People here will certainly have ideas for our SAAG colleagues.
--- Begin Message ---
(This is related to this draft:
https://tools.ietf.org/html/draft-foudil-securitytxt-02)
The proposed "security.txt" file has a matching optional
"security.txt.sig" file. One of the common issues we have received as
feedback from potential users is a need to safeguard against the
possibility of an attacker compromising the webspace of a given
domain, and putting their own "security.txt" and "security.txt.sig"
files there. This will result in an attacker now receiving reports
about potential security issues in the compromised target.
One of the proposed ways to try to fix this issue is to use DNS as follows:
- to store the digital certificate that was used to generate the signature file
- OR to store the signature itself in DNS
- OR to store the entire "security.txt" file in a DNS record instead
of being accessible via the web
The logic behind this proposed solution is that web space tends to get
compromised more often and easier than DNS for any given domain.
What I am wondering is whether there are any currently best accepted practices
to accomplish these goals in DNS with minimum disruption to the
Internet architecture as a whole. Possibilities I was thinking of are
using DANE and OPENPGPKEY records, CERT records, or perhaps even TXT
records like DKIM and SPF.
Any recommendations, suggestions or comments are welcome.
Thank you,
Yakov
--- End Message ---
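One way to realise the "publish the key in DNS" option from the message, as an added example by the editor (not code from the draft, from Yakov, or from any project): a verifier that accepts the web-served security.txt only if security.txt.sig verifies under a public key found in DNS, so that control of the web space alone cannot produce a file the verifier trusts. Assumptions of this example: Ed25519 stands in for the draft's OpenPGP signature, the record name `_securitytxt.<domain>` and the DKIM-style `k=`/`p=` field syntax are hypothetical, and a map stands in for a DNSSEC-validating resolver (the lookup is only as trustworthy as that validation, which is what DANE-style designs rely on).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// zone stands in for a DNSSEC-validating resolver: owner name -> TXT strings.
// Record name and field syntax are assumptions of this example, modelled on DKIM.
type zone map[string][]string

func (z zone) lookupTXT(name string) ([]string, error) {
	recs, ok := z[name]
	if !ok {
		return nil, fmt.Errorf("no TXT record at %s", name)
	}
	return recs, nil
}

// keyRecord renders the TXT value the domain owner would publish for its key.
func keyRecord(pub ed25519.PublicKey) string {
	return "k=ed25519; p=" + base64.StdEncoding.EncodeToString(pub)
}

// parseKeyRecord extracts an Ed25519 public key from one "k=...; p=..." TXT string.
func parseKeyRecord(txt string) (ed25519.PublicKey, error) {
	var keyType, pub string
	for _, field := range strings.Split(txt, ";") {
		kv := strings.SplitN(strings.TrimSpace(field), "=", 2)
		if len(kv) != 2 {
			continue
		}
		switch kv[0] {
		case "k":
			keyType = kv[1]
		case "p":
			pub = kv[1]
		}
	}
	if keyType != "ed25519" {
		return nil, fmt.Errorf("unsupported key type %q", keyType)
	}
	raw, err := base64.StdEncoding.DecodeString(pub)
	if err != nil {
		return nil, fmt.Errorf("bad p= value: %w", err)
	}
	if len(raw) != ed25519.PublicKeySize {
		return nil, errors.New("bad key length")
	}
	return ed25519.PublicKey(raw), nil
}

// verifySecurityTxt accepts the web-served body only if sig verifies under a key
// published in DNS; the web server never decides which key is trusted.
func verifySecurityTxt(z zone, domain string, body, sig []byte) error {
	recs, err := z.lookupTXT("_securitytxt." + domain)
	if err != nil {
		return err
	}
	for _, r := range recs {
		pub, err := parseKeyRecord(r)
		if err != nil {
			continue // unrelated or malformed TXT string at the same name
		}
		if ed25519.Verify(pub, body, sig) {
			return nil
		}
	}
	return errors.New("signature does not verify under any key published in DNS")
}

// runScenario plays out the case from the message: the genuine file verifies, while a
// replacement signed with a key that was never published in DNS does not.
// Returns (genuineAccepted, forgeryRejected).
func runScenario() (bool, bool, error) {
	ownerPub, ownerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader) // never reaches the zone
	if err != nil {
		return false, false, err
	}
	dns := zone{"_securitytxt.example.com": {keyRecord(ownerPub)}} // constructed zone data

	genuine := []byte("Contact: mailto:security@example.com\n")
	genuineSig := ed25519.Sign(ownerPriv, genuine)
	forged := []byte("Contact: mailto:reports@attacker.example\n") // planted in the web space
	forgedSig := ed25519.Sign(attackerPriv, forged)

	genuineAccepted := verifySecurityTxt(dns, "example.com", genuine, genuineSig) == nil
	forgeryRejected := verifySecurityTxt(dns, "example.com", forged, forgedSig) != nil
	return genuineAccepted, forgeryRejected, nil
}

func main() {
	ok, rejected, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine file accepted: %v, forged file rejected: %v\n", ok, rejected)
}
```

The same verifier shape applies to the other two options in the message (signature in DNS, or the whole file in DNS): in each case the DNS answer, not the web content, is the root of trust, so the record must be fetched through DNSSEC validation or the attacker only needs to move from web spoofing to DNS spoofing.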
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop