[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [csaf-comment] Re: CSAF support from vendors
Dear Pedro,

the CSAF field in the security.txt is not mandatory. It is also not required to have a security.txt to advertise that you are using CSAF (e.g. you could use the DNS path to link to your provider-metadata.json). The mechanism stated in section 7.3.1 allows one to find the location of a provider-metadata.json for CSAF (trusted) providers. So you could use that (e.g. with the csaf_checker (https://github.com/csaf-poc/csaf_distribution#csaf_checker) or the csaf_downloader (https://github.com/csaf-poc/csaf_distribution#csaf_downloader)) to query the domains of your vendors. However, without a CSAF lister / aggregator, there is no easy way to find vendors that produce CSAF but are not a CSAF provider (yet) and therefore just fulfill the CSAF publisher role.

Best regards,
Thomas

--
Thomas Schmidt

> -----Original Message-----
> From: Mendes, Pedro <pmende01@amgen.com>
> Sent: Friday, June 24, 2022 6:33 PM
> To: Schmidt, Thomas <thomas.schmidt@bsi.bund.de>
> Cc: csaf-comment@lists.oasis-open.org
> Subject: RE: [csaf-comment] Re: CSAF support from vendors
>
> Dear Thomas,
>
> Thank you for the clarifications.
>
> Regarding the sentence, I was imagining that if security.txt were properly filled we could in an easy way identify if a vendor would be publishing the standard. But I might have misunderstood the requirement.
>
> In any case your reply already helped.
>
> Regards,
> .pedro
>
> -----Original Message-----
> From: Schmidt, Thomas <thomas.schmidt@bsi.bund.de>
> Sent: Friday, June 24, 2022 17:05
> To: csaf-comment@lists.oasis-open.org
> Cc: Mendes, Pedro <pmende01@amgen.com>
> Subject: RE: [csaf-comment] Re: CSAF support from vendors
>
> Dear Mr. Mendes,
>
> currently, there is no public list of all issuing parties (as also coordinators like BSI, CISA, CERT/CC, ... or security researchers could publish CSAF documents). BSI is in the process of creating a publicly available CSAF lister. (However, nobody guarantees completeness of such a list.)
>
> The TC encourages all issuing parties to publicly announce when they support CSAF. From my personal experience, vendors tend to start producing CSAF before publicly announcing that.
>
> Maybe, I'm missing something here, but I didn't get the following sentence:
>
> I saw that the standard contemplates a provider-metadata.json for aggregators to be contemplated at the security.txt, but as the field for this security.txt is a proposal I wonder, if no such space exists, would it be possible to create it?
>
> A CSAF aggregator or lister does not have a provider-metadata.json. Nevertheless, the specification defines in section 7.3.1 a mechanism to detect a provider-metadata.json (https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html#731-finding-provider-metadatajson). There is also an open source tool available to do that: https://github.com/csaf-poc/csaf_distribution#csaf_checker Basically, it tests whether it is able to detect a CSAF trusted provider at a given domain.
>
> Kind regards,
> Thomas Schmidt
>
> --
> Thomas Schmidt
>
> From: csaf-comment@lists.oasis-open.org <csaf-comment@lists.oasis-open.org> On Behalf Of Chet Ensign
> Sent: Friday, June 24, 2022 5:35 PM
> To: Mendes, Pedro <pmende01@amgen.com>
> Cc: info@oasis-open.org; project-admin@oasis-open.org; csaf-comment@lists.oasis-open.org
> Subject: [csaf-comment] Re: CSAF support from vendors
>
> Mr. Mendes, thanks for getting in touch with us and for your adoption of CSAF.
>
> The experts here are, of course, the members of the CSAF Technical Committee (see https://www.oasis-open.org/committees/membership.php?wg_abbrev=csaf). I am taking the liberty of including the TC's comment email list on my reply. This is the appropriate channel by which to send questions and feedback to the TC. This message will go to the list since I am subscribed. If you wish to use it to continue the exchange with the members, you will need to subscribe following the instructions at https://www.oasis-open.org/committees/comments/index.php?wg_abbrev=csaf.
>
> Let me know if you have any questions on this and again, thanks for your interest in CSAF. The TC is doing important work!
>
> Best regards,
>
> /chet
>
> On Fri, Jun 24, 2022 at 11:20 AM 'Mendes, Pedro' via Project Admin <project-admin@oasis-open.org> wrote:
> Hi good morning,
>
> I'm writing you an email to know if you have a public page/space where we can check the vendors that already support CSAF.
>
> We're trying to get rid of the manual process to manage vulnerabilities from vendors, however it's kind of a tedious process to keep track of which vendors already support it and are publishing their security advisories in that format.
>
> I saw that the standard contemplates a provider-metadata.json for aggregators to be contemplated at the security.txt, but as the field for this security.txt is a proposal I wonder, if no such space exists, would it be possible to create it?
>
> This would make life easier for lots of people on this side.
>
> Thank you in advance,
>
> Best regards,
> Pedro Mendes
>
> --
> Chet Ensign
> Chief Technical Community Steward
> OASIS Open
> tel: +1 201-341-1393
> chet.ensign@oasis-open.org
> https://www.oasis-open.org/
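Added example, not part of the thread and not code from the csaf_distribution project: a minimal implementation of the discovery that section 7.3.1 of CSAF 2.0 describes and that Thomas points to above. CSAF 2.0 names three places where a provider-metadata.json can be found: the well-known URL `https://<domain>/.well-known/csaf/provider-metadata.json`, one or more `CSAF:` fields in the domain's security.txt, and the DNS path `https://csaf.data.security.<domain>`. The order in which the code tries them, the HTTPS-only sanity check on security.txt values, the structural check on the fetched JSON and the injected fetcher interface are choices of this example, not spec text. All domains, URLs and the security.txt body are constructed sample data so the block runs offline; swap `fake_fetch` for a real HTTP client to run it against a vendor. The `role` it reports is what distinguishes the "publisher only" case from the (trusted) provider case discussed in the thread.

```python
"""Locate a domain's CSAF provider-metadata.json via the three sources that
CSAF 2.0 section 7.3.1 names: well-known URL, security.txt CSAF field(s),
DNS path. The HTTP layer is injected so the example runs offline; the order
of the sources and the sanity checks are this example's own choices."""
import json
from typing import Callable, Iterator, List, Optional, Tuple

# A fetch result is (http_status, final_url_after_redirects, body);
# None means the request failed outright (DNS, TLS, timeout).
Response = Optional[Tuple[int, str, str]]
Fetcher = Callable[[str], Response]

# Allowed values of the "role" field in provider-metadata.json (CSAF 2.0).
ROLES = {"csaf_publisher", "csaf_provider", "csaf_trusted_provider"}


def parse_csaf_fields(security_txt: str) -> List[str]:
    """Return the value of every CSAF field in a security.txt body.
    RFC 9116 syntax: 'Name: value' lines, '#' comments, case-insensitive names.
    More than one CSAF field is allowed, so all of them are returned."""
    values = []
    for raw in security_txt.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "csaf":
            values.append(value.strip())
    return values


def looks_like_metadata_url(url: str) -> bool:
    """Sanity check (this example's rule) before following a CSAF field value:
    HTTPS only, and the path has to name a provider-metadata.json."""
    return url.startswith("https://") and url.rsplit("/", 1)[-1] == "provider-metadata.json"


def is_provider_metadata(doc: object) -> bool:
    """Minimal structural check on a fetched document. A real consumer should
    validate against the provider-metadata JSON schema shipped with CSAF 2.0."""
    return (isinstance(doc, dict)
            and isinstance(doc.get("canonical_url"), str)
            and isinstance(doc.get("publisher"), dict)
            and doc.get("role") in ROLES)


def candidate_urls(domain: str, fetch: Fetcher) -> Iterator[Tuple[str, str]]:
    """Yield (source, url) pairs in the order this example tries them."""
    yield "well-known", f"https://{domain}/.well-known/csaf/provider-metadata.json"
    for path in ("/.well-known/security.txt", "/security.txt"):
        resp = fetch(f"https://{domain}{path}")
        if resp is None or resp[0] != 200:
            continue
        for url in parse_csaf_fields(resp[2]):
            if looks_like_metadata_url(url):
                yield "security.txt", url
        break  # RFC 9116: the /.well-known/ copy takes precedence over the legacy path
    yield "dns-path", f"https://csaf.data.security.{domain}"


def discover(domain: str, fetch: Fetcher) -> Optional[dict]:
    """First source that yields a parseable provider-metadata.json wins.
    Returns None when the domain advertises nothing usable."""
    for source, url in candidate_urls(domain, fetch):
        resp = fetch(url)
        if resp is None or resp[0] != 200:
            continue
        try:
            doc = json.loads(resp[2])
        except ValueError:
            continue  # e.g. an HTML error page served with status 200
        if not is_provider_metadata(doc):
            continue
        return {"source": source, "url": resp[1], "role": doc["role"],
                # the file should be served from the URL it claims as canonical
                "canonical_url_matches": doc["canonical_url"] == resp[1]}
    return None


# --- Constructed sample data for an offline run (not real vendors) ---------
VENDOR_META_URL = "https://psirt.vendor.example/csaf/provider-metadata.json"
PROVIDER_META_URL = "https://provider.example/.well-known/csaf/provider-metadata.json"


def _meta(url: str, role: str) -> str:
    return json.dumps({"canonical_url": url, "role": role, "metadata_version": "2.0",
                       "last_updated": "2022-06-24T15:05:00Z",
                       "publisher": {"category": "vendor", "name": "Example PSIRT",
                                     "namespace": "https://vendor.example"}})


SAMPLE_SECURITY_TXT = (
    "# constructed sample security.txt for vendor.example\n"
    "Contact: mailto:psirt@vendor.example\n"
    "Expires: 2023-06-24T00:00:00.000Z\n"
    "csaf: http://vendor.example/old/provider-metadata.json\n"  # rejected: not HTTPS
    f"CSAF: {VENDOR_META_URL}\n"
)

FAKE_WEB = {  # url -> (status, final_url, body)
    "https://vendor.example/.well-known/csaf/provider-metadata.json": (404, "", "Not Found"),
    "https://vendor.example/.well-known/security.txt": (200, "", SAMPLE_SECURITY_TXT),
    VENDOR_META_URL: (200, VENDOR_META_URL, _meta(VENDOR_META_URL, "csaf_publisher")),
    PROVIDER_META_URL: (200, PROVIDER_META_URL, _meta(PROVIDER_META_URL, "csaf_trusted_provider")),
}


def fake_fetch(url: str) -> Response:
    return FAKE_WEB.get(url)  # anything unknown behaves like a failed request


if __name__ == "__main__":
    for d in ("vendor.example", "provider.example", "nothing.example"):
        print(d, "->", discover(d, fake_fetch))
```

For `vendor.example` the well-known URL is missing, the first `csaf:` line is discarded because it is plain HTTP, and the second line leads to a document whose role is `csaf_publisher`; `provider.example` is found directly at the well-known URL; `nothing.example` yields `None`, which is exactly the case Thomas describes: a domain that produces CSAF but advertises it through none of these paths cannot be discovered without a lister. The csaf_checker linked above performs this discovery and additionally checks the full list of provider and trusted-provider requirements.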