
Security: diveprotocol/opendive-client

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in OpenDIVE, please report it responsibly:

  1. Do not open a public issue on GitHub.
  2. Email: Send a detailed report to mateo@callec.net.
  3. Encryption: For sensitive information, use PGP (Key ID: TODO).
  4. Response: You will receive an acknowledgment within 48 hours, and a patch or mitigation plan within 7 days.

Supported Versions

Only the latest alpha release (0.1.1+draft.00) is currently supported. Security updates will be provided for all future stable releases (>=1.0.0).

Version Supported
0.1.1+draft.00
0.1.1-beta.2+draft.00
0.1.1-beta.1+draft.00
0.1.1-alpha.1+draft.00
0.1.0+draft.00
0.1.0-alpha.2+draft.00
0.1.0-alpha.1+draft.00
<0.1.0

Security Features

DNSSEC Validation

  • OpenDIVE requires DNSSEC for all DIVE records (_dive, _divekey).
  • Without DNSSEC, records are treated as invalid (configurable via --require-dnssec).

Cryptographic Algorithms

  • Signatures: Only Ed25519 and Ed448 are supported (RFC 8032).
  • Hashes: Only SHA-256, SHA-384, and SHA-512 are allowed.
  • Weak algorithms (RSA, ECDSA, SHA-1, MD5) are explicitly rejected.

Key Management

  • Private keys must be stored securely (e.g., HSM, offline).
  • Never commit private keys to version control.
  • Key rotation is recommended (see RFC §7.1).

Failure Reporting

  • Reports are sent only over HTTPS to the report-to endpoint.
  • Reports include minimal metadata (URL, hash, failure reason).
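
The following sketch is an added example, not OpenDIVE's own code: it shows one way to enforce the algorithm allow-lists from "Cryptographic Algorithms" and the HTTPS-only, minimal-metadata rule from "Failure Reporting". The function names, the normalised algorithm spellings and the report field names are assumptions, and only the Python standard library is used.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Allow-lists from the policy; the normalised spellings are an assumption.
ALLOWED_SIGNATURES = {"ed25519", "ed448"}
ALLOWED_HASHES = {"sha256": hashlib.sha256, "sha384": hashlib.sha384,
                  "sha512": hashlib.sha512}

# Constructed sample input, not a real DIVE resource.
SAMPLE_BODY = b"constructed sample resource body\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_BODY).hexdigest()


class PolicyError(ValueError):
    """A declared algorithm or endpoint violates the policy."""


def _normalise(name):
    # "SHA-256", "sha256" and " Sha-256 " all map to the same key.
    return name.strip().lower().replace("-", "")


def check_algorithms(sig_alg, hash_alg):
    """Fail closed: anything outside the allow-lists is rejected by name."""
    sig, digest = _normalise(sig_alg), _normalise(hash_alg)
    if sig not in ALLOWED_SIGNATURES:
        raise PolicyError(f"signature algorithm not allowed: {sig_alg!r}")
    if digest not in ALLOWED_HASHES:
        raise PolicyError(f"hash algorithm not allowed: {hash_alg!r}")
    return sig, digest


def verify_digest(body, hash_alg, expected_hex):
    """Recompute the digest with an allowed hash and compare in constant time."""
    key = _normalise(hash_alg)
    if key not in ALLOWED_HASHES:
        raise PolicyError(f"hash algorithm not allowed: {hash_alg!r}")
    try:
        expected = bytes.fromhex(expected_hex)
    except ValueError:
        return False  # malformed hex can never match
    return hmac.compare_digest(ALLOWED_HASHES[key](body).digest(), expected)


def build_failure_report(report_to, url, digest_hex, reason):
    """Return (endpoint, payload) carrying only URL, hash and failure reason."""
    parts = urlsplit(report_to)
    if parts.scheme != "https" or not parts.netloc:
        raise PolicyError("report-to endpoint must be an HTTPS URL")
    return report_to, {"url": url, "hash": digest_hex, "reason": reason}
```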

Best Practices for Users

  1. Enable DNSSEC Validation: Always use --require-dnssec in production.

    dive verify --require-dnssec https://example.com/file
  2. Monitor Key Rotation: Use dive dns to inspect key records and ensure they are up to date.

    dive dns example.com --key-id mykey
  3. Use HTTPS: OpenDIVE enforces HTTPS if the https-required directive is set.

  4. Audit Dependencies: Regularly update dnspython and cryptography to patch vulnerabilities.


Security Audits

  • No formal audit has been conducted yet.
  • Contributions to improve security are welcome!

Credits

  • Author: Matéo Florian CALLEC
  • License: MIT

There aren’t any published security advisories