Re: [mile] [sacm] New draft for review and comment: draft-field-mile-rolie-00.txt

Thanks John.

Authentication was the primary reason for a POST request, we'll look into
your suggestion. The example helped quickly grasp the idea. We'll look into
the draft in detail and come back with any comments. 

There are three specs now which are somewhat related although each for
different purposes,
1. SCAP Messages for IF-M draft -
http://www.trustedcomputinggroup.org/resources/tnc_scap_messages_for_ifm

2. Resource-Oriented Lightweight Indicator Exchange -
http://www.ietf.org/id/draft-field-mile-rolie-00.txt

3. Content Repository interface -
http://tools.ietf.org/html/draft-waltermire-content-repository-00 

I think all should align on a similar content exchange mechanism. Just a
thought, am not sure if it really make sense, haven't gone through each of
them in detail.

Thanks,
Chandra.

-----Original Message-----
From: sacm-bounces@ietf.org [mailto:sacm-bounces@ietf.org] On Behalf Of
Field, John
Sent: Thursday, October 04, 2012 1:28 AM
To: Luis Nunez
Cc: mile@ietf.org; sacm@ietf.org
Subject: Re: [sacm] New draft for review and comment:
draft-field-mile-rolie-00.txt

Luis,

Sorry for the delay in responding, I have been quite busy with a few
projects and also traveling.  Thanks for the feedback; scaprepo does look
interesting...  

I can easily imagine an integration where the representation of an
"incident" or "indicator" resource could also include a link to a
corresponding SCAP repository resource, say an OVAL benchmark or an OVAL
def, etc. that is related to the requested resource...a quick hack of an
example might look something like...

      HTTP/1.1 200 OK
      Date: Wed, 03 Oct 2012 17:30:11 GMT
      Content-Length: nnn
      Content-Type: application/atom+xml;type=entry;charset="utf-8"

      <?xml version="1.0" encoding="UTF-8"?>        
      <entry>
        <id>http://www.example.org/csirt/private/incidents/123456</id>
        <title>Sample Incident</title>
        <link href="http://www.example.org/csirt/private/incidents/123456"
rel="self"/>       <!-- by convention -->
        <link href="http://www.example.org/csirt/private/incidents/123456"
rel="alternate"/>  <!-- required by Atom spec -->
        <published>2012-08-04T18:13:51.0Z</published>
        <updated>2012-08-05T18:13:51.0Z</updated>

        <!-- the next and previous are just sequential access, may not map
to anything related to this IODEF Incident ID -->
        <link href="http://www.example.org/csirt/private/incidents/123457"
rel="next"/>
        <link href="http://www.example.org/csirt/private/incidents/123455"
rel="previous"/>

        <!-- link to SCAP Repo -->
        <link href="
https://www.scaprepo.com/SCAPRepoWebService/something..." rel="scaprepo"/>

        <content type="application/xml">
          <iodef:IODEF-Document lang="en"
xmlns:iodef="urn:ietf:params:xml:ns:iodef-1.0">
            <iodef:Incident purpose="traceback" restriction="need-to-know">
            ...  
          </iodef:IODEF-Document>
        </content>
      </entry>

The possibility of such an integration is exactly what motivated the draft.
The issues that would need to be resolved include making the authentication
to the scaprepo seamless (possible, at least in principal, using existing
Web Single Sign On protocols) and dealing with differences in interaction
style...for example, I notice that scaprepo seems to prefer the use of POST
for all operations (including a read operation).  As a general rule, it is
best to support GET for read operations, and reserve POST for write
operations.  But, this is a relatively minor issue at this point.  The more
important point is that by using a REST approach such an integration would
become possible, and that would be of benefit to users dealing with
indicators, incident response, and assessment and compliance, etc....we
could tie it all together quite nicely.

Thanks for commenting.  I'll take a deeper look at scaprepo when I get some
more time.

