Re: [mile] Feedback on draft-banghart-mile-rolie-csirt-02
"Banghart, Stephen A. (Fed)" <stephen.banghart@nist.gov> Fri, 01 December 2017 15:31 UTC
Return-Path: <stephen.banghart@nist.gov>
X-Original-To: mile@ietfa.amsl.com
Delivered-To: mile@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AD0A1293FD for <mile@ietfa.amsl.com>; Fri, 1 Dec 2017 07:31:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nistgov.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vzVmeC7jyJ7O for <mile@ietfa.amsl.com>; Fri, 1 Dec 2017 07:31:02 -0800 (PST)
Received: from gcc01-dm2-obe.outbound.protection.outlook.com (mail-dm2gcc01on0136.outbound.protection.outlook.com [23.103.201.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32E541293EC for <mile@ietf.org>; Fri, 1 Dec 2017 07:31:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=fZBUzpmC9ujLfuu7yMi1H2SPu+t0unqyVnJ8dL7lejQ=; b=OgT8KmLJYSNwNCSc06IQUnJRFMexfXZkF3I82k7ySSUU/FzyIkoM/T/6EFFswE4Y/XleRpsgIgJ7Dbq8y5T2lQKtbkjthYs1mO1kF8cwjBU5ylpRe+9J5AlIWkyCk4EQI8PRgKGKXa6hFctauo5KaYjG+4uvRgrgGf5DZ0nyKSI=
Received: from MWHPR09MB1197.namprd09.prod.outlook.com (10.172.49.143) by MWHPR09MB1198.namprd09.prod.outlook.com (10.172.49.144) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.282.5; Fri, 1 Dec 2017 15:31:00 +0000
Received: from MWHPR09MB1197.namprd09.prod.outlook.com ([10.172.49.143]) by MWHPR09MB1197.namprd09.prod.outlook.com ([10.172.49.143]) with mapi id 15.20.0282.007; Fri, 1 Dec 2017 15:31:00 +0000
From: "Banghart, Stephen A. (Fed)" <stephen.banghart@nist.gov>
To: Roman Danyliw <rdd@cert.org>
CC: "mile@ietf.org" <mile@ietf.org>
Thread-Topic: Feedback on draft-banghart-mile-rolie-csirt-02
Thread-Index: AdNiE0gmyccQA7GdQdmhMZonzYpWZwGb6TqQ
Date: Fri, 01 Dec 2017 15:31:00 +0000
Message-ID: <MWHPR09MB119785F8BCACE3670ED72D2DF0390@MWHPR09MB1197.namprd09.prod.outlook.com>
References: <359EC4B99E040048A7131E0F4E113AFC010500B1E4@marathon>
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFC010500B1E4@marathon>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=stephen.banghart@nist.gov;
x-originating-ip: [129.6.251.1]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; MWHPR09MB1198; 6:6uYDGLliQHYlwCCPMrwdXpoFGLPQSdcQCW+MrSkJFdGrb9wVSo27ZxALX0Dm47DCO4fI9560OXpUgXImoFYhcwSy3WHvL4RWG6B7KTuuJ9CT5lJ4q81KiN7kkofz/1q/HVVfyffEv/uCwsnuoYrWBphTU9FT1g2nvTlJsexEQQI7kLus7rMpbtaswQHf0yTEhVXleyRM/sSTH7e+f/c/6iFsu62ChN0BBVWneONDWtQ0ZI+765DI1ZRF06s7JORkPJ90vQExkATBaY9cfiNGCFM+cSArR0brQrSBnEhAXJK0WDeXni4XrkHn8erKD2GD0N7+gqKb1gU2qp1S/BX0QqYiJPh/vE8WOe4h1bIR3uA=; 5:N2VLHlYu/rVIeP20X+u6JtBX+3KvWGVRYZT2N5842sR467w1eX9RRFLEC++297WQZH1nCr4F5fbxAN1KQ+SkPsjTiQvR+KI9fDsVSfpDUshuPbxLkm9yNH6xLy3zSbey3nYRIZk36yYrrUeaG/ewf72aIrpEZ3ZwhZQTXRUd4Co=; 24:lKNQ8JdSnSYmTdtarh8/EIIcK8BZNxd1sf+jFwR0K1EwJIIHD4sSZZ7/NOkTIRs2mvU+kuLgGKOGAvjkr0gCRu+B8tP0Oz9CsVtBGUGUUk4=; 7:tANZeiUf9bi2mhsvRO1BgiXS41FrGRCsbECgHrpFCMS2xTf3p28kCnPwjLtNHKx7MTpLP4oiSkcLHI8v+vYv40C1htgIjeU7lObiJ+Nik3vPLdnWMNZsoXTkKJjHHuIv1Pu52UKqoL4E2sOHnvwvLfmVvYwnN6JjdXEk4+q08kMStpK2myVFl6Oeb47Ci9+VS1Z1SI2mPW8iSNp72EIgk91UeKyGj8kgDRSpOTv3Mtmw5qJOPOq56DJE/EN8z3tU
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 1a24d074-b711-42fa-c87a-08d538d0868f
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(4534020)(4602075)(4627115)(201703031133081)(201702281549075)(48565401081)(5600026)(4604075)(2017052603286); SRVR:MWHPR09MB1198;
x-ms-traffictypediagnostic: MWHPR09MB1198:
x-microsoft-antispam-prvs: <MWHPR09MB1198FD329AF3A082F29EBD60F0390@MWHPR09MB1198.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705)(189930954265078)(219752817060721)(211171220733660);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040450)(2401047)(8121501046)(5005006)(93006095)(93001095)(3002001)(10201501046)(3231022)(6055026)(6041248)(20161123558100)(20161123560025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123564025)(20161123555025)(20161123562025)(6072148)(201708071742011); SRVR:MWHPR09MB1198; BCL:0; PCL:0; RULEID:(100000803101)(100110400095); SRVR:MWHPR09MB1198;
x-forefront-prvs: 05087F0C24
