system. | ||
|
||
On HTTP servers, the file MUST be accessed via the Hypertext Transfer Protocol (HTTP) 1.0 {{!RFC1945}} or higher version | ||
and the "https" scheme (as per section 2.7.2 of {{!RFC7230}}). It MUST have a Content-Type of "text/plain" |
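Review bot: the requirement sentence interleaves two citations with the normative text, which is what makes it hard to read; put the protocol version and the scheme in separate clauses and cite each once, for example "On HTTP servers, the file MUST be accessed using the "https" scheme (section 2.7.2 of {{!RFC7230}}) over HTTP/1.0 {{!RFC1945}} or a later version, and MUST have a Content-Type of "text/plain"".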
On HTTP servers, the file MUST be accessed via the Hypertext Transfer Protocol 1.0 or a higher version and the "https" scheme.
This sentence is quite difficult to follow. Especially with all the inline references. Might need rephrasing.
reworded
draft-foudil-securitytxt.md
Outdated
or repository in which it is located, and not to any of its parent or sibling folders, | ||
or repositories. However, it will apply to all subfolders. | ||
in which it is located, and not to any of its parent or sibling folders. | ||
However, it will apply to all subfolders. |
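Review bot: the removed lines also covered "repository" (the file applying to the repository it is in and not to parent or sibling repositories); the added lines keep only folders, so either the repository case was dropped on purpose and the PR description should say so, or the reword should keep "folder or repository" so the scope for code repositories is not lost.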
I would reword this as follows:
A "security.txt" file that is found in a file system MUST only apply to the folder in which it is located and that folder's subfolders. The file does not apply to any of the folder's parent or sibling folders.
done
lines at the end of the file #174)