Regards,
John

-----Original Message-----
From: Luis Nunez [mailto:lnunez@c3isecurity.com] 
Sent: Thursday, September 06, 2012 11:36 AM
To: Field, John
Cc: sacm@ietf.org; mile@ietf.org
Subject: Re: [sacm] New draft for review and comment:
draft-field-mile-rolie-00.txt

John,
this definitely is of interest and could be related to past discussions
around content repositories.  

I know of two publicly accessible (REST) repositories that could potential
host this type of content.

http://scaprepo.com/SCAPRepoWebService
http://scapsync.com/api/

NIST is also working on a repository with webservices.

It would be interesting to prototype a sample document and flesh out issues.

-ln

On Sep 6, 2012, at 11:10 AM, Field, John wrote:

> All,
> 
> Cross posting this announcement from MILE to SACM, as I think this may be
of interest within the SCAP community as well.  
> 
> The new draft referenced below describes a RESTful HTTP binding for
sharing incident, indicator, and other cyber security-related information.
In particular, the draft includes a suggested approach to retrieving a
related benchmark resource.  
> 
> I hope you'll find this draft to be of interest.  
> 
> Please post any questions or comments to the MILE list.
> 
> Regards,
> John
> 
> // John P. Field 
> // Security Architect 
> // EMC Office of the CTO 
> 
> 
> 
> 
> 
> -----Original Message-----
> From: Field, John 
> Sent: Thursday, September 06, 2012 10:53 AM
> To: <mile@ietf.org>
> Subject: New draft for review and comment: draft-field-mile-rolie-00.txt
> 
> All,
> 
> Please note that I have just posted a new draft for review and comment.
As stated in the abstract, the draft describes a RESTful HTTP binding for
sharing incident, indicator, and other cyber security-related information.
I hope you'll find this document to be of interest, and I look forward to
discussing any questions and/or comments that the group may have.
> 
> Regards,
> John
> 
> // John P. Field 
> // Security Architect 
> // EMC Office of the CTO 
> 
> 
> -----Original Message-----
> From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org] 
> Sent: Wednesday, September 05, 2012 9:59 PM
> To: Field, John
> Subject: New Version Notification for draft-field-mile-rolie-00.txt
> 
> 
> A new version of I-D, draft-field-mile-rolie-00.txt
> has been successfully submitted by John P. Field and posted to the
> IETF repository.
> 
> Filename:	 draft-field-mile-rolie
> Revision:	 00
> Title:		 Resource-Oriented Lightweight Indicator Exchange
> Creation date:	 2012-09-05
> WG ID:		 Individual Submission
> Number of pages: 41
> URL:
http://www.ietf.org/internet-drafts/draft-field-mile-rolie-00.txt
> Status:          http://datatracker.ietf.org/doc/draft-field-mile-rolie
> Htmlized:        http://tools.ietf.org/html/draft-field-mile-rolie-00
> 
> 
> Abstract:
>   This document defines a resource-oriented approach to cyber security
>   information sharing.  Using this approach, a CSIRT or other
>   stakeholder may share and exchange representations of cyber security
>   incidents, indicators, and other related information as Web-
>   addressable resources.  The transport protocol binding is specified
>   as HTTP(S) with a MIME media type of Atom+XML.  An appropriate set of
>   link relation types specific to cyber security information sharing is
>   defined.  The resource representations leverage the existing IODEF
>   [RFC5070] and RID [RFC6545] specifications as appropriate.
>   Coexistence with deployments that conform to existing specifications
>   including RID [RFC6545] and Transport of Real-time Inter-network
>   Defense (RID) Messages over HTTP/TLS [RFC6546] is supported via
>   appropriate use of HTTP status codes.
> 
> 
> 
> 
> The IETF Secretariat
> 
> 
> _______________________________________________
> sacm mailing list
> sacm@ietf.org
> https://www.ietf.org/mailman/listinfo/sacm

_______________________________________________
sacm mailing list
sacm@ietf.org
https://www.ietf.org/mailman/listinfo/sacