REF URL require ToU/Conduct policy


REF URL require ToU/Conduct policy

Kurt Seifried-2
So, real-world example: I have a CVE request which has a reference URL:

https://issuetracker.google.com/issues/77809383

that requires:

Google IssueTracker Terms of Service

 I acknowledge and agree to the Google Terms of Service <https://www.google.com/policies/terms/> and the Google IssueTracker Conduct Policy <https://issuetracker.google.com/terms>.

Which... I dunno. I don't want links that require logins (because you can't grab them with tools easily), and I feel like this is the same, and also requiring people to agree to a ToU (that for example maybe requires you to give up your firstborn) is not really kosher.

So I'd like to add to the CVE/CNA docs discussion:

can we get a ruling on reference URLs, specifically:

1) Reference MUST/MUST NOT/SHOULD/SHOULD NOT/etc... require a login of any sort (even a free login)
2) Reference MUST/MUST NOT/SHOULD/SHOULD NOT/etc... require acceptance of ToU/Conduct Policy/etc.

In my mind I should be able to "wget http://example.org/refurl/" and get the page. Anything less is not acceptable. But I also think the board should discuss this and rule on it and document it.

--
Kurt Seifried
[hidden email]

Re: REF URL require ToU/Conduct policy

Pascal Meunier
I get a login dialog "Sign in with your Google Account", so it's a login plus a
surrendering of rights, and with it being Google, a tracking of which security
information I look at, from where and when, which will be composed with other
profiling information, and profiles from other people I interact with or that work in
the same organization, and all the other things Google knows or can deduce about us.
With little imagination needed, this is chilling -- for businesses, for students, for
security researchers, and even for people who are just curious and happen to look it
up at the wrong time.  This setup also makes it possible for Google to selectively
provide or withhold security information.

Access to CVE security references should be as anonymous as can be practical, and
giving up rights in exchange for access goes against that because agreements require
accountability.  Access to security references should also be provided without
trackers.  However, policing that may be difficult and onerous.  By comparison it's
easy to require access without login and agreements so we should hold that as a
minimum.  I'd very much like to see "MUST NOT" chosen for your 2 proposed sentences.

Pascal

On Thu, 2018-06-21 at 19:07 -0600, Kurt Seifried wrote:

RE: REF URL require ToU/Conduct policy

Millar, Thomas
Yeah, this is unacceptable. On to the hard question: how can we enforce free and open access to references?

-----Original Message-----
From: Pascal Meunier [mailto:[hidden email]]
Sent: 21 June, 2018 23:30
To: Kurt Seifried <[hidden email]>; cve-editorial-board-list <[hidden email]>
Subject: Re: REF URL require ToU/Conduct policy

Re: REF URL require ToU/Conduct policy

Kurt Seifried-2
Yes, I click the links and if I can't read them all without a hassle I set the CVE request to HOLD:LACK_REF_URL and they can provide working URLs... It's not ideal but I don't have a better solution (well I do, but I haven't implemented it yet, TL;DR: download the link with like wget and snapshot that).

On Thu, Jun 21, 2018 at 9:40 PM, Millar, Thomas <[hidden email]> wrote:
--
Kurt Seifried
[hidden email]

Re: REF URL require ToU/Conduct policy

Art Manion
On 2018-06-21 23:55, Kurt Seifried wrote:
> Yes, I click the links and if I can't read them all without a hassle I set the CVE request to HOLD:LACK_REF_URL and they can provide working urls... It's not ideal but I don't have a better solution (well I do, but I haven't implemented it yet, TL;DR: download the link with like wget and snapshot that). 

While I like the idea, I suspect the local copy provided to others violates the ToU.

1. At least one material and free/public/unencumbered URL or no CVE?

2. Allow free but encumbered (e.g., free login, click through ToU) URLs but flag them as such?

If the world really wants CVE IDs, they'll do 1.  Else, those who want to reduce their CVE exposure can hide behind ToU.

An extension of #2 could be to flag or set state of a CVE entry.  Not going so far as the CAN days, but "this entry is incomplete, the issuer gets a D+ passing grade (in the US), but it's in the corpus."  The incompleteness could be for encumbered URLs/references or other issues.

Some of the CNA metrics should be published, including a count/graph of incompleteness (also public-but-not-populated).

 - Art

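The thread's working test is "can a plain wget fetch the page?", Kurt's fallback is to set the request to HOLD:LACK_REF_URL until a readable URL arrives, and Art's option 2 is to keep the entry but flag encumbered references. The following script is an added example of automating that triage; it is not code from Kurt, Art, or the CVE program. It fetches a reference with no cookies or credentials (the way wget would), classifies the result, and records a SHA-256 snapshot digest when the content was actually reachable. The LOGIN_HOSTS list, the body regexes, the User-Agent string, and the "OK" / "encumbered" labels are assumptions made for this example; only HOLD:LACK_REF_URL comes from the thread.

```python
"""Anonymous-access check for CVE reference URLs (added example).

Fetches a reference the way "wget <url>" would (no cookies, no credentials,
redirects followed) and classifies the outcome so a CVE request can be held
(HOLD:LACK_REF_URL) or the reference flagged as encumbered.
"""
import hashlib
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Hosts a reference should never land on after redirects: arriving here means
# the content sits behind a login wall.  Assumed list for this example; extend
# it with the trackers you actually encounter.
LOGIN_HOSTS = {"accounts.google.com", "login.microsoftonline.com", "login.live.com"}

# Body heuristics (constructed for this example).  The login-form pattern can
# false-positive on pages that merely embed a sign-in widget, so treat a
# "login" verdict from it as a prompt to look, not a final ruling.
LOGIN_FORM_RE = re.compile(r"<form[^>]*(?:login|signin|sign-in)", re.I)
TOU_GATE_RE = re.compile(r"I acknowledge and agree to the [^<]*Terms of Service", re.I)

MAX_BODY = 1 << 20  # 1 MiB is enough to decide; don't mirror huge pages


@dataclass
class RefCheck:
    url: str
    final_url: str
    status: int
    verdict: str                  # "public" | "login" | "tou" | "unreachable"
    sha256: Optional[str] = None  # snapshot digest of the body when public


def snapshot_digest(body: str) -> str:
    """Digest of the fetched body so a later re-fetch can be compared."""
    return hashlib.sha256(body.encode("utf-8", "replace")).hexdigest()


def classify(url: str, final_url: str, status: int, body: str) -> RefCheck:
    """Decide whether an anonymous fetch actually reached the reference."""
    host = (urlparse(final_url).hostname or "").lower()
    if status in (401, 403) or host in LOGIN_HOSTS or LOGIN_FORM_RE.search(body):
        verdict = "login"            # credentials needed, or bounced to a sign-in host
    elif status == 0 or status >= 400:
        verdict = "unreachable"      # DNS/connection failure or a hard HTTP error
    elif TOU_GATE_RE.search(body):
        verdict = "tou"              # page loads, but content is behind a click-through
    else:
        verdict = "public"
    digest = snapshot_digest(body) if verdict == "public" else None
    return RefCheck(url, final_url, status, verdict, digest)


def fetch_and_classify(url: str, timeout: float = 15.0) -> RefCheck:
    """Plain GET with no cookie jar or credentials; redirects are followed."""
    req = urllib.request.Request(url, headers={"User-Agent": "cve-ref-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(MAX_BODY).decode("utf-8", "replace")
            return classify(url, resp.geturl(), resp.getcode(), body)
    except urllib.error.HTTPError as e:
        body = e.read(MAX_BODY).decode("utf-8", "replace")
        return classify(url, e.geturl(), e.code, body)
    except (urllib.error.URLError, OSError):
        return classify(url, url, 0, "")


def request_state(check: RefCheck) -> str:
    """Kurt's workflow: hold the request until a readable URL is supplied."""
    return "OK" if check.verdict == "public" else "HOLD:LACK_REF_URL"


def reference_flag(check: RefCheck) -> str:
    """Art's option 2: keep the entry but mark the reference as encumbered."""
    return "encumbered" if check.verdict in ("login", "tou") else check.verdict


if __name__ == "__main__":
    import sys
    for u in sys.argv[1:]:
        c = fetch_and_classify(u)
        print(f"{c.verdict:<12} {request_state(c):<18} {c.status:>3} {c.final_url}")
```

Run it as `python ref_check.py <url>...` to get one verdict line per reference. The classifier is deliberately separated from the network fetch so it can be exercised on captured responses; a 401/403, a redirect onto a sign-in host, or a login form all count as "not readable by wget", and the Terms-of-Service gate quoted in the first message is caught by the body pattern even though the page itself returns 200.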


Re: REF URL require ToU/Conduct policy

Kurt Seifried-2
I would say my preference would be a policy statement that CVE References must be public. 

Having said that I can see cases where it's useful to have "private" links, e.g. a protocol level vuln like CVE-2009-3555 where it's plausible that a small vendor might be happy to put a link in, if only their customers can access it. 

But then what's to stop all the other vendors from doing this? 

On Fri, Jun 22, 2018 at 7:39 AM, Art Manion <[hidden email]> wrote:
--
Kurt Seifried
[hidden email]

Re: REF URL require ToU/Conduct policy

Kurt Seifried-2
It's not 100% scientific but:




On Fri, Jun 22, 2018 at 9:15 AM, Kurt Seifried <[hidden email]> wrote:
--
Kurt Seifried
[hidden email]