Agreed on all this. Just want to restate: this guidance is thorough, extremely clear and suited to purpose. Nice work.
From: Larry Golding (Comcast) <
larrygolding@comcast.net>
Sent: Wednesday, June 27, 2018 4:50 PM
To: Michael Fanning <
Michael.Fanning@microsoft.com>; 'O'Neil, Yekaterina Tsipenyuk' <
katrina@microfocus.com>; 'Luke Cartey' <
luke@semmle.com>; 'David Keaton' <
dmk@dmk.com>; 'Mr. Stefan Hagen' <
stefan@hagen.link>; 'OASIS SARIF TC Discussion List' <
sarif@lists.oasis-open.org>
Subject: RE: [sarif] RE: IANA media type registration
Inline
-- Larry
From: Michael Fanning <
Michael.Fanning@microsoft.com >
Sent: Wednesday, June 27, 2018 3:25 PM
To: Larry Golding (Comcast) <
larrygolding@comcast.net >; 'O'Neil, Yekaterina Tsipenyuk' <
katrina@microfocus.com >; 'Luke Cartey' <
luke@semmle.com >;
'David Keaton' <
dmk@dmk.com >; 'Mr. Stefan Hagen' <
stefan@hagen.link >; 'OASIS SARIF TC Discussion List' <
sarif@lists.oasis-open.org >
Subject: RE: [sarif] RE: IANA media type registration
This is improved, thank you.
We deferred an issue around provide mechanisms within SARIF for signing/encrypting data in preference of external mechanisms. Why wouldn’t we cite this as a useful approach? You mention using HTTPS, that’s
no different in mind (i.e., it provides a concrete example of a technology that might protect SARIF that contains sensitive info). On the other hand, if the industry can’t decide on a standard/leading JSON payload encryption/signing standard, may not be worth
mentioning. All things considered, maybe we just drop the point.
[Larry] Yes, that was my thought: since there wasn’t a well-accepted way to do this, we may as well not mention it. This sentence makes me nervous. I don’t think we should even float the idea that a SARIF consumer would expand some executable content from the log file and execute it. This is a very bad idea. Let’s not
even float it is my suggestion. Let’s leave the SHOULD guidance on producers not emitting this data.
[Larry] I think what you’re saying is that you’d like my Item #7 to read something like this:
7) SARIF defines an extensibility mechanism that allows SARIF producers to include arbitrary
properties in a SARIF file (information that is not explicitly defined in the SARIF format).
SARIF producers should not use this mechanism to define properties that contain executable code or
script.
Right?
From: Larry Golding (Comcast) <
larrygolding@comcast.net >
Sent: Wednesday, June 27, 2018 10:01 AM
To: Michael Fanning <
Michael.Fanning@microsoft.com >; 'O'Neil, Yekaterina Tsipenyuk' <
katrina@microfocus.com >; 'Luke Cartey' <
luke@semmle.com >;
'David Keaton' <
dmk@dmk.com >; 'Mr. Stefan Hagen' <
stefan@hagen.link >; 'OASIS SARIF TC Discussion List' <
sarif@lists.oasis-open.org >
Subject: RE: [sarif] RE: IANA media type registration
Point taken. I agree that repeating the “appropriate security” mantra over and over is a bit much.
However, we do need to mention it. In
RFC 6838 , “Media Type Specifications and Registration Procedures,” Section 4.6, “Security Considerations,” it says:
A media type might be
targeted for applications that require some
sort of security assurance but don't provide the necessary
security mechanisms themselves . For example,
a media type could
be defined for storage of
sensitive medical information that in
turn
requires external confidentiality and integrity protection
services , or which is designed for use only within
a secure
environment.
Types SHOULD always document whether or not they
need such services in their security considerations.
(NOTE: How is “SHOULD always” different from “SHALL”?