Re: [mile] Alissa Cooper's Discuss on draft-ietf-mile-rfc5070-bis-22: (with DISCUSS and COMMENT)
"Roman D. Danyliw" <rdd@cert.org> Thu, 02 June 2016 03:17 UTC
Return-Path: <rdd@cert.org>
X-Original-To: mile@ietfa.amsl.com
Delivered-To: mile@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08CE312D626; Wed, 1 Jun 2016 20:17:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oQUY59io7Kuo; Wed, 1 Jun 2016 20:17:45 -0700 (PDT)
Received: from plainfield.sei.cmu.edu (plainfield.sei.cmu.edu [192.58.107.45]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92E3E12D0E7; Wed, 1 Jun 2016 20:17:45 -0700 (PDT)
Received: from timber.sei.cmu.edu (timber.sei.cmu.edu [10.64.21.23]) by plainfield.sei.cmu.edu (8.14.4/8.14.4/1543) with ESMTP id u523HhtR015161; Wed, 1 Jun 2016 23:17:43 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cert.org; s=jthatj15xw2j; t=1464837463; bh=pS5i3m6S1mfP0S2eVfQjHsYKDQ+zvfFnipEwiWHzzwo=; h=From:To:CC:Subject:Date:Message-ID:References:In-Reply-To: Content-Type:Content-Transfer-Encoding:MIME-Version:Sender: Reply-To; b=V4nIhq8g5vwKeMhxpDnYZsmVvqUZ5EsjmzsHsh9abzy+/WACdUTqUefKxYi8siH3i a7c9ooGNGYOBuZBFzvRx6TtsVX9gffWZE+auYxOQPSWQwk97jTpoPJbB6PTQv6eCVq xeWCn8DTvvp10lYGASQtyMFUNnojSUgxXYB7baxs=
Received: from CASCADE.ad.sei.cmu.edu (cascade.ad.sei.cmu.edu [10.64.28.248]) by timber.sei.cmu.edu (8.14.4/8.14.4/1543) with ESMTP id u523FPtY032575; Wed, 1 Jun 2016 23:15:25 -0400
Received: from MARATHON.ad.sei.cmu.edu ([10.64.28.250]) by CASCADE.ad.sei.cmu.edu ([10.64.28.248]) with mapi id 14.03.0279.002; Wed, 1 Jun 2016 23:17:40 -0400
From: "Roman D. Danyliw" <rdd@cert.org>
To: Alissa Cooper <alissa@cooperw.in>, The IESG <iesg@ietf.org>
Thread-Topic: Alissa Cooper's Discuss on draft-ietf-mile-rfc5070-bis-22: (with DISCUSS and COMMENT)
Thread-Index: AQHRu5WwUczmdwb9r0SVyBJ6rZUDLZ/VY1fwgAAf1bA=
Date: Thu, 02 Jun 2016 03:17:39 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFCD974F6EE@marathon>
References: <20160531232347.20263.30439.idtracker@ietfa.amsl.com> <359EC4B99E040048A7131E0F4E113AFCD974F68E@marathon>
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFCD974F68E@marathon>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.22.6]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/mile/ea_k5zGYnAisambvY-NlFboRA98>
Cc: "mile@ietf.org" <mile@ietf.org>, "draft-ietf-mile-rfc5070-bis@ietf.org" <draft-ietf-mile-rfc5070-bis@ietf.org>, "mile-chairs@ietf.org" <mile-chairs@ietf.org>, "mile-chairs@tools.ietf.org" <mile-chairs@tools.ietf.org>
Subject: Re: [mile] Alissa Cooper's Discuss on draft-ietf-mile-rfc5070-bis-22: (with DISCUSS and COMMENT)
X-BeenThere: mile@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mile>, <mailto:mile-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mile/>
List-Post: <mailto:mile@ietf.org>
List-Help: <mailto:mile-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mile>, <mailto:mile-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jun 2016 03:17:48 -0000
To clarify, a response to the DISCUSS and COMMENTs are in this thread > -----Original Message----- > From: Roman D. Danyliw [mailto:rdd@cert.org] > Sent: Wednesday, June 1, 2016 10:52 PM > To: Alissa Cooper <alissa@cooperw.in>; The IESG <iesg@ietf.org> > Cc: draft-ietf-mile-rfc5070-bis@ietf.org; mile-chairs@tools.ietf.org; > mile@ietf.org; mile-chairs@ietf.org; takeshi_takahashi@nict.go.jp > Subject: RE: Alissa Cooper's Discuss on draft-ietf-mile-rfc5070-bis-22: (with > DISCUSS and COMMENT) > > Hello Alissa! > > Thanks for the review. A response to the DISCUSS is inline ... > > > -----Original Message----- > > From: Alissa Cooper [mailto:alissa@cooperw.in] > > Sent: Tuesday, May 31, 2016 7:24 PM > > To: The IESG <iesg@ietf.org> > > Cc: draft-ietf-mile-rfc5070-bis@ietf.org; Roman D. Danyliw > > <rdd@cert.org>; mile-chairs@tools.ietf.org; mile@ietf.org; > > mile-chairs@ietf.org; takeshi_takahashi@nict.go.jp; mile@ietf.org > > Subject: Alissa Cooper's Discuss on draft-ietf-mile-rfc5070-bis-22: > > (with DISCUSS and COMMENT) > > > > Alissa Cooper has entered the following ballot position for > > draft-ietf-mile-rfc5070-bis-22: Discuss > > [snip] > > > ---------------------------------------------------------------------- > > DISCUSS: > > ---------------------------------------------------------------------- > > > > The Confidence class as defined in 3.12.5 seems underspecified. It > > does not specify a max value, so some implementations might use 1 as > > the max while others might use 100. > > Inherited from RFC5070, there are no ranges specified for a valid numeric > confidence value. This was an explicit design choice kept in this draft to > preserve flexibility. Acceptable ranges and how this value should be > interpreted are handled out of band. This approach is consistent with the > overall design of the data model. Consider that almost all of the classes in > the data model are optional. The minimal valid document, shown is Section > 7.1, isn't useful. Profiling between parties in a data sharing consortium will > determine which optional-in-the-RFC classes should be mandatory-in-the- > consortium. This thinking extends to the semantics of classes like > Confidence. > > > > It's also hard to understand how a single confidence value is supposed > > to be applied to elements with multiple fields, as in 3.12 and 3.29. > > What do I do if I have high confidence in my estimate of SystemImpact > > but low confidence in my estimate of MonetaryImpact? > > If the child classes don't have the same Confidence, then each can be > expressed in a distinct instance of the parent class. For the high confidence > SystemImpact but low confidence MonetaryImpact do the following (per > Section 3.12): > > <Incident ...> > ... > <Assessment> > <SystemImpact>...</SystemImpact> > <Confidence rating="low" /> > </Assessment> > <Assessment> > <MonetaryImpact>...</MonetaryImpact> > <Confidence rating="high"/> > </Assessment> > </Incident> > > This same approach doesn't apply to the Indicator class (Section 3.29). There > is no way to granularly express a different confidence for different child > elements that compose the Indicator. The value expressed in > Indicator/Confidence is a reflection of the confidence in the totality of the > information in that Indicator class. > > It would be relatively straightforward to add a Confidence class to > Observable, IndicatorExpression, AttackPhase, Reference and AttackPhase. > With some redesign, the same could be done for ObservableReference, > IndicatorReference, StartTime and EndTime. > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > (1) Section 1: It would be useful to define "cyber," "cyber indicator" > > (somewhere before 3.29), "cyber threat," and "cyber event." I chuckled > > when I wrote that, but I'm serious. The term "cyber" did not appear in > > RFC 5070. It has clearly taken on some (mythical, perhaps) meaning in > > venues external to the IETF. I think if this document is going to use > > the term, it needs to explain what it means. If there are some > > external definitions to point to or adopt, that would be fine. > > After a search, it would appear that "cyber" is used in the abstract, Section > 1.0 (Introduction), 1.3 (About the IODEF Data Model), 3.12.1 (SystemImpact), > 3.12.2 (BusinessImpact), 3.28 (IndicatorData) and 3.29 (Indicator) -- 14 times > total. That can be cleaned up. Specifically: > > ** Section 1.0 uses the term "cyber security event" once. I'm going to > assume that isn't controversial. > ** Sections 3.12.1 and 3.12.2 use the term "cyber physical system" four > times. I'm going to assume this isn't controversial. > ** s/cyber indicator/indicator/g will address four usages of "cyber"-as-an- > adjective in the abstract; and Sections 1.0, 3.28 and 3.29 > ** s/cyber incident report/cybersecurity incident report/g will address one > more usage of "cyber"-as-an-adjective in Section 1.0 > ** I'll reword "cyber threats" and "cyber event mitigation" in Section 1.0; and > reevaluate the use of "cyber intelligence" > > > (2) Section 3.19.2: If I want to list the admin contact for a > > particular domain in a Contact element within a DomainContacts > > element, do I set the role in the Contact to "admin" or to "zone"? I > > think this is not entirely clear from how the roles are specified in > > 3.9 since most of the roles are more generic than "zone." > > I'd say "admin". You're right about the lack of symmetry of "zone" relative to > the others. I'll dig through the mailing list to see if I can recollect why we > have this value. At first blush, I'd say delete it. > > Roman
- Re: [mile] Alissa Cooper's Discuss on draft-ietf-… Kathleen Moriarty
- Re: [mile] Alissa Cooper's Discuss on draft-ietf-… Roman D. Danyliw
- [mile] Alissa Cooper's Discuss on draft-ietf-mile… Alissa Cooper
- Re: [mile] Alissa Cooper's Discuss on draft-ietf-… Roman D. Danyliw
- Re: [mile] Alissa Cooper's Discuss on draft-ietf-… Roman D. Danyliw
- Re: [mile] Alissa Cooper's Discuss on draft-ietf-… kathleen.moriarty.ietf