Re: REF URL require ToU/Conduct policy
- To: Kurt Seifried <kurt@seifried.org>, "Millar, Thomas" <Thomas.Millar@hq.dhs.gov>
- Subject: Re: REF URL require ToU/Conduct policy
- From: Art Manion <amanion@cert.org>
- Date: Fri, 22 Jun 2018 09:39:23 -0400
- Cc: "pmeunier@cerias.purdue.edu" <pmeunier@cerias.purdue.edu>, cve-editorial-board-list <cve-editorial-board-list@mitre.org>
- Delivery-date: Fri Jun 22 10:16:11 2018
- In-reply-to: <CABqVa3_gkActjXbRKknpabUFMa5dJE3_-cuLFRMuSx0_NBepRw@mail.gmail.com>
- Openpgp: preference=signencrypt
- References: <CABqVa385i5s0MY4zZL8A8BSbQbJqHxprWvhYr3Gxon3okzqwrQ@mail.gmail.com> <1529638198.25969.1.camel@cerias.purdue.edu> <7748E4BAEC3B964387F3535351DCBA1F0117EBDACF@D2ASEPREA010> <CABqVa3_gkActjXbRKknpabUFMa5dJE3_-cuLFRMuSx0_NBepRw@mail.gmail.com>
On 2018-06-21 23:55, Kurt Seifried wrote:
> Yes, I click the links and if I can't read them all without a hassle
> I set the CVE request to HOLD:LACK_REF_URL and they can provide
> working urls... It's not ideal but I don't have a better solution
> (well I do, but I haven't implemented it yet, TL;DR: download the
> link with like wget and snapshot that).
While I like the idea, I suspect the local copy provided to others
violates the ToU.
1. At least one material and free/public/unencumbered URL or no CVE?
2. Allow free but encumbered (e.g., free login, click through ToU) URLs
but flag them as such?
If the world really wants CVE IDs, they'll do 1. Else, those who want
to reduce their CVE exposure can hide behind ToU.
An extension of #2 could be to flag or set state of a CVE entry. Not
going so far as the CAN days, but "this entry is incomplete, the issuer
gets a D+ passing grade (in the US), but it's in the corpus." The
incompleteness could be for encumbered URLs/references or other issues.
Some of the CNA metrics should be published, including a count/graph of
incompleteness (also public-but-not-populated).
- Art
> On Thu, Jun 21, 2018 at 9:40 PM, Millar, Thomas
> <Thomas.Millar@hq.dhs.gov> wrote:
>
> Yeah, this is unacceptable. On to the hard question: how can we
> enforce free and open access to references?
>
> -----Original Message-----
> From: Pascal Meunier [mailto:pmeunier@cerias.purdue.edu]
> Sent: 21 June, 2018 23:30
> To: Kurt Seifried <kurt@seifried.org>;
> cve-editorial-board-list <cve-editorial-board-list@mitre.org>
> Subject: Re: REF URL require ToU/Conduct policy
>
> I get a login dialog "Sign in with your Google Account", so it's
> a login plus a surrendering of rights, and with it being Google, a
> tracking of which security information I look at, from where and
> when, which will be composed with other profiling information, and
> profiles from other people I interact with or that work in the same
> organization, and all the other things Google knows or can deduce
> about us.
> With little imagination needed, this is chilling -- for
> businesses, for students, for security researchers, and even for
> people who are just curious and happen to look it up at the wrong
> time. This setup also makes it possible for Google to selectively
> provide or withhold security information.
>
> Access to CVE security references should be as anonymous as can
> be practical, and giving up rights in exchange for access goes
> against that because agreements require accountability. Access to
> security references should also be provided without trackers.
> However, policing that may be difficult and onerous. By comparison
> it's easy to require access without login and agreements so we should
> hold that as a minimum. I'd very much like to see "MUST NOT" chosen
> for your 2 proposed sentences.
>
> Pascal
>
> On Thu, 2018-06-21 at 19:07 -0600, Kurt Seifried wrote:
> > So real world example I have a CVE request which has a reference url:
> >
> > https://issuetracker.google.com/issues/77809383
> >
> > that requires:
> >
> > Google IssueTracker Terms of Service
> >
> > I acknowledge and agree to the Google Terms of Service
> > <https://www.google.com/policies/terms/> and the Google IssueTracker
> > Conduct Policy <https://issuetracker.google.com/terms>.
> > Which... I dunno. I don't want links that require logins (because you
> > can't grab them with tools easily), and I feel like this is the same,
> > and also requiring people to agree to a ToU (that for example maybe
> > requires you to give up your first born) is not really kosher.
> >
> > So I'd like to add to the CVE/CNA docs discussion:
> >
> > can we get a ruling on reference URLs, specifically:
> >
> > 1) Reference MUST/MUST NOT/SHOULD/SHOULD NOT/etc... require a login of
> > any sort (even a free login)
> > 2) Reference MUST/MUST NOT/SHOULD/SHOULD NOT/etc... require acceptance
> > of ToU/Conduct Policy/etc.
> >
> > In my mind I should be able to "wget http://example.org/refurl/" and
> > get the page. Anything less is not acceptable. But I also think the
> > board should discuss this and rule on it and document it.
> >
>
> --
> Kurt Seifried
> kurt@seifried.org
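A small checker for the "plain wget" test Kurt describes and the two options Art lists, written for this thread as an added example (it is not CVE or CNA tooling). The login-host list, the consent regex, the `Snapshot`/`classify`/`request_state`/`fetch` names and the "ACCEPT" labels are assumptions; HOLD:LACK_REF_URL is the request state named in the thread.

```python
"""Classify a CVE reference URL by the thread's plain-"wget" test (added example,
not CVE/CNA tooling; LOGIN_HOSTS, CONSENT_TEXT and the ACCEPT labels are assumed)."""
import re
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass

LOGIN_HOSTS = ("accounts.google.com", "login.microsoftonline.com")  # assumed list
PASSWORD_FIELD = re.compile(r'<input[^>]+type=["\']?password', re.I)
# Consent wording quoted in the thread; a heuristic, so review hits by hand.
CONSENT_TEXT = re.compile(r"acknowledge and agree to the", re.I)

@dataclass
class Snapshot:
    status: int      # final HTTP status after redirects
    final_url: str   # where the redirects ended up
    body: str        # page HTML; the first 64 KiB is enough for these checks

def classify(snap: Snapshot) -> str:
    """Return "free", "encumbered" (login or ToU needed) or "unavailable"."""
    host = urllib.parse.urlsplit(snap.final_url).hostname or ""
    walled = any(host == h or host.endswith("." + h) for h in LOGIN_HOSTS)
    if snap.status in (401, 403) or walled:
        return "encumbered"
    if snap.status != 200:
        return "unavailable"
    if PASSWORD_FIELD.search(snap.body) or CONSENT_TEXT.search(snap.body):
        return "encumbered"
    return "free"

def request_state(verdict: str, allow_encumbered: bool = False) -> str:
    """Map a verdict to request handling: option 1 (hold) vs option 2 (flag)."""
    if verdict == "free":
        return "ACCEPT"
    if verdict == "encumbered" and allow_encumbered:
        return "ACCEPT (flag reference as encumbered)"
    return "HOLD:LACK_REF_URL"

def fetch(url: str, timeout: float = 10.0) -> Snapshot:
    """Anonymous fetch like wget: no cookies or auth, redirects followed."""
    req = urllib.request.Request(url, headers={"User-Agent": "cve-ref-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Snapshot(resp.status, resp.geturl(), resp.read(65536).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a body worth inspecting
        return Snapshot(err.code, err.geturl(), err.read(65536).decode("utf-8", "replace"))
```

Run `request_state(classify(fetch(url)))` per reference; a redirect into a login host, a 401/403, a password form or the consent wording all mark the reference as encumbered.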