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(376002)(39860400002)(346002)(366004)(13464003)(51914003)(199003)(189002)(8936002)(86362001)(6436002)(81166006)(8676002)(81156014)(99286004)(230783001)(14454004)(966005)(33656002)(55016002)(76176011)(2950100002)(6246003)(77096006)(54356011)(74316002)(7736002)(6506006)(316002)(68736007)(25786009)(6916009)(305945005)(102836003)(105586002)(3660700001)(3846002)(3280700002)(106356001)(2900100001)(53546010)(101416001)(9686003)(7696005)(45080400002)(5660300001)(229853002)(66066001)(97736004)(478600001)(53936002)(2906002)(189998001)(4326008)(6306002)(6116002); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR09MB1198; H:MWHPR09MB1197.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-Network-Message-Id: 1a24d074-b711-42fa-c87a-08d538d0868f
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Dec 2017 15:31:00.3153 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR09MB1198
Archived-At: <https://mailarchive.ietf.org/arch/msg/mile/3zySe38CwKmLReJ3lftg8Ifx9Pw>
Subject: Re: [mile] Feedback on draft-banghart-mile-rolie-csirt-02
X-BeenThere: mile@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mile>, <mailto:mile-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mile/>
List-Post: <mailto:mile@ietf.org>
List-Help: <mailto:mile-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mile>, <mailto:mile-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Dec 2017 15:31:06 -0000
Roman, Thanks for the review. Comments inline. Several of your points cover sections of the document that are being removed following the decision the group made at IETF100 to trim down the IODEF specific requirements. I'll have the newer version of the document with those changes posted soon. > -----Original Message----- > From: mile [mailto:mile-bounces@ietf.org] On Behalf Of Roman Danyliw > Sent: Monday, November 20, 2017 11:23 AM > To: mile@ietf.org > Subject: [mile] Feedback on draft-banghart-mile-rolie-csirt-02 > > Hi Stephen and John! > > >From my reading of draft-banghart-mile-rolie-csirt-02, I have the following > feedback: > > (1) Section 3, Additional Requirements for the Atom Publishing Protocol > > ** Cite RFC5023 as the reference for Atom Publishing Protocol. > > (2) Section 4, > ** Cite RFC4287 as the reference for Atom Syndication Format. Added reference to both of these, thanks. > (3) Section 3.1.2, User Authorization > > ** In the first sentence, I'd recommend replacing s/When the content model > .../When the content for the Atom <content> element contains an <IODEF- > Document>/ for readability. > ** Also the first sentence states "... the authorization MUST be adjudicated > ... per Section 8.1.1". What specific section in 8.1.1 is being referenced? Is it > @restriction? Is it also worth noting that this adjudication will be done is > outside the scope of the document -- some sites might treat > @restriction="need-to-know" differently? > ** <IODEF-Document> is mentioned but without citation. Per discussion at IETF 100 this entire requirement has been removed as part of the process of removing IODEF specific restriction on the ROLIE protocol. > (4) Section 4, Additonal Requirements for the Atom Syndication Format > ** s/Additonal/Additional/ (typo in the Section title) > > (5) Section 4.1, Additional Requirements for the atom:feed element > ** s/Additonal/Additional/ (typo in the Section title) Thanks for catching this, fixed. > ** The first sentence states "A feed containing IODEF incident content MUST > contain at least two additional <atom:category> elements." What does it > mean to contain "IODEF incident content"? Is "IODEF incident content" an > instance of an <IODEF-Document> whose includes at least one <Incident>? > (6) Section 4.2, Additonal Requirements for the atom:entry element > ** s/Additonal/Additional/ (typo in the Section title) > ** The first sentence states "An entry containing an IODEF payload." What > does it mean to contain an "IODEF payload"? Is it an instance of <IODEF- > Document>? > > (7) Section 4.3.1, The IODEF Document > > ** s/<relatedActivity>/<RelatedActivity>/ > ** s/<history>/<History>/ > > (8) Section 5.1, "incident" information type > > ** The fifth bullet uses the language "effect