Questions tagged [standards]
74 questions
1 vote · 0 answers
Is there a standard for fencing email domains to specific use cases?
To my knowledge, there's no common standard for sysadmins to publish trusted domains for specific use cases.
If it exists, I would presume that this might limit phishing attacks. Think of my question here as an extension of SPF/DMARC/DKIM, where you…
Caleb Faruki
- 195
- 6
1 vote · 0 answers
Is HTTP header Permissions-Policy worth using if no features are used?
From the spec at https://www.w3.org/TR/permissions-policy-1/ it seems there is no way to whitelist features with a default blacklist, and each feature must be individually disabled in every single request - adding a few KB to every complete page…
captainmish
- 91
- 5
1 vote · 1 answer
Cyber Essentials at a small business (20 employees) that keeps all business data within SaaS
Background
I've recently joined a rapidly growing small business (from 4 to 20 people in last 12 months) with a very DIY IT setup. It's fallen to me (I'm a developer so I just happen to be sitting nearest IT world...) to improve their security and…
El-9876
- 11
- 2
1 vote · 1 answer
What is the PKCS#7 detached signature format?
This website claims that (emphasis added):
In PKCS#7 SignedData, attached and detached formats are supported… In detached format, data that is signed is not embedded inside the SignedData package instead it is placed at some external…
JamesTheAwesomeDude
- 581
- 4
- 15
1 vote · 1 answer
How to encode a public key in PKCS#8?
RFC5958 defines a set of enhancements to the PKCS#8 key serialization format, bumping the version field up to 1 and additionally permitting serialization of public keys for arbitrary asymmetric cryptographic algorithms.
OneAsymmetricKey ::= SEQUENCE…
JamesTheAwesomeDude
- 581
- 4
- 15
1 vote · 1 answer
Is it allowed to store billing addresses for SAQ A merchants? (PCI DSS)
I know there are many limitations for data storing and processing by PCI DSS. Some of them are explained here. https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf
But I can't find any info about storing customers' billing addresses. Is…
Vlad
- 13
- 2
1 vote · 1 answer
Is there a documented security standard that forbids or discourages rolling your own crypto?
Is there any security standard published by NIST or another reputed body in information security that explicitly forbids or discourages rolling your own crypto? If yes, would you please post the standard name/title, a link to it, and quote the…
Lone Learner
- 968
- 1
- 9
- 18
1 vote · 1 answer
Kerberos over HTTP documentation
The NTLM over HTTP documentation can be found here https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ntht/f09cf6e1-529e-403b-a8a5-7368ee096a6a
Where is the Kerberos over HTTP official documentation?
aquaman
- 73
- 5
1 vote · 2 answers
Why are email clients prevented from seeing the envelope?
Being able to compare the envelope values against the header field values is potentially useful for detecting fraudulent (e.g. spoofed) mail.
However, email servers, when receiving mail over SMTP, are not required to record the SMTP envelope values…
sampablokuper
- 1,961
- 1
- 19
- 33
1 vote · 1 answer
Can I describe the PDF's certificate-based signatures using W3C's DSIG Core?
Can I map the specialized specifications of PDF's certificate-based signatures into the [XML DSIG Core] standard?
I'm imagining PDF as an "XML file analog", to be mapped into the W3C's ecosystem.
... Expressing in another words, is Adobe's PDF…
Peter Krauss
- 129
- 5
1 vote · 1 answer
Is there a standard checksum for verifying multipart key fragments?
We will have a symmetric key arriving in three component parts. Once all parts arrive, the key custodians will get together for a ceremony where each enters their part of the key into a secured system. This system will XOR the parts together to…
John Deters
- 33,650
- 3
- 57
- 110
1 vote · 0 answers
Privacy terminology: Online privacy vs Internet Privacy vs Digital Privacy
While, to my eyes, Digital Privacy is the broader term (anything digital, whether online or not), I have seen all 3 used interchangeably (i.e., link vs title). Also, despite having different entries in Wikipedia, not much is clarified. Looking at…
Alvai
- 39
- 3
1 vote · 1 answer
What is the best Practice / Industry Standard for storing documents with social security numbers, date of birth, financial records, etc?
I am building an app that will be storing sensitive info (SSNs, DOBs, financial information, credit cards, etc.).
Is there a standard that will cover all these items and what is the best approach to storing? Should blobs be used?
RTG
- 19
- 1
1 vote · 1 answer
nodev option for /tmp directory
The CIS standard for Ubuntu 14.04 LTS (01-07-2015) states that the /tmp directory should be mounted with a nodev flag - this is under the FileSystem Configuration (Section 2). This prevents the creation of block and character special devices.
Is…
John
- 223
- 3
- 13
1 vote · 1 answer
Is this a "standard" security policy?
For our development we work primarily on AWS. We have data on S3 with varying levels of security, prod, integration, development, etc.
When working with data, we often have to run ad-hoc analysis. We may not know what the final structure of the…
Carlos Bribiescas
- 451
- 3
- 13