Re: [Cacao] [EXT] Consensus call for CACAO Charter

Bret Jordan <jordan.ietf@gmail.com> Wed, 26 June 2019 05:35 UTC

From: Bret Jordan <jordan.ietf@gmail.com>
Message-Id: <F097C3C2-A3FA-4F6D-9D06-C1E7D0AE5F58@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_B748FC8B-0BE0-4C9E-96CE-9E84901DFEF9"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Wed, 26 Jun 2019 07:35:41 +0200
In-Reply-To: <etPan.5d1283a1.cd09a53.1c9@cert.org>
Cc: Bret Jordan <bret_jordan=40symantec.com@dmarc.ietf.org>, Allan Thomson <athomson@lookingglasscyber.com>, Carsten Bormann <cabo@tzi.org>, "cacao@ietf.org" <cacao@ietf.org>
To: Chris Inacio <inacio@cert.org>
References: <71E2F960-274F-4DA9-938A-E31AB0C474A4@cert.org> <9BD47F64-D893-4416-8013-02AE2527271B@symantec.com> <2705E843-FAF1-4512-9B9C-D91625A9A383@tzi.org> <etPan.5d123ba6.6d0f767d.1c9@cert.org> <98B45BE0-8EEA-4408-963E-C38991BE6390@lookingglasscyber.com> <etPan.5d1283a1.cd09a53.1c9@cert.org>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cacao/Wu-lgGuvwf37l7xNnRz1zOD2WDA>
Subject: Re: [Cacao] [EXT] Consensus call for CACAO Charter

Chris,

Thanks for your questions.  Let me try and respond and add to what Allan has said.


> [inacio] In this case, do (at least you and Bret) intend that the data model for CACAO will use the STIX data model?  Following from that, there isn't really a data modeling task, and the real work would be creating the necessary serializations for playbooks.



CACAO will not be using the STIXv2 Data Model, since if STIXv2 supported this functionality there would be no need for this group. However, it is vitally important that CACAO be linkable to other STIXv2 data in the graph.  But luckily we know a thing or two about STIXv2.  There are also a lot of concepts that we have learned from designing and implementing cyber threat intelligence based on STIXv2.  So all of that knowledge will flow into this working group.  Meaning, we know how IDs need to be done to support this, we know how versioning needs to work, we understand what type of data needs to be related in the graph and how to do it. The real challenge will be getting the sequencing of atomic actions and any temporal / conditional logic right.

I am somewhat alarmed that we have to give this much detail and be this prescriptive in the charter.  A charter IMHO should focus on the goals that we want to achieve and some general guidance (subject to change) on how we believe we will be able to solve it. With that said, if we need to give super explicit details about how we are going to write that part of the content then here is some text. 


Old Text:
 - CACAO JSON Data Model
   - Create a JSON data model that can capture and enable collaborative courses of action

New Text:
 - Design a data model for CACAO
   - This working group will define a normative data model for CACAO using property tables, similar to how the OASIS STIXv2 data model was defined. This data model will be designed to explicitly work with I-JSON, and all examples will be done in JSON. The working group will also define JSON as the mandatory-to-implement serialization for this version of CACAO. The working group may decide to also document the data model in other non-normative forms that would be located in an appendix.

Do we need to give that kind of detail for all aspects of the Charter?

Some have said there is not much discussion on the list.  Well, there is not much to discuss when nearly all of the supporters of this work agreed to version 1 or 2 of the charter.  We are now on version 6, soon to be version 7. I know if I was not a sponsor of this work, I would be bored and somewhat irritated that we were not yet working on real things.

Also, I would imagine that most people will communicate and provide most of their feedback during the weekly working calls (that we will set up) and in the Google Docs directly. So I would think that overall, list traffic will always be light.  But just like we do with the STIX community, we will try to always send notes to the list about what was talked about and discussed on the working calls.

I am thinking that we may need to add the following to the charter as well, just to keep us from having endless debates about how we are going to do work. Something like:

"This working group plans on holding weekly working calls from 8:00 AM-9:00 AM US-Pacific, and the working group plans on using Google Docs for all specification work. While working group members can always send comments and suggestions via email, it will be encouraged to document all comments and suggestions directly in Google Docs to enable a more rapid development and response process."
 
All in all, I am really coming around to this idea that we need an IETFv2.  We should be able to spin up working groups in terms of days or weeks rather than months or years.  You could then define actual measurable targets that a working group has to achieve every year, otherwise it gets automatically closed.  We have spent / wasted so much time trying to find the perfect text for the charter.


Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

>> 
>> text.)
>> 
>> Any language you would like to propose?
>> 
>> * CACAO data model
>> 
>> A data model will be developed in an appropriate language that will allow serialization into data serialization formats including at a minimum JSON and possibly others.
>> 
>> Any better?
>> 
> 
> Allan,
> 
> [inacio] Thank you for the response, this is REALLY helpful.