Re: [mile] comments on the draft-ietf-mile-rolie-vuln-00 draft

"Banghart, Stephen A. (Fed)" <> Mon, 08 April 2019 17:07 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A84E21200B7 for <>; Mon, 8 Apr 2019 10:07:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.741
X-Spam-Status: No, score=-1.741 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 60tdpEJ9XyuE for <>; Mon, 8 Apr 2019 10:07:13 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id F405112002F for <>; Mon, 8 Apr 2019 10:07:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=oZfcjIFp08KfAFZXPZmnQPWhsHNm1Ww6qJ5tGqgnnTc=; b=M8A5CpHj4qOvt3Pag60eAa5vm6q3NahgBl1WCC5yQFs+ctzWWk8m+2Rh95POeNNE5WNVupEHMR7UZpw6IgJmZwOgm8eI5w6ggivQO0vO8azZEQPwtwR2O8K304fNyws3E29nxenBEuDFYXueKRaCi3XuPM5Z1bpgJugLHj8E+NY=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1771.13; Mon, 8 Apr 2019 17:07:10 +0000
Received: from ([fe80::1ce5:2c44:3260:75d3]) by ([fe80::1ce5:2c44:3260:75d3%7]) with mapi id 15.20.1771.014; Mon, 8 Apr 2019 17:07:10 +0000
From: "Banghart, Stephen A. (Fed)" <>
To: Takeshi Takahashi <>, "" <>
Thread-Topic: [mile] comments on the draft-ietf-mile-rolie-vuln-00 draft
Thread-Index: AdTtDMcDffZbVJr3TyWpHpICA9yR1QBHmUXN
Date: Mon, 8 Apr 2019 17:07:10 +0000
Message-ID: <>
References: <00a301d4ed0c$f1b2bbc0$d5183340$>
In-Reply-To: <00a301d4ed0c$f1b2bbc0$d5183340$>
Accept-Language: en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 454aabb9-6092-47e1-e2ec-08d6bc44a372
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600139)(711020)(4605104)(4618075)(2017052603328)(7193020); SRVR:BN3PR09MB0612;
x-ms-traffictypediagnostic: BN3PR09MB0612:
x-microsoft-antispam-prvs: <>
x-forefront-prvs: 0001227049
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(376002)(39860400002)(396003)(136003)(366004)(346002)(51914003)(189003)(199004)(5660300002)(2906002)(110136005)(14454004)(55016002)(6436002)(52536014)(53936002)(7696005)(86362001)(8936002)(6246003)(76176011)(229853002)(9686003)(54896002)(66066001)(97736004)(478600001)(25786009)(486006)(7736002)(6116002)(105004)(476003)(71200400001)(446003)(71190400001)(19627405001)(3846002)(106356001)(186003)(33656002)(8676002)(2501003)(102836004)(26005)(6506007)(74316002)(68736007)(81156014)(53546011)(81166006)(99286004)(19627235002)(316002)(256004)(105586002)(11346002)(14444005); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR09MB0612;; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None ( does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: s6NPfiCwesw4qP6SFgB6GeuSfVEIpapcbTLWVZdKwKsruFZc0I8sOQkK8m4zpbjMX4VAPb7M4FyfoZ9gS5B7mu/hVf3NehMSeC4Zv/Uj7oBPDD2lX9RnTbp0y/v97REm3N0wv5k7aCf/jOSO9q4M0CrI7412jwFjqXrpauBPeMNPv+GlX3OtH2+lkelJOtDykJ35IybnAtysXzLO2j1QG+dmtiyNIPueR7D2IgPFx/I9hOWNEv3Y6x1TfXRqa5XJ+Z6dyPOSX3fzJsN3cHOiJ59vX0boraKTBJF1guBQCf3hY+uFSjbhVtrQ6h3ewIsDOMRHOJ/cdDp+hO+cXnkAspAHu4pwpPuMwe1dBu1q42MbunZGPEV7HLC8tEPz1XWh391DGs3Hi97jjCHBLKyKWbc7efTem2TdmDBaZKLcEkk=
Content-Type: multipart/alternative; boundary="_000_BN3PR09MB0609E3FFC190D170D90076C4F02C0BN3PR09MB0609namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 454aabb9-6092-47e1-e2ec-08d6bc44a372
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Apr 2019 17:07:10.3205 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR09MB0612
Archived-At: <>
Subject: Re: [mile] comments on the draft-ietf-mile-rolie-vuln-00 draft
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 08 Apr 2019 17:07:17 -0000


Thank you for the review, I've responded below.

  1.  That is a good idea, thank you. I will make the content id a shared requirement.
  2.  I plan on either releasing an update to this document or creating a new extension on it. I will add a sentence on that in the VDO section.
  3.  Thanks for catching this. I need to add a requirement to use a "rolie:format" element that will point to the CVE XML/JSON Schema. That will identify the entry as a CVE document.
  4.  My intention is that the entry would still have an information-type of "vulnerability" even if you are using plain text VDO. I will clarify this in the document.
  5.  Examples are a good idea. I have examples in the other ROLIE extensions already, I just need to create some for the vulnerability entries.
  6.  The intent is that such a link MUST be supported by the implementation, but it does not need to actually appear in a vulnerability entry. I'll add a sentence clarifying this requirement.
  7.  Generally, if there are new vulnerability formats in the future, it would be possible to simply publish a new document with requirements and guidance for that format. They can reference this document for the information-type.
  8.  Given the current level of requirements in the document, I think it would be best to publish as standards track. However, I'd be willing to talk about it if the chairs/AD have any issues.

Thanks for the editorial comments as well, I've accepted all of your edits.

Thanks again for the review!



From: mile <>; on behalf of Takeshi Takahashi <>;
Sent: Sunday, April 7, 2019 2:41 AM
Subject: [mile] comments on the draft-ietf-mile-rolie-vuln-00 draft

Hi Stephen,

I have read the draft-ietf-mile-rolie-vuln-00 draft and I generally like the draft.

Here are some comments.

  1.  “There must be one rolie:property with the name attribute equal to urn…content-id” seems to be a common requirements for both XML CVE and JSON CVE. Currently, it is written as a XML CVE requirement and as a JSON CVE requirement, but it could be written as a common requirement.
  2.  Regarding VDO, it is not a spec yet. How will you cope with VDO once it becomes a spec (approved by NIST)?
  3.  According to the current text, I could not find any field that indicates that the content is “cve”. By looking at the information-type, we can see the content is a vulnerability information. But we cannot know the content is a cve note or not until we see the content itself. Is my understanding correct? Where can we know that the content is a cve note or not?
  4.  According to the current text, I understood that we will treat a VDO as a plain text at this moment. Then, do we indicate that the content is a vulnerability information or not? It seems to be that we do not indicate so according to the current text. Is that so?
  5.  Section 4 is concisely represented. I like it. However, having some examples will help readers to understand the content properly. How about adding some examples in its appendix or in this section?
  6.  According to section5.1, we MUST send a severity information when sending a vulnerability note. That means, we cannot send an early vulnerability information without a score, correct? Just a clarification.
  7.  I guess you will make this vulnerability rolie extensible enough. Can you add some sentences how we could cope with the other vulnerability notes that may emerge in the future?
  8.  Is it going to be an informational RFC? It has several definitive parts. So, I am just asking your intention.

Editorial comments are not important at this stage, but it won’t harm to list here.

“support Vulnerability use cases” -> “support vulnerability use cases”.

“a automated and efficient fashion” -> “an automated and efficient fashion”.

“a XML” -> “an XML”

In the reference, vdo cannot be a normative reference at this moment, due to its document status.

Thank you, and kind regards,