and result information", it might > be clearer to refer to it as the "incident impact" All of the above sections have been removed as IODEF specific requirements per IETF100. > (9) Section 5.3.1, IODEF Format > > ** Cite IODEF with an informative reference Added. > ** The last paragraph states that "The use of the IODEF format imposes > additional requirements on the server." Where are those requirement > documented? Removed this paragraph. > (10) Section 5.3.2, STIX Format > > ** Cite STIX with an informative reference Trying to track down a good single reference for this. I suspect that Bret might be able to help us with this. > > (11) Section 6.1, urn:ietf:params:rolie:property:csirt:ID > > ** The first sentence states that csirt:ID "provides an exposure point for an > identifier ...". What is an "exposure point"? Is that a unique reference? > ** Also, the first sentence states "... identifier from the indicator or incident > document". What is an "indicator" or "incident document" in this content? Rewrote this sentence to: "Provides an XML element that can be populated with an identifier from the indicator or incident document linked to by an atom:content element." This is in the context of being a rolie:property element, a general use key:value pairing defined in the ROLIE core. > (12) Section 8.1.1, Newly registered category values > ** The second sentence notes that "This IODEF content exposure provides > ..." What is meant by "content exposure"? > ** The second and third paragraphs make references to Section 3.2 of IODEF. I agree that the terminology "content exposure" isn't very intuitive. I'll think about the wording on this and redo it for the next version. > Which IODEF -- RFC 5070 or 7970? > ** I'd recommend removing the attribute value examples (i.e., "e.g, public, > need-to-know, private, default", "e.g. traceback, mitigation, reporting, or > other") as these may change with the extension values in the IANA registry > (assuming RFC7970 is the version of IODEF in question). We're intending to reference RFC7970. Thanks for the suggestion on the example values, I've removed them. > (13) Section 10, Security Considerations > > ** The first sentence states that this document is about "us[ing] ROLIE in > high-security use cases". I'm not sure what "high security" means in this > context. > ** In the same sentence, it says that "added care should be taken to fortify > and secure ROLIE" -- like what? I was trying to remain vague, to avoid prescribing actions for CSIRTs to take. With that said references to some of the specific technologies we call out in the ROLIE core document Security considerations would provide some good concrete examples of what "high security" is and how to secure it. > ** Per the second sentence, I recommend: > s/The guidance in the ROILE core specification ... is strongly > recommended/The security and privacy considerations of the ROILE core > specification [I-D.ietf-mile-roile] are applicable./ Changed. > ** In the same sentence, it says that "implementers should consider adding > additional security measures as they see fit" -- like what? I'll add references to the methods we call out in the ROLIE core here as examples. > ** The first sentence of the second paragraph references "closed sharing". > I'm not sure what that means. How about just "private consortium"? I'm trying to reference any security organization or a group of security organizations that are privately sharing information with eachother. Thanks for the review, the document is shaping up, Stephen > Regards, > Roman > > _______________________________________________ > mile mailing list > mile@ietf.org > https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.i > etf.org%2Fmailman%2Flistinfo%2Fmile&data=02%7C01%7Cstephen.banghar > t%40nist.gov%7C6e5575bf4a4e44340d2008d53033106d%7C2ab5d82fd8fa4797 > a93e054655c61dec%7C1%7C0%7C636467918241204252&sdata=%2FKfhbkT5N > vuBPE07VUZ3Y3JMJJHPMRMOM8FRqvY9cjc%3D&reserved=0
- [mile] Feedback on draft-banghart-mile-rolie-csir… Roman Danyliw
- Re: [mile] Feedback on draft-banghart-mile-rolie-… Banghart, Stephen A. (Fed)