[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: REF URL require ToU/Conduct policy
- To: Kurt Seifried <kurt@seifried.org>, cve-editorial-board-list <cve-editorial-board-list@mitre.org>
- Subject: Re: REF URL require ToU/Conduct policy
- From: Pascal Meunier <pmeunier@cerias.purdue.edu>
- Date: Thu, 21 Jun 2018 23:29:58 -0400
- Authentication-results: spf=softfail (sender IP is 198.49.146.235) smtp.mailfrom=cerias.purdue.edu; imc.mitre.org; dkim=none (message not signed) header.d=none;imc.mitre.org; dmarc=fail action=none header.from=cerias.purdue.edu;
- Delivery-date: Fri Jun 22 07:41:51 2018
- In-reply-to: <CABqVa385i5s0MY4zZL8A8BSbQbJqHxprWvhYr3Gxon3okzqwrQ@mail.gmail.com>
- References: <CABqVa385i5s0MY4zZL8A8BSbQbJqHxprWvhYr3Gxon3okzqwrQ@mail.gmail.com>
- Reply-to: <pmeunier@cerias.purdue.edu>
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticoutput: 1:99
I get a login dialog "Sign in with your Google Account", so it's a login plus a surrendering of rights, and with it being Google, a tracking of which security information I look at, from where and when, which will be composed with other profiling information, and profiles from other people I interact with or that work in the same organization, and all the other things Google knows or can deduce about us. With little imagination needed, this is chilling -- for businesses, for students, for security researchers, and even for people who are just curious and happen to look it up at the wrong time. This setup also makes it possible for Google to selectively provide or withhold security information. Access to CVE security references should be as anonymous as can be practical, and giving up rights in exchange for access goes against that because agreements require accountability. Access to security references should also be provided without trackers. However, policing that may be difficult and onerous. By comparison it's easy to require access without login and agreements so we should hold that as a minimum. I'd very much like to see "MUST NOT" chosen for your 2 proposed sentences. Pascal On Thu, 2018-06-21 at 19:07 -0600, Kurt Seifried wrote: > So real world example I have a CVE request which has a reference url: > > https://issuetracker.google.com/issues/77809383 > > the requires: > > Google IssueTracker Terms of Service > > I acknowledge and agree to the Google Terms of Service > <https://www.google.com/policies/terms/> and the Google IssueTracker > Conduct Policy <https://issuetracker.google.com/terms>. > Which... I dunno. I don't want links that require logins (because you > can't > grab them with tools easily), and I feel like this is the same, and > also > requiring people to agree to a ToU (that for example maybe requires > you to > give up your first born) is not really kosher. > > So I'd like to add to the CVE/CNA docs discussion: > > can we get ruling on reference URL's, specifically: > > 1) Reference MUST/MUST NOT/SHOULD/SHOULD NOT/etc... require a login > of any > sort (even a free login) > 2) Reference MUST/MUST NOT/SHOULD/SHOULD NOT/etc... require > acceptance of > ToU/Conduct Policy/etc. > > In my mind I should be able to "wget http://example.org/refurl/"; and > get > the page. Anything less is not acceptable. But I also think the board > should discuss this and rule on it and document it. >
- Follow-Ups:
- RE: REF URL require ToU/Conduct policy
- From: "Millar, Thomas" <Thomas.Millar@hq.dhs.gov>
- RE: REF URL require ToU/Conduct policy
- References:
- REF URL require ToU/Conduct policy
- From: Kurt Seifried <kurt@seifried.org>
- REF URL require ToU/Conduct policy
- Prev by Date: REF URL require ToU/Conduct policy
- Next by Date: RE: REF URL require ToU/Conduct policy
- Previous by thread: REF URL require ToU/Conduct policy
- Next by thread: RE: REF URL require ToU/Conduct policy
- Index(es):
