Great example incident to use in https://www.ietf.org/archive/id/draft-bormann-t2trg-deref-id-04.html
We’ll put it in when we release the next revision!

Regards, Carsten

> On 2024-12-03, at 13:51, Eliot Lear <[email protected]> wrote:
>
> Signed PGP part
> Could I bring to this group the attached erratum? I am thinking that one of
> the reasons to change the text of an RFC would be to ensure that links to
> sites don't create security problems for the readers.
>
> Thanks to Jean Mahoney and Alfonso Alongi for the report.
>
> Eliot
>
>
> -------- Forwarded Message --------
> Subject: [Errata Verified] RFC8409 (8196)
> Date: Tue, 3 Dec 2024 04:49:41 -0800 (PST)
> From: RFC Errata System <[email protected]>
> To: [email protected], [email protected], [email protected], [email protected]
> CC: [email protected], [email protected], [email protected],
> [email protected]
>
>
> The following errata report has been verified for RFC8409,
> "The Entity Category Security Assertion Markup Language (SAML) Attribute
> Types".
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid8196
>
> --------------------------------------
> Status: Verified
> Type: Technical
>
> Reported by: Jean Mahoney <[email protected]>
> Date Reported: 2024-12-02
> Verified by: Eliot Lear (ISE & Editorial Board)
>
> Section: GLOBAL
>
> Original Text
> -------------
> http://macedir.org/entity-category
> http://macedir.org/entity-category-support
>
> Corrected Text
> --------------
> (see notes)
>
> Notes
> -----
> (Reported on behalf of Alfonso Alongi <[email protected]>. While
> errata reports normally shouldn't cover currently broken URLs that worked at
> the time of publication, the domain is used as an attribute namespace and is
> specified by normative text.)
>
> These URLs are no longer valid and now redirect to a casino sponsorship
> website. This change in ownership renders these references irrelevant and
> misleading for implementations relying on this RFC.
>
> Use of Non-Secure HTTP Scheme:
> The URLs use the http:// scheme instead of https://, which does not guarantee
> transport-layer security. This poses risks, especially in contexts where
> trust and integrity are critical.
>
> Relevance of Hardcoding References:
> The functionality described in RFC 8409 (Entity Category Attribute and Entity
> Category Support Attribute) can be implemented using SAML's existing support
> for custom attributes, without reliance on these specific URLs.
>
> --------------------------------------
> RFC8409 (draft-young-entity-category-07)
> --------------------------------------
> Title : The Entity Category Security Assertion Markup Language (SAML)
> Attribute Types
> Publication Date : August 2018
> Author(s) : I. Young, Ed., L. Johansson, S. Cantor
> Category : INFORMATIONAL
> Source : INDEPENDENT
> Stream : INDEPENDENT
> Verifying Party : ISE & Editorial Board
> <OpenPGP_0x87B66B46D9D27A33.asc>
>

-- 
rswg mailing list -- [email protected]
To unsubscribe send an email to [email protected]
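To show the implementation side of the erratum discussed in this thread, here is an added example; it is mine, not code from the thread, from RFC 8409 or from any SAML library. It reads the `mdattr:EntityAttributes` extension of a SAML metadata entity, treats the two RFC 8409 attribute names as opaque identifiers (matched byte-for-byte, never fetched, so the change of ownership of macedir.org cannot affect it), and lists identifiers whose scheme is plain http as a review aid for the transport concern raised in the erratum. The metadata document, the `idp.example.org` entity ID and the `example.org` category value are constructed for the example; the attribute names and the URI NameFormat are the ones RFC 8409 defines.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Attribute names fixed by RFC 8409. They are identifiers that merely look like
# URLs: compare them byte-for-byte and never dereference them. As the erratum
# notes, macedir.org has changed hands, so a fetch would land on an unrelated site.
ENTITY_CATEGORY = "http://macedir.org/entity-category"
ENTITY_CATEGORY_SUPPORT = "http://macedir.org/entity-category-support"
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:URI"

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample metadata for a hypothetical IdP; not from any real federation.
# The third attribute is a look-alike name with an https scheme: it is NOT the
# RFC 8409 attribute and must be ignored, not "fixed".
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:URI">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://macedir.org/entity-category-support"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:URI">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
        <saml:AttributeValue>https://example.org/category/constructed-category</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://macedir.org/entity-category"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:URI">
        <saml:AttributeValue>http://refeds.org/category/should-be-ignored</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>
"""


def entity_attributes(metadata_xml):
    """Map each URI-format entity attribute Name to its list of string values."""
    root = ET.fromstring(metadata_xml)
    attrs = {}
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in root.findall(path, NS):
        name = attr.get("Name")
        # RFC 8409 attributes carry the URI NameFormat; skip anything else.
        if not name or attr.get("NameFormat") != URI_NAME_FORMAT:
            continue
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        attrs.setdefault(name, []).extend(values)
    return attrs


def entity_categories(metadata_xml):
    """Categories the entity claims membership of (exact-string attribute name)."""
    return set(entity_attributes(metadata_xml).get(ENTITY_CATEGORY, []))


def supported_categories(metadata_xml):
    """Categories the entity declares support for (the -support attribute)."""
    return set(entity_attributes(metadata_xml).get(ENTITY_CATEGORY_SUPPORT, []))


def is_member(metadata_xml, category):
    """Membership is a byte-for-byte comparison of category identifiers."""
    return category in entity_categories(metadata_xml)


def plain_http_identifiers(metadata_xml):
    """Attribute names and values whose scheme is plain http, in document order.

    A review aid for the erratum's transport concern only: rewriting an
    identifier's scheme changes its identity and breaks matching against
    every other deployment, so these are reported, not altered.
    """
    found = []
    for name, values in entity_attributes(metadata_xml).items():
        for ident in [name, *values]:
            if urlsplit(ident).scheme == "http" and ident not in found:
                found.append(ident)
    return found


if __name__ == "__main__":
    print("member of:", sorted(entity_categories(SAMPLE_METADATA)))
    print("supports:", sorted(supported_categories(SAMPLE_METADATA)))
    print("plain-http identifiers:", plain_http_identifiers(SAMPLE_METADATA))
```

The look-alike `https://macedir.org/entity-category` attribute in the sample is deliberately not recognised: an implementation that "upgraded" the scheme on either side of the comparison would silently stop interoperating with every federation that publishes the names exactly as RFC 8409 spells them. The same holds for category values such as the REFEDS Research and Scholarship identifier, which also uses an http scheme; the lint therefore lists them for review rather than treating them as errors.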
