
Commit

added reference to the webkey PGP draft
nightwatchcyber committed May 19, 2021
1 parent 0c2a329 commit b6d2217
Showing 3 changed files with 50 additions and 41 deletions.
23 changes: 15 additions & 8 deletions draft-foudil-securitytxt.html
Expand Up @@ -1167,8 +1167,8 @@ <h3 id="name-terminology">
<h2 id="name-note-to-readers">
<a href="#section-2" class="section-number selfRef">2. </a><a href="#name-note-to-readers" class="section-name selfRef">Note to Readers</a>
</h2>
<ul class="ulEmpty normal">
<li class="ulEmpty normal" id="section-2-1.1">
<ul class="normal ulEmpty">
<li class="normal ulEmpty" id="section-2-1.1">
<strong>Note to the RFC Editor:</strong> Please remove this section prior
to publication.<a href="#section-2-1.1" class="pilcrow"></a>
</li>
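Review bot: the only change in this hunk is the order of the two class names (`ulEmpty normal` becomes `normal ulEmpty`), which is renderer churn unrelated to the commit message; the same swap appears in the Appendix A and Appendix B hunks further down. Regenerating the HTML with the same renderer version used for the previous revision, or dropping these hunks, would leave a diff that shows only the intended reference change.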
Expand Down Expand Up @@ -1239,7 +1239,8 @@ <h3 id="name-digital-signature">
thus allowing the digital signature to authenticate the location of the file.<a href="#section-3.3-1" class="pilcrow"></a></p>
<p id="section-3.3-2">When it comes to verifying the key used to generate the signature, it is always
the security researcher's responsibility to make sure the key being
used is indeed one they trust.<a href="#section-3.3-2" class="pilcrow"></a></p>
used is indeed one they trust. Researchers should use other ways to obtain
and verify the key (such as <span>[<a href="#I-D.koch-openpgp-webkey-service" class="xref">I-D.koch-openpgp-webkey-service</a>]</span>).<a href="#section-3.3-2" class="pilcrow"></a></p>
</section>
</div>
<div id="extensibility">
Expand Down Expand Up @@ -2048,6 +2049,10 @@ <h3 id="name-informative-references">
<dd>
<span class="refAuthor">Software Engineering Institute, Carnegie Mellon University</span>, <span class="refTitle">"The CERT Guide to Coordinated Vulnerability Disclosure (CMU/SEI-2017-SR-022)"</span>, <time datetime="2017" class="refDate">2017</time>. </dd>
<dd class="break"></dd>
<dt id="I-D.koch-openpgp-webkey-service">[I-D.koch-openpgp-webkey-service]</dt>
<dd>
<span class="refAuthor">Koch, W.</span>, <span class="refTitle">"OpenPGP Web Key Directory"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-koch-openpgp-webkey-service-11</span>, <time datetime="2020-11-17" class="refDate">17 November 2020</time>, <span>&lt;<a href="https://www.ietf.org/archive/id/draft-koch-openpgp-webkey-service-11.txt">https://www.ietf.org/archive/id/draft-koch-openpgp-webkey-service-11.txt</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="ISO.29147.2018">[ISO.29147.2018]</dt>
<dd>
<span class="refAuthor">International Organization for Standardization (ISO)</span>, <span class="refTitle">"ISO/IEC 29147:2018, Information technology - Security techniques - Vulnerability disclosure"</span>, <time datetime="2018" class="refDate">2018</time>. </dd>
Expand Down Expand Up @@ -2088,8 +2093,8 @@ <h3 id="name-informative-references">
<h2 id="name-note-to-readers-2">
<a href="#section-appendix.a" class="section-number selfRef">Appendix A. </a><a href="#name-note-to-readers-2" class="section-name selfRef">Note to Readers</a>
</h2>
<ul class="ulEmpty normal">
<li class="ulEmpty normal" id="section-appendix.a-1.1">
<ul class="normal ulEmpty">
<li class="normal ulEmpty" id="section-appendix.a-1.1">
<strong>Note to the RFC Editor:</strong> Please remove this section prior
to publication.<a href="#section-appendix.a-1.1" class="pilcrow"></a>
</li>
Expand All @@ -2102,8 +2107,8 @@ <h2 id="name-note-to-readers-2">
<h2 id="name-document-history">
<a href="#section-appendix.b" class="section-number selfRef">Appendix B. </a><a href="#name-document-history" class="section-name selfRef">Document History</a>
</h2>
<ul class="ulEmpty normal">
<li class="ulEmpty normal" id="section-appendix.b-1.1">
<ul class="normal ulEmpty">
<li class="normal ulEmpty" id="section-appendix.b-1.1">
<strong>Note to the RFC Editor:</strong> Please remove this section prior
to publication.<a href="#section-appendix.b-1.1" class="pilcrow"></a>
</li>
Expand Down Expand Up @@ -2356,7 +2361,9 @@ <h2 id="name-since-draft-foudil-securitytxt-11">
</li>
<li class="normal" id="section-b.12-1.2">Added clarification in "canonical" field regarding the URI used to retrieve the file<a href="#section-b.12-1.2" class="pilcrow"></a>
</li>
<li class="normal" id="section-b.12-1.3">Added language about machine-parsability<a href="#section-b.12-1.3" class="pilcrow"></a>
<li class="normal" id="section-b.12-1.3">Added language about machine-<a href="#section-b.12-1.3" class="pilcrow"></a>
</li>
<li class="normal" id="section-b.12-1.4">Added a reference to the PGP webkey draft<a href="#section-b.12-1.4" class="pilcrow"></a>
</li>
</ul>
<p id="section-b.12-2">Full list of changes can be viewed via the IETF document tracker:
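Review bot: the existing changelog bullet loses its last word here, `Added language about machine-parsability` becomes `Added language about machine-`, while only the new `section-b.12-1.4` bullet was meant to be added. Since this file is generated from the Markdown source, the fix belongs in draft-foudil-securitytxt.md followed by a regeneration, rather than a hand edit of this HTML.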
6 changes: 4 additions & 2 deletions draft-foudil-securitytxt.md
Expand Up @@ -167,7 +167,8 @@ thus allowing the digital signature to authenticate the location of the file.

When it comes to verifying the key used to generate the signature, it is always
the security researcher's responsibility to make sure the key being
used is indeed one they trust.
used is indeed one they trust. Researchers should use other ways to obtain
and verify the key (such as {{?I-D.koch-openpgp-webkey-service}}).

## Extensibility {#extensibility}

Expand Down Expand Up @@ -886,7 +887,8 @@ of DNS-stored encryption keys (#28 and #94)
## Since draft-foudil-securitytxt-11
- Changed date format from RFC 5322 to RFC 3339 / ISO 8601 (#208)
- Added clarification in "canonical" field regarding the URI used to retrieve the file
- Added language about machine-parsability
- Added language about machine-
- Added a reference to the PGP webkey draft

Full list of changes can be viewed via the IETF document tracker:
https://tools.ietf.org/html/draft-foudil-securitytxt
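Review bot: the bullet `- Added language about machine-parsability` is truncated to `- Added language about machine-` by this hunk, which looks accidental since only the new bullet below it was meant to be added. Restore the full word here in the Markdown source and regenerate the .html and .txt files, both of which carry the same truncated line in this commit. The new bullet could also name the draft as it is titled in the reference entry, `- Added a reference to the OpenPGP Web Key Directory draft`, so the changelog and the reference section agree.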
62 changes: 31 additions & 31 deletions draft-foudil-securitytxt.txt
Expand Up @@ -117,10 +117,10 @@ Internet-Draft security.txt May 2021
9.1. Normative References . . . . . . . . . . . . . . . . . . 19
9.2. Informative References . . . . . . . . . . . . . . . . . 21
Appendix A. Note to Readers . . . . . . . . . . . . . . . . . . 22
Appendix B. Document History . . . . . . . . . . . . . . . . . . 22
Appendix B. Document History . . . . . . . . . . . . . . . . . . 23
B.1. Since draft-foudil-securitytxt-00 . . . . . . . . . . . . 23
B.2. Since draft-foudil-securitytxt-01 . . . . . . . . . . . . 23
B.3. Since draft-foudil-securitytxt-02 . . . . . . . . . . . . 23
B.3. Since draft-foudil-securitytxt-02 . . . . . . . . . . . . 24
B.4. Since draft-foudil-securitytxt-03 . . . . . . . . . . . . 24
B.5. Since draft-foudil-securitytxt-04 . . . . . . . . . . . . 24
B.6. Since draft-foudil-securitytxt-05 . . . . . . . . . . . . 25
Expand Down Expand Up @@ -299,7 +299,9 @@ Internet-Draft security.txt May 2021

When it comes to verifying the key used to generate the signature, it
is always the security researcher's responsibility to make sure the
key being used is indeed one they trust.
key being used is indeed one they trust. Researchers should use
other ways to obtain and verify the key (such as
[I-D.koch-openpgp-webkey-service]).

3.4. Extensibility

Expand Down Expand Up @@ -327,8 +329,6 @@ Internet-Draft security.txt May 2021
limit the vulnerability information being published in order to
prevent future attacks.

If this field indicates a web URI, then it MUST begin with "https://"
(as per section 2.7.2 of [RFC7230]).



Expand All @@ -338,6 +338,9 @@ Foudil & Shafranovich Expires 20 November 2021 [Page 6]
Internet-Draft security.txt May 2021


If this field indicates a web URI, then it MUST begin with "https://"
(as per section 2.7.2 of [RFC7230]).

Example:

Acknowledgments: https://example.com/hall-of-fame.html
Expand Down Expand Up @@ -383,9 +386,6 @@ Internet-Draft security.txt May 2021
section 2.7.2 of [RFC7230]). Security email addresses should use the
conventions defined in section 4 of [RFC2142].

The value MUST follow the URI syntax described in section 3 of
[RFC3986]. This means that "mailto" and "tel" URI schemes must be
used when specifying email addresses and telephone numbers, as



Expand All @@ -394,6 +394,9 @@ Foudil & Shafranovich Expires 20 November 2021 [Page 7]
Internet-Draft security.txt May 2021


The value MUST follow the URI syntax described in section 3 of
[RFC3986]. This means that "mailto" and "tel" URI schemes must be
used when specifying email addresses and telephone numbers, as
defined in [RFC6068] and [RFC3966]. When the value of this field is
an email address, it is RECOMMENDED that encryption be used (as per
Section 3.5.4).
Expand Down Expand Up @@ -442,9 +445,6 @@ Encryption: dns:5d2d37ab76d47d36._openpgpkey.example.com?type=OPENPGPKEY






Foudil & Shafranovich Expires 20 November 2021 [Page 8]

Internet-Draft security.txt May 2021
Expand Down Expand Up @@ -1178,6 +1178,12 @@ Foudil & Shafranovich Expires 20 November 2021 [Page 21]
Internet-Draft security.txt May 2021


[I-D.koch-openpgp-webkey-service]
Koch, W., "OpenPGP Web Key Directory", Work in Progress,
Internet-Draft, draft-koch-openpgp-webkey-service-11, 17
November 2020, <https://www.ietf.org/archive/id/draft-
koch-openpgp-webkey-service-11.txt>.

[ISO.29147.2018]
International Organization for Standardization (ISO),
"ISO/IEC 29147:2018, Information technology - Security
Expand Down Expand Up @@ -1220,12 +1226,6 @@ Appendix A. Note to Readers
*Note to the RFC Editor:* Please remove this section prior to
publication.

Development of this draft takes place on Github at
https://github.com/securitytxt/security-txt

Appendix B. Document History





Expand All @@ -1234,6 +1234,11 @@ Foudil & Shafranovich Expires 20 November 2021 [Page 22]
Internet-Draft security.txt May 2021


Development of this draft takes place on Github at
https://github.com/securitytxt/security-txt

Appendix B. Document History

*Note to the RFC Editor:* Please remove this section prior to
publication.

Expand Down Expand Up @@ -1278,18 +1283,17 @@ B.2. Since draft-foudil-securitytxt-01
The full list of changes can be viewed via the IETF document tracker:
https://tools.ietf.org/html/draft-foudil-securitytxt-02

B.3. Since draft-foudil-securitytxt-02

* Use "mailto" and "tel" (#62)




Foudil & Shafranovich Expires 20 November 2021 [Page 23]

Internet-Draft security.txt May 2021


B.3. Since draft-foudil-securitytxt-02

* Use "mailto" and "tel" (#62)

* Fix typo in the "Example" section (#64)

* Clarified that the root directory is a fallback option (#72)
Expand Down Expand Up @@ -1335,17 +1339,15 @@ B.5. Since draft-foudil-securitytxt-04

* Syntax fixes (#133, #135 and #136)

* Removed permission field (#30)





Foudil & Shafranovich Expires 20 November 2021 [Page 24]

Internet-Draft security.txt May 2021


* Removed permission field (#30)

* Removed signature field and switched to inline signatures (#93 and
#128)

Expand Down Expand Up @@ -1395,8 +1397,6 @@ B.8. Since draft-foudil-securitytxt-07





Foudil & Shafranovich Expires 20 November 2021 [Page 25]

Internet-Draft security.txt May 2021
Expand Down Expand Up @@ -1444,15 +1444,15 @@ B.12. Since draft-foudil-securitytxt-11
* Added clarification in "canonical" field regarding the URI used to
retrieve the file

* Added language about machine-parsability
* Added language about machine-

@joker314 (Contributor) commented on this line, May 23, 2021:

I think the word "parsability" may have got accidentally chopped off in this commit


* Added a reference to the PGP webkey draft

Full list of changes can be viewed via the IETF document tracker:
https://tools.ietf.org/html/draft-foudil-securitytxt





Foudil & Shafranovich Expires 20 November 2021 [Page 26]

Internet-Draft security.txt May 2021

0 comments on commit b6d2217
