UPDATED: WG Action: RECHARTER: Extended Incident Handling (inch)

The IESG <iesg-secretary@ietf.org> Wed, 21 December 2005 21:10 UTC

Content-Type: text/plain
Mime-Version: 1.0
To: IETF-Announce@ietf.org
From: The IESG <iesg-secretary@ietf.org>
Message-Id: <E1EpBE1-0007Zf-ND@newodin.ietf.org>
Date: Wed, 21 Dec 2005 16:10:17 -0500
Cc: Roman Danyliw <rdd@cert.org>
Subject: UPDATED: WG Action: RECHARTER: Extended Incident Handling (inch)
X-BeenThere: ietf-announce@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: ietf-announce.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf-announce>, <mailto:ietf-announce-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf-announce@ietf.org>
List-Help: <mailto:ietf-announce-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf-announce>, <mailto:ietf-announce-request@ietf.org?subject=subscribe>
Sender: ietf-announce-bounces@ietf.org
Errors-To: ietf-announce-bounces@ietf.org

The charter of the Extended Incident Handling (inch) working group in the
Security Area of the IETF has been updated. For additional information, please
contact the Area Directors or the working group Chairs.

+++

Extended Incident Handling (inch)
==================================

Current Status: Active Working Group

Chair(s):
Roman Danyliw <rdd@cert.org>

Security Area Director(s):
Russ Housley <housley@vigilsec.com>
Sam Hartman <hartmans-ietf@mit.edu>

Security Area Advisor:
Sam Hartman <hartmans-ietf@mit.edu>

Mailing Lists:
General Discussion: inch@nic.surfnet.nl
To Subscribe: listserv@nic.surfnet.nl
In Body: subscribe inch 
Archive: http://listserv.surfnet.nl/archives/inch.html

Description of Working Group:
Background
==========

Computer security incidents occur across administrative domains, often
spanning different organizations and national borders. Therefore, the
exchange of incident information and statistics among the involved parties
and their associated Computer Security Incident Response Teams (CSIRTs) is
crucial both for reactive analysis of current intruder activity and for
proactive identification of trends that can lead to incident
prevention.

Scope
=====

The purpose of the Incident Handling (INCH) working group is to define 
a data format for exchanging security incident information used by a 
CSIRT. A CSIRT is defined broadly as an entity (either a team or 
individual) with a security role or responsibility for a given 
constituency (e.g., organization, network).

The use case for the INCH WG output is to standardize the information 
model and messaging format currently used in communication between a 
CSIRT and the:

* constituency (e.g., users, customers) from which it receives reports 
of misuse;

* other parties involved in an incident (e.g., technical contact at an
attacking site, other CSIRTs); and

* analysis centers performing trending across broad data-sets.

These INCH-developed formats will replace the now largely human-
intensive communication processes common in incident handling. The
working group will address the issues related to representing and
transporting:

* the source(s) and target(s) of system misuse, as well as the 
analysis of their behavior;

* the evidence to support this analysis;

* status of an incident investigation and analysis process; and

* meta-information relevant to sharing sensitive information across
administrative domains (e.g., internationalization, authorization, 
privacy).

Constraints
===========

The WG will not attempt to define:

- an incident taxonomy;
- an archive format for incident information;
- a format for workflow processes internal to a CSIRT; or
- a format for computer security related information for which there
is already a working standard.

Output of Working Group
=======================

1. A set of high-level requirements for a data format to represent
information commonly exchanged by CSIRTs.

2. A specification of an extensible incident data description language
that defines a format satisfying these requirements (Output #1).

3. A set of sample incident reports and their associated representation
in the incident data language.

4. A message format specification and associated transport binding to
carry the encoded description of an incident (Output #2).

5. Guidelines for implementing the data format (Output #2) and the
associated communications (Output #4).

Goals and Milestones:
Done        Initial I-D of the incident data language specification
Done        Initial I-D for the requirements specification
Done        Initial I-D of the implementation guidelines document
Done        Initial I-D of the traceback extension specification
Done        Submit initial draft of phishing extension specification I-D
Nov 2005    Initial I-D of a transport binding specification
Dec 2005    Submit messaging format specification I-D to the IESG as Proposed
Dec 2005    Submit incident data language specification I-D to the IESG as Proposed
Dec 2005    Submit requirements I-D to the IESG as Informational
Dec 2005    Submit transport binding specification I-D to the IESG as Proposed
Dec 2005    Submit phishing extension specification I-D to the IESG as Proposed
Feb 2006    Submit implementation guidelines I-D to the IESG as Informational


_______________________________________________
IETF-Announce mailing list
IETF-Announce@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf-announce