This repository has been archived by the owner on Jul 4, 2023. It is now read-only.

WIP .well-known/security.txt #9

Closed
wants to merge 2 commits into from

Conversation

traumschule
Contributor

@traumschule traumschule commented Aug 15, 2018

#25131

Why

Draft

Version 4 still has some nits and expires in January 2019.

# https://www.torproject.org/about/contact#security
Contact: tor-security@lists.torproject.org
Encryption: openpgp4fpr:8B904624C5A28654E4539BC2E135A8B41A7BF184
Acknowledgments: https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/SecurityPolicy

Policy: https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/SecurityPolicy
Hiring: https://www.torproject.org/about/jobs

Permission: None

# RFC-URL: https://tools.ietf.org/html/draft-foudil-securitytxt-04
Signature: https://torproject.org/.well-known/security.txt.sig

There's an (incomplete) validator written in Go.

Comments

  • Encryption: There are several options (see RFC url above). The key may be made available on the Torproject website (for example torproject.org/about/torproject.asc or torproject.org/.well-known/torproject-public-key.asc), be referenced as above or with dns:...

  • Policy: the current security policy is a draft and should be published in a (signed) blog post (#5489) and linked from torproject.org/about/contact#security

  • Hiring: it could help the Torproject to always have an open position for security researchers

  • Signature: For signing, the deb.torproject.org archive signing key (8B904624C5A28654E4539BC2E135A8B41A7BF184) can be used. The standard states:

When it comes to verifying the authenticity of the key, it is always
the security researcher's responsibility to make sure the key being
specified is indeed one they trust. Researchers MUST NOT assume that
this key is used to generate the signature file referenced in
Section 3.4.7.

Adoption

https://1password.com/.well-known/security.txt
https://www.google.com/.well-known/security.txt
https://protonmail.com/.well-known/security.txt
https://www.dropbox.com/.well-known/security.txt
https://www.jamieweb.net/.well-known/security.txt
https://www.facebook.com/.well-known/security.txt
https://scotthelme.co.uk/.well-known/security.txt

who else?

404

https://www.cloudflare.com/.well-known/security.txt
https://www.microsoft.com/.well-known/security.txt
https://www.schneier.com/.well-known/security.txt
https://www.kernel.org/.well-known/security.txt
https://www.debian.org/.well-known/security.txt
https://www.linux.org/.well-known/security.txt
https://www.nsa.gov/.well-known/security.txt
https://riseup.net/.well-known/security.txt
https://github.com/.well-known/security.txt
https://www.ibm.com/.well-known/security.txt
https://www.w3.org/.well-known/security.txt
https://gmail.com/.well-known/security.txt

The Rails team decided against this practice and uses https://guides.rubyonrails.org/security.html instead (which is something else but also nice to have).

:)

Next
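The draft above follows draft-foudil-securitytxt-04, whose field set is Acknowledgments, Contact, Encryption, Hiring, Permission, Policy and Signature. As an added example (not the Go validator mentioned in the comment and not Tor Project code), here is a small validator for that field set: it parses "Field: value" lines, skips "#" comments, requires Contact, checks that an openpgp4fpr: value is a 40-hex-digit fingerprint, and that Permission only takes "none". The first sample is the draft from this page; the second is a constructed broken file. Treating a repeated Permission line and a non-https URI as findings is this example's own choice, not a rule quoted from the draft.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Directive is one "Field: value" line of a security.txt file.
type Directive struct {
	Name  string // field name, lower-cased for comparison
	Value string
	Line  int
}

// Report is the outcome of checking one file.
type Report struct {
	Directives []Directive
	Errors     []string // the file should not be published with these
	Warnings   []string // worth a look, not fatal
}

var (
	// The seven fields of draft-foudil-securitytxt-04, the draft this PR targets.
	knownFields = map[string]bool{
		"acknowledgments": true, "contact": true, "encryption": true,
		"hiring": true, "permission": true, "policy": true, "signature": true,
	}
	// "openpgp4fpr:" followed by a 40-hex-digit (v4) OpenPGP fingerprint.
	fingerprintRe = regexp.MustCompile(`^openpgp4fpr:[0-9A-Fa-f]{40}$`)
	emailRe       = regexp.MustCompile(`^[^@\s]+@[^@\s]+\.[^@\s]+$`)
	phoneRe       = regexp.MustCompile(`^\+?[0-9][0-9 ()./-]+$`)
)

// Check parses body and validates it against the draft-04 field rules.
func Check(body string) Report {
	var r Report
	sc := bufio.NewScanner(strings.NewReader(body))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") { // blank line or comment
			continue
		}
		// Split on the first ':' only, so URI values keep their own colons.
		name, value, ok := strings.Cut(line, ":")
		name, value = strings.TrimSpace(name), strings.TrimSpace(value)
		if !ok || name == "" {
			r.Errors = append(r.Errors, fmt.Sprintf("line %d: not a \"Field: value\" line", n))
			continue
		}
		r.Directives = append(r.Directives, Directive{strings.ToLower(name), value, n})
	}
	validate(&r)
	return r
}

func validate(r *Report) {
	seen := map[string]int{}
	for _, d := range r.Directives {
		seen[d.Name]++
		fail := func(msg string) { r.Errors = append(r.Errors, fmt.Sprintf("line %d: %s", d.Line, msg)) }
		warn := func(msg string) { r.Warnings = append(r.Warnings, fmt.Sprintf("line %d: %s", d.Line, msg)) }
		if !knownFields[d.Name] {
			warn("unknown field " + d.Name)
			continue
		}
		switch d.Name {
		case "contact": // e-mail address, phone number or URI
			if !(emailRe.MatchString(d.Value) || phoneRe.MatchString(d.Value) ||
				hasPrefixFold(d.Value, "mailto:", "tel:", "https://")) {
				fail("Contact must be an e-mail address, phone number, or mailto:/tel:/https URI")
			}
		case "encryption": // key location: https or dns: URI, or an openpgp4fpr: fingerprint
			if !(fingerprintRe.MatchString(d.Value) || hasPrefixFold(d.Value, "https://", "dns:")) {
				fail("Encryption must be an https/dns URI or openpgp4fpr:<40 hex digits>")
			}
		case "permission":
			if !strings.EqualFold(d.Value, "none") {
				fail("Permission only takes the value \"none\"")
			}
		default: // acknowledgments, hiring, policy, signature all carry a URI
			if !hasPrefixFold(d.Value, "https://") {
				warn(d.Name + " should point at an https URI")
			}
		}
	}
	if seen["contact"] == 0 {
		r.Errors = append(r.Errors, "missing required Contact field")
	}
	if seen["permission"] > 1 { // this validator's own stricter check
		r.Warnings = append(r.Warnings, "Permission given more than once")
	}
}

// hasPrefixFold reports whether s starts with any prefix, case-insensitively.
func hasPrefixFold(s string, prefixes ...string) bool {
	for _, p := range prefixes {
		if len(s) >= len(p) && strings.EqualFold(s[:len(p)], p) {
			return true
		}
	}
	return false
}

// torDraft is the draft posted above; brokenDraft is a constructed bad file.
const torDraft = `# https://www.torproject.org/about/contact#security
Contact: tor-security@lists.torproject.org
Encryption: openpgp4fpr:8B904624C5A28654E4539BC2E135A8B41A7BF184
Acknowledgments: https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/SecurityPolicy
Policy: https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/SecurityPolicy
Hiring: https://www.torproject.org/about/jobs
Permission: None
# RFC-URL: https://tools.ietf.org/html/draft-foudil-securitytxt-04
Signature: https://torproject.org/.well-known/security.txt.sig
`

const brokenDraft = `# constructed: no Contact, short fingerprint, bad Permission, stray line
Encryption: openpgp4fpr:DEADBEEF
Permission: all
Foo: bar
this line has no field name
`

func main() {
	for _, body := range []string{torDraft, brokenDraft} {
		r := Check(body)
		fmt.Printf("%d directives, errors=%v, warnings=%v\n", len(r.Directives), r.Errors, r.Warnings)
	}
}
```

Run it as `go run validate.go` (file name assumed) to see the posted draft pass and the constructed file fail on four errors and one unknown-field warning.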

@traumschule traumschule changed the title .well-known/Security.txt .well-known/security.txt Aug 15, 2018
@traumschule traumschule changed the title .well-known/security.txt WIP .well-known/security.txt Aug 15, 2018
@traumschule
Contributor Author

merged
