[mile] Feedback for draft-ietf-mile-rolie-csirt-05

"Nelson, Alexander J. (Fed)" <alexander.nelson@nist.gov> Mon, 28 October 2019 19:12 UTC

From: "Nelson, Alexander J. (Fed)" <alexander.nelson@nist.gov>
To: "mile@ietf.org" <mile@ietf.org>
Thread-Topic: Feedback for draft-ietf-mile-rolie-csirt-05
Thread-Index: AQHVjcOjO471MfzD50mXZW2r9pe0tA==
Date: Mon, 28 Oct 2019 19:12:27 +0000
Message-ID: <07C53940-E523-48EE-9074-D874C8B3267D@nist.gov>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mile/7rD3BjZ5YIozBGwCWhBUpbPIZQ8>
Subject: [mile] Feedback for draft-ietf-mile-rolie-csirt-05
X-BeenThere: mile@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mile>, <mailto:mile-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mile/>
List-Post: <mailto:mile@ietf.org>
List-Help: <mailto:mile-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mile>, <mailto:mile-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Oct 2019 19:12:31 -0000

Hello all,

I was asked to review this document.  From some travel timing, the version of the document I looked at was 05, but Stephen informed me that these still happen to apply to version 06.

Nits:
* Section 1, paragraph 4 ("Indicator information describes..."): "Everything from system vulnerabilities to unexpected network traffic..." - the word "unexpected" is a little odd in this sentence as a descriptor of data packaged for analysts' consumption. Would "malice-signaling," or "recognized-malicious" work better?
* Section 4.3.2, paragraph 4: Mentioning "Conversion" of metadata here implies a possibly-destructive data transformation. I don't think that is technically or spiritually what is happening, though. Could this be described as *deriving* a ROLIE repository from the MISP data sources?
* Section 5.1, paragraph 1: The sentence of this paragraph appears to be truncated.
* Table 1, "evidence" through "vector" rows, Description: "...resources that provides..." should say "...resources that provide...".
* Section 8, paragraph 3: "at the workspace level, as such, keeping..." - this first comma joins two sentences that shouldn't be joined.
* Appendix A, XML samples: there are a couple of issues that I think xmllint would catch, like attributes needing one or both double-quote characters for their values (see the rolie:property elements, and rolie:format in the STIX example). The STIX example's summary element also has trailing whitespace.

The document otherwise looks straightforward to me.
--Alex
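The well-formedness check described in the Appendix A nit (the kind of defect xmllint reports, plus the trailing-whitespace point), as an added example that is not part of this e-mail or of the draft. It uses Python's standard XML parser instead of xmllint so it runs anywhere; the sample entries are constructed here, and the ROLIE namespace URI and the attribute names on rolie:property (name, value) and rolie:format (ns) are taken from RFC 8322 as an assumption rather than from the message.

```python
import xml.etree.ElementTree as ET

ATOM_NS = "http://www.w3.org/2005/Atom"
# ROLIE namespace as registered by RFC 8322 (assumed here, not quoted from the e-mail).
ROLIE_NS = "urn:ietf:params:xml:ns:rolie-1.0"


def _q(ns, local):
    """Clark-notation qualified name, the form ElementTree uses for tags."""
    return "{%s}%s" % (ns, local)


def lint_rolie_entry(xml_text):
    """Return a list of findings for one Atom/ROLIE entry; an empty list means clean.

    The first check is plain well-formedness, which is what xmllint would
    report; the remaining checks only run once the document parses.
    """
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        findings.append("not well-formed: %s" % exc)
        return findings

    # Text children whose trailing whitespace would be carried into a feed as-is.
    for local in ("title", "summary"):
        for el in root.iter(_q(ATOM_NS, local)):
            if el.text is not None and el.text != el.text.rstrip():
                findings.append("trailing whitespace in <%s>" % local)

    # Attribute presence on the ROLIE extension elements (names assumed from RFC 8322).
    for el in root.iter(_q(ROLIE_NS, "property")):
        for attr in ("name", "value"):
            if attr not in el.attrib:
                findings.append("rolie:property missing %r attribute" % attr)
    for el in root.iter(_q(ROLIE_NS, "format")):
        if "ns" not in el.attrib:
            findings.append("rolie:format missing 'ns' attribute")
    return findings


# Constructed sample (not from the draft): the rolie:property element is
# missing the closing double quote on its value attribute.
BROKEN_ENTRY = """<entry xmlns="http://www.w3.org/2005/Atom"
       xmlns:rolie="urn:ietf:params:xml:ns:rolie-1.0">
  <id>urn:uuid:00000000-0000-0000-0000-000000000001</id>
  <title>Example indicator entry</title>
  <updated>2019-10-28T19:12:27Z</updated>
  <summary>Example summary </summary>
  <rolie:format ns="urn:example:indicator-format"/>
  <rolie:property name="urn:example:property" value="example-1/>
</entry>
"""

# Same entry with the quote restored; the summary still ends in a space.
QUOTED_ENTRY = BROKEN_ENTRY.replace('value="example-1/>', 'value="example-1"/>')

# Both defects fixed.
CLEAN_ENTRY = QUOTED_ENTRY.replace("<summary>Example summary </summary>",
                                   "<summary>Example summary</summary>")


if __name__ == "__main__":
    for label, doc in (("broken", BROKEN_ENTRY), ("quoted", QUOTED_ENTRY), ("clean", CLEAN_ENTRY)):
        print(label, lint_rolie_entry(doc) or "OK")
```

Running the file prints one line per sample: the broken entry stops at the parse error, the quoted entry reports only the summary whitespace, and the clean entry passes. The same function can be pointed at each Appendix A sample in turn, which is a cheaper round-trip than re-reading the XML by eye after every revision of the draft.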