Re: [mile] [EXT] WGLC for CSIRT draft

"Banghart, Stephen A. (Fed)" Mon, 28 October 2019 16:07 UTC


Jess and Danny,

Thanks for the reviews. I’ll provide my responses to both of your comments inline below.

From: mile On Behalf Of Jessica Fitzgerald-McKay
Sent: Monday, October 21, 2019 6:11 PM
To: Haynes Jr., Dan
Subject: Re: [mile] [EXT] WGLC for CSIRT draft

A few more nits. When these and Danny's edits are addressed, this document is ready to move forward.


Introduction- Expand CSIRT on first use

The first use is in the abstract and is expanded, I’ll expand it in the introduction as well.

  - change "ensure the security of their systems" to "improve the security of their systems"


Section 4.3- edit MISP document section to avoid ending on a preposition ("actively being worked on")

Updated to “MISP is defined by a family of internet drafts currently being developed in the IETF”.

  - link to the MISP drafts, as informative references

Moved from normative to informative

Section 8- edit first comma in first sentence to a semi colon or period


On Mon, Oct 21, 2019 at 4:38 PM Haynes Jr., Dan wrote:
Hi Nancy and Stephen,

I have some minor nits and questions.

  *   Abstract

     *   Change “This document extends…to add the information type categories…(CSIRT) use cases.” to “This document extends…to add the indicator and incident information type categories…(CSIRT) use cases.”
     *   Remove “The indicator and incident information types are defined as ROLIE extensions.”

Updated both of these.

  *   Section 2

     *   Should this also reference RFC 8174?


  *   Section 3.1

     *   Change “…that in is the abstract realm…” to “…that is in the abstract realm…”.


  *   Section 3.1

     *   Change “Some examples of indicator information is provided below,…” to “Some examples of indicator information are provided below,…”.


  *   Section 4.2.2

     *   Is “Feed” a defined term?

I added text in the terminology section that references RFC8322

  *   Section 4.3

     *   Change “day-to=day” should be “day-to-day”.


  *   Section 4.3.1

     *   Bullet 4: Change “…element in the attached MISP Event .” to “…element in the attached MISP Event.”.
     *   Bullet 5: Change “This ensures better compatibility…and a MISP Manifest” to “This ensures better compatibility…and a MISP Manifest.”.


  *   Section 5.1

     *   Change “If a ROLIE server supports…MUST be support” to “If a ROLIE server supports the incident information-type, then these link relations MUST be supported.”

  *   Section 5.2

     *   Change “If a ROLIE server supports…MUST be supported.” to “If a ROLIE server supports the indicator information-type, then these link relations MUST be supported.”

  *   Section 8

     *   Change “When sharing IODEF 2 documents…” to “When sharing IODEF Version 2 documents.”.

All fixed.

Beyond that, I am comfortable with moving this draft forward.



From: mile on behalf of "Nancy Cam-Winget (ncamwing)"
Date: Monday, September 23, 2019 at 4:29 PM
Subject: [EXT] [mile] WGLC for CSIRT draft

Fellow MILE participants,

This is a Working Group Last Call for<>

Please provide your review and feedback to the draft’s readiness by Oct 21st so that we can move it forward.

Warm regards,