Questions tagged [standards]

74 questions
1 vote, 0 answers

Is there a standard for fencing email domains to specific use cases?

To my knowledge, there's no common standard for sysadmins to publish trusted domains for specific use cases. If it exists, I would presume that this might limit phishing attacks. Think of my question here as an extension of SPF/DMARC/DKIM, where you…
Caleb Faruki

1 vote, 0 answers

Is HTTP header Permissions-Policy worth using if no features are used?

From the spec at https://www.w3.org/TR/permissions-policy-1/ it seems there is no way to whitelist features with a default blacklist, and each feature must be individually disabled in every single request - adding a few Kb to every complete page…
1 vote, 1 answer

Cyber Essentials at a small business (20 employees) that keeps all business data within SaaS

Background I've recently joined a rapidly growing small business (from 4 to 20 people in last 12 months) with a very DIY IT setup. It's fallen to me (I'm a developer so I just happen to be sitting nearest IT world...) to improve their security and…
El-9876

1 vote, 1 answer

What is the PKCS#7 detached signature format?

This website claims that (emphasis added): In PKCS#7 SignedData, attached and detached formats are supported… In detached format, data that is signed is not embedded inside the SignedData package instead it is placed at some external…
1 vote, 1 answer

How to encode a public key in PKCS#8?

RFC5958 defines a set of enhancements to the PKCS#8 key serialization format, bumping the version field up to 1 and additionally permitting serialization of public keys for arbitrary asymmetric cryptographic algorithms. OneAsymmetricKey ::= SEQUENCE…
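As an added worked example (mine, not part of the question or of any answer on the page): a pure-Python DER encoder and decoder for the RFC 5958 OneAsymmetricKey structure, showing how the version INTEGER changes from 0 (named v1 in the RFC) to 1 (v2) when the optional `publicKey [1]` field is present, and how a decoder can reject a version-0 blob that nonetheless carries a public key. The algorithm OID 1.3.101.112 (Ed25519) and the nested OCTET STRING wrapping of the private key follow RFC 8410; the 32-byte private and public values are constructed filler, not a real key pair, and all helper names are this example's own.

```python
"""Encode and decode RFC 5958 OneAsymmetricKey (PKCS#8 v2) in pure Python.

Added example; helper names are this example's own. The key bytes below are
constructed filler, NOT a valid Ed25519 key pair.
"""

ED25519_OID = bytes.fromhex("2b6570")   # 1.3.101.112 (RFC 8410)
PRIV = bytes(range(32))                   # constructed 32-byte private scalar
PUB = bytes(range(32, 64))                # constructed 32-byte public key


def _der_len(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_one_asymmetric_key(priv, pub=None, oid=ED25519_OID):
    """Build OneAsymmetricKey. version is 0 (v1) without a public key and
    1 (v2) when publicKey [1] is present, as RFC 5958 section 2 requires."""
    version = _tlv(0x02, b"\x01" if pub is not None else b"\x00")
    alg = _tlv(0x30, _tlv(0x06, oid))          # AlgorithmIdentifier, no parameters
    # RFC 8410: CurvePrivateKey is an OCTET STRING nested inside the
    # privateKey OCTET STRING, hence the double wrapping.
    private_key = _tlv(0x04, _tlv(0x04, priv))
    fields = version + alg + private_key
    if pub is not None:
        # The RFC 5958 module uses IMPLICIT TAGS, so publicKey [1] BIT STRING
        # is encoded with context tag 0x81 followed by the unused-bits octet.
        fields += _tlv(0x81, b"\x00" + pub)
    return _tlv(0x30, fields)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _oid_to_str(b):
    """Decode DER OID contents to dotted notation."""
    arcs = [b[0] // 40, b[0] % 40]
    val = 0
    for x in b[1:]:
        val = (val << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_one_asymmetric_key(der):
    """Parse OneAsymmetricKey; refuses a public key under version 0."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    pos = 0
    tag, v, pos = _read_tlv(body, pos)
    if tag != 0x02:
        raise ValueError("expected version INTEGER")
    version = int.from_bytes(v, "big")
    tag, alg, pos = _read_tlv(body, pos)
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if oid_tag != 0x06:
        raise ValueError("expected algorithm OID")
    tag, priv_content, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("expected privateKey OCTET STRING")
    pub = None
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x81:                       # publicKey [1]
            if val[0] != 0:
                raise ValueError("unexpected unused bits in publicKey")
            pub = val[1:]
        # attributes [0] (0xA0) and any later extension fields are skipped here
    if pub is not None and version < 1:
        raise ValueError("publicKey present but version is 0 (v1)")
    # priv_content is algorithm-specific; for Ed25519 it is itself an OCTET STRING
    return {"version": version, "algorithm": _oid_to_str(oid),
            "private_key": priv_content, "public_key": pub}


def roundtrip(priv=PRIV, pub=PUB):
    return decode_one_asymmetric_key(encode_one_asymmetric_key(priv, pub))


def rejects_mismatched_version(priv=PRIV, pub=PUB):
    """Reset version to 0 while keeping publicKey; the decoder must refuse."""
    bad = bytearray(encode_one_asymmetric_key(priv, pub))
    bad[4] = 0   # offset 4 is the INTEGER value in "30 len 02 01 vv"
    try:
        decode_one_asymmetric_key(bytes(bad))
    except ValueError:
        return True
    return False
```

Without a public key the output starts `30 2e 02 01 00 30 05 06 03 2b 65 70`, the same prefix as the version-0 Ed25519 example in RFC 8410; with the public key the outer length grows by 35 bytes (`81 21 00` plus 32 key bytes) and the version byte becomes 1.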
1 vote, 1 answer

Is it allowed to store billing addresses for SAQ A merchants? (PCI DSS)

I know there are many limitations for data storing and processing by PCI DSS. Some of them are explained here. https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf But I can't find any info about storing customers' billing addresses. Is…
1 vote, 1 answer

Is there a documented security standard that forbids or discourages rolling your own crypto?

Is there any security standard published by NIST or another reputed body in information security that explicitly forbids or discourages rolling your own crypto? If yes, would you please post the standard name/title, a link to it, and quote the…
Lone Learner

1 vote, 1 answer

Kerberos over http documentation

The NTLM over HTTP documentation can be found here https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ntht/f09cf6e1-529e-403b-a8a5-7368ee096a6a Where is the Kerberos over HTTP official documentation?
aquaman

1 vote, 2 answers

Why are email clients prevented from seeing the envelope?

Being able to compare the envelope values against the header field values is potentially useful for detecting fraudulent (e.g. spoofed) mail. However, email servers, when receiving mail over SMTP, are not required to record the SMTP envelope values…
sampablokuper
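Added example (mine, not from the question or its answers): where the receiving MTA did record the SMTP envelope sender as a Return-Path header, the comparison the question has in mind can be done with the standard library. This compares the Return-Path domain with the header From domain, the strict-alignment idea DMARC applies to SPF; the messages are constructed samples, the function names are this example's own, the null envelope sender `<>` used by bounces is reported separately, and a message with no Return-Path at all is flagged rather than treated as aligned.

```python
"""Compare the recorded envelope sender (Return-Path) with the header From.

Added example with constructed messages; the function names are this
example's own. Alignment here is strict (identical domains); DMARC's
relaxed mode compares organizational domains, which needs a public
suffix list and is not attempted.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail).
SPOOF_LIKE = """Return-Path: <bounce-7@bulk.example.net>
Received: from bulk.example.net by mx.example.org with ESMTP
From: "Accounts Payable" <billing@example.com>
To: victim@example.org
Subject: Invoice overdue

Please open the attachment.
"""

ALIGNED = """Return-Path: <billing@example.com>
From: "Accounts Payable" <billing@example.com>
To: victim@example.org
Subject: Invoice

Thanks.
"""

BOUNCE = """Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.example.org>
To: victim@example.org
Subject: Undelivered Mail Returned to Sender

Delivery failed.
"""

NO_ENVELOPE = """From: someone@example.com
To: victim@example.org
Subject: hello

hi
"""


def _address(header_value):
    """Bare addr-spec, lower-cased; '' for <> or a missing header."""
    return parseaddr(header_value or "")[1].strip().lower()


def _domain(addr):
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def check_alignment(raw_message):
    """Return (verdict, envelope_sender, header_from).

    verdict is one of:
      'no-envelope'  the MTA did not record Return-Path; nothing to compare
      'null-sender'  envelope sender is <> (a bounce); From cannot be checked this way
      'aligned'      Return-Path domain == From domain
      'misaligned'   domains differ; worth a closer look, not proof of spoofing,
                     since mailing lists and ESPs legitimately use their own
                     bounce domain
    """
    msg = message_from_string(raw_message)
    return_path = msg.get("Return-Path")
    env = _address(return_path)
    frm = _address(msg.get("From"))
    if return_path is None:
        return ("no-envelope", env, frm)
    if env == "":
        return ("null-sender", env, frm)
    if _domain(env) and _domain(env) == _domain(frm):
        return ("aligned", env, frm)
    return ("misaligned", env, frm)


def triage(messages):
    """Map each label to the verdict for its message."""
    return {label: check_alignment(raw)[0] for label, raw in messages.items()}


if __name__ == "__main__":
    samples = {"spoof-like": SPOOF_LIKE, "aligned": ALIGNED,
               "bounce": BOUNCE, "no-envelope": NO_ENVELOPE}
    for label, verdict in triage(samples).items():
        print(f"{label:12s} -> {verdict}")
```

A 'misaligned' result is a triage signal, not a verdict on its own: the DMARC pass/fail in an Authentication-Results header, where present, already folds in the SPF and DKIM alignment checks and should be consulted alongside this.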
1 vote, 1 answer

Can I describe the PDF's certificate-based signatures using W3C's DSIG Core?

Can I map the specialized specifications of PDF's certificate-based signatures into the [XML DSIG Core] standard? I'm imagining PDF as an "XML file analog", to be mapped into the W3C's ecosystem. ... Expressing in another words, is Adobe's PDF…
Peter Krauss

1 vote, 1 answer

Is there a standard checksum for verifying multipart key fragments?

We will have a symmetric key arriving in three component parts. Once all parts arrive, the key custodians will get together for a ceremony where each enters their part of the key into a secured system. This system will XOR the parts together to…
John Deters

1 vote, 0 answers

Privacy terminology: Online privacy vs Internet Privacy vs Digital Privacy

While, to my eyes, Digital Privacy is the broader term ( anything digital whether online or not), I have seen all 3 used interchangeably (i.e: link vs title). Also, despite having different entries in Wikipedia, not much is clarified. Looking at…
Alvai

1 vote, 1 answer

What is the best Practice / Industry Standard for storing documents with social security numbers, date of birth, financial records, etc?

I am building an app that will be storing sensitive info (SSN's, DOB's, Financial Information, Credit Cards, etc.). Is there a standard that will cover all these items and what is the best approach to storing? Should blobs be used?
1 vote, 1 answer

nodev option for /tmp directory

The CIS standard for Ubuntu 14.04 LTS (01-07-2015) states that the /tmp directory should be mounted with a nodev flag - this is under the FileSystem Configuration (Section 2). This prevents the creation of block and character special devices. Is…
John

1 vote, 1 answer

Is this a "standard" security policy?

For our development we work primarily on AWS. We have data on S3 with varying levels of security, prod, integration, development, etc. When working with data, we often have to run ad-hoc analysis. We may not know what the final structure of the…