Skip to content

Commit

Permalink
Merge pull request #742 from tschmidtb51/user-agent
Browse files Browse the repository at this point in the history
HTTP User-Agents
  • Loading branch information
tschmidtb51 authored Jun 17, 2024
2 parents 4861537 + 65dea4f commit f86388e
Showing 1 changed file with 18 additions and 3 deletions.
21 changes: 18 additions & 3 deletions csaf_2.1/prose/edit/src/distributing.md
Original file line number Diff line number Diff line change
Expand Up @@ -561,6 +561,21 @@ Each such folder MUST at least:
}
```

### Requirement 24: HTTP User-Agent

Access to the CSAF related files and directories provided, for both metadata and documents, MUST be allowed independent of the
value of HTTP User-Agent.

> Limit the value of HTTP User-Agents to a certain set would hinder adoption of tools retrieving the files.
The only exception is that the temporary blocking of certain HTTP User-Agents is allowed to mitigate an ongoing security incident
(e.g. a DoS attack on the web server serving the CSAF files).
However, a less severe measure with a similar effect SHOULD be used.
CSAF related files and directories SHOULD be exempted from temporary blocking.
The temporary blocking SHOULD be removed as soon as possible, at latest two weeks after the security incident process was completed.

> Also confer to the TC's guidance on content delivery networks and caching.
## Roles

This subsection groups the requirements from the previous subsection into named sets which target the roles with the same name.
Expand Down Expand Up @@ -598,7 +613,7 @@ A CSAF publisher satisfies the "CSAF provider" role if the party fulfills the fo
Firstly, the party:

* satisfies the "CSAF publisher" role profile.
* additionally satisfies the requirements 5 to 7 in section [sec](#requirements).
* additionally satisfies the requirements 5 to 7 and 24 in section [sec](#requirements).

Secondly, the party:

Expand All @@ -622,7 +637,7 @@ A CSAF provider satisfies the "CSAF trusted provider" role if the party:

A distributing party satisfies the "CSAF lister" role if the party:

* satisfies the requirements 6, 21 and 22 in section [sec](#requirements).
* satisfies the requirements 6, 21, 22 and 24 in section [sec](#requirements).
* uses the value `lister` for `/aggregator/category`.
* does not list any mirror pointing to a domain under its own control.

Expand All @@ -633,7 +648,7 @@ A distributing party satisfies the "CSAF lister" role if the party:

A distributing party satisfies the "CSAF aggregator" role if the party:

* satisfies the requirements 1 to 6 and 21 to 23 in section [sec](#requirements).
* satisfies the requirements 1 to 6 and 21 to 24 in section [sec](#requirements).
* uses the value `aggregator` for `/aggregator/category`.
* lists a mirror for at least two disjoint issuing parties pointing to a domain under its own control.
* links the public part of the OpenPGP key used to sign CSAF documents for each mirrored issuing party in
Expand Down

0 comments on commit f86388e

Please sign in to comment.