Re: [mile] [Issue #9] Mapping @restriction to TLP
Patrick Curry <patrick.curry@federatedbusiness.org> Mon, 29 July 2013 15:52 UTC
Return-Path: <patrick.curry@federatedbusiness.org>
X-Original-To: mile@ietfa.amsl.com
Delivered-To: mile@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D2C311E80F7 for <mile@ietfa.amsl.com>; Mon, 29 Jul 2013 08:52:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.23
X-Spam-Level:
X-Spam-Status: No, score=-3.23 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, URI_HEX=0.368]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DClDb0ie68Fz for <mile@ietfa.amsl.com>; Mon, 29 Jul 2013 08:52:18 -0700 (PDT)
Received: from webhost01.bluefrontier.co.uk (webhost01.bluefrontier.co.uk [37.220.88.216]) by ietfa.amsl.com (Postfix) with ESMTP id BC43E21E8087 for <mile@ietf.org>; Mon, 29 Jul 2013 08:51:50 -0700 (PDT)
Received: from host86-137-122-170.range86-137.btcentralplus.com ([86.137.122.170]:53092 helo=weemac.home) by webhost01.bluefrontier.co.uk with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.80.1) (envelope-from <patrick.curry@federatedbusiness.org>) id 1V3pje-000132-7b; Mon, 29 Jul 2013 16:51:46 +0100
Content-Type: multipart/alternative; boundary="Apple-Mail=_EF67E5E6-8EE2-40BA-B66C-CD71D364D6E9"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Patrick Curry <patrick.curry@federatedbusiness.org>
In-Reply-To: <CAA=AuEdZKcNYbgGxJFF133CFjFTCuedUC2bvxj7ZUw_wmTB-BA@mail.gmail.com>
Date: Mon, 29 Jul 2013 16:51:44 +0100
Message-Id: <0B73373D-4B25-4EEF-9ADC-825D5A58089E@federatedbusiness.org>
References: <359EC4B99E040048A7131E0F4E113AFC13C561DA@marathon> <CAA=AuEdZKcNYbgGxJFF133CFjFTCuedUC2bvxj7ZUw_wmTB-BA@mail.gmail.com>
To: Jerome Athias <athiasjerome@gmail.com>
X-Mailer: Apple Mail (2.1508)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - webhost01.bluefrontier.co.uk
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - federatedbusiness.org
X-Get-Message-Sender-Via: webhost01.bluefrontier.co.uk: authenticated_id: patrick.curry@federatedbusiness.org
Cc: "mile@ietf.org" <mile@ietf.org>
Subject: Re: [mile] [Issue #9] Mapping @restriction to TLP
X-BeenThere: mile@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mile>, <mailto:mile-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mile>
List-Post: <mailto:mile@ietf.org>
List-Help: <mailto:mile-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mile>, <mailto:mile-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jul 2013 15:52:32 -0000
Hi Jerome, From a standards perspective, yes. Three of the major national cyber controls frameworks use TLP for information release. This is different from access control policies, which are a separate-but-linked matter. regards, Patrick Patrick Curry Director British Business Federation Authority - BBFA Ltd M: +44 786 024 9074 T: +44 1980 620606 patrick.curry@federatedbusiness.org www.federatedbusiness.org – a not-for-profit, self-regulating body On 29 Jul 2013, at 15:03, Jerome Athias <athiasjerome@gmail.com> wrote: Hi, It makes sense for me :) (I will cross-post this to this STIX discution http://making-security-measurable.1364806.n2.nabble.com/STIX-Profiles-td7580626.html ) 2013/7/29 Roman D. Danyliw <rdd@cert.org> Hi! See http://trac.tools.ietf.org/wg/mile/trac/ticket/9. The @restriction attribute is currently defined as follows: 1. public. There are no restrictions placed in the information. 2. need-to-know. The information may be shared with other parties that are involved in the incident as determined by the recipient of this document (e.g., multiple victim sites can be informed of each other). 3. private. The information may not be shared. 4. default. The information can be shared according to an information disclosure policy pre-arranged by the communicating parties. Would there be interest in migrating this definition to align with the Traffic Light Protocol originally developed by the UK National Infrastructure Security Coordination Centre, now Center for the Protection of National Infrastructure (http://www.cpni.gov.uk/)? See the following: US-CERT description, www.us-cert.gov/tlp Wikipedia reference, http://en.wikipedia.org/wiki/Traffic_Light_Protocol The current @restriction would require redefinition as the current 'need-to-know' does not map to a defined TLP category. The proposal is to map as follows: red <--> private amber <--> need-to-know green <--> (new proposed value) partner white <--> public 1. public. The information may be freely distributed without restriction. 2. partner. The information may be shared within a closed community of peers, partners, or affected parties, but cannot be published openly. 3. need-to-know. The information may be shared only with members of their own organization that have a need to know. 4. private. The information may not be shared. It is intended only for the named recipients. 5. default. The information can be shared according to an information disclosure policy pre-arranged by the communicating parties. 6. white. Same as public. 7. green. Same as partner. 8. amber. Same as need-to-know. 9. red. Same as private. The down-side of this proposal is that IODEFv2 (MILE) will have different semantics for an identical value present in IODEFv1 (INCH). Any community or application accustomed to tagging data as @restriction="need-to-know" in v1 would now need to use @restriction="partner" or "green" otherwise the information will be restricted more than intended. However, 'partner'/'green' might be too permissive depending on the definition of the consortium. Roman _______________________________________________ mile mailing list mile@ietf.org https://www.ietf.org/mailman/listinfo/mile _______________________________________________ mile mailing list mile@ietf.org https://www.ietf.org/mailman/listinfo/mile
- [mile] [Issue #9] Mapping @restriction to TLP Roman D. Danyliw
- Re: [mile] [Issue #9] Mapping @restriction to TLP Jerome Athias
- Re: [mile] [Issue #9] Mapping @restriction to TLP Patrick Curry