Adding securityContact to issuer directory

the-commons-project / vci-directory

Holds membership information for SHC issuers that are part of the VCI (https://vci.org/) Directory.

53 stars 42 forks source link

Adding securityContact to issuer directory #272

Open christianpaquin opened 2 years ago

christianpaquin commented 2 years ago

Issue #52 discussed adding more fields to the directory, one of which was:

securityContact: E-mail address to contact this issuer to report security issues

I didn't see any discussion relating to this particular field before the issue was closed, so I'm resurrecting it here.

If this EU covid pass news is any indication, it is prudent to assume that a VCI issuer key will leak at some point, and there should be a rapid way to contact the issuer.

Thoughts?

supersat commented 2 years ago

There is already a quasi-standard for /.well-known/security.txt (see https://securitytxt.org/ and https://datatracker.ietf.org/doc/html/draft-foudil-securitytxt-12). This supports much richer information (such as a pointer to a GPG key, disclosure policy, etc), and seems to fit in nicely with the /.well-known/jwks.json scheme already used.