Re: [Cacao] [EXT] Re: [EXT] RE: Charter

Allan Thomson <athomson@lookingglasscyber.com> Wed, 19 June 2019 15:25 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cacao/7aho1oQzFVog0Pz43zhmGfcNQ0U>
List-Id: Collaborative Automated Course of Action Operations <cacao.ietf.org>

JSON is a must.

Anything else imo is a nice-to-have.

Most products exchanging intel (and playbooks could be considered an aspect of intel) are doing that using JSON.

There are other translations such as protobufs…etc. STIX2 models intel using JSON not anything else.

Allan Thomson
CTO (+1-408-331-6646)
LookingGlass Cyber Solutions<http://www.lookingglasscyber.com/>

From: Bret Jordan <jordan.ietf@gmail.com>
Date: Wednesday, June 19, 2019 at 5:07 AM
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>
Cc: Bret Jordan <Bret_Jordan@symantec.com>, Allan Thomson <athomson@lookingglasscyber.com>, "cacao@ietf.org" <cacao@ietf.org>
Subject: Re: [Cacao] [EXT] Re: [EXT] RE: Charter

The initial version needs to be done in JSON, if we want the market as a whole to adopt this. I have walked the floor at RSA and Blackhat for the past 2 years talking to all of the vendors that would potentially implement this. They all say the same thing. If it was JSON, they could easily do it. If it is something else, well, maybe, maybe not. We would then be reliant on market pressure and consumers to influence vendors to adopt. That can take 10 years or more. Usually by then, the standard has failed and the market has moved on. Let us not be yet another standard on the dusty shelves of the SDO Library.

Further, anything not JSON would require the Web2.0 world of products and APIs to support something totally different. CBOR may take off at some point. YANG may take off at some point. XML may come back from the dead. But right now, today, JSON is the model that the developers of products use and know. Adding additional hurdles for the solution to be adopted is not a good idea for this first version.

Over time, once we get our first versions done and out the door and they get adopted, we can make changes or add functionality based on market demand. If the market comes back and says, hey, we really need this done in a binary format like Protobuf, then great. We can write a binding for that.



Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."


On Jun 19, 2019, at 1:41 PM, mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com> wrote:

Re-,

Please see inline.

Cheers,
Med

From: Bret Jordan [mailto:Bret_Jordan@symantec.com]
Sent: Wednesday, 19 June 2019 13:26
To: BOUCADAIR Mohamed TGI/OLN
Cc: Allan Thomson; Bret Jordan; cacao@ietf.org<mailto:cacao@ietf.org>
Subject: Re: [Cacao] [EXT] Re: [EXT] RE: Charter

I fundamentally do not support the idea of not using JSON for this work.
[Med] Are you referring to the application encoding or the data modelling part?

Over time we may write a binding document for some other serialization. But we need something that can be implemented and have guaranteed interoperability.
[Med] Why wouldn’t CBOR be an option here? BTW, there might be other requirements such as compactness (that may be worth when actions are enriched/augmented on-path). As a group, we don’t yet have the full set of requirements to make a design choice.

In order to gain mass adoption, we need a solution that can be used by the existing ecosystem.

Bret
Sent from my Commodore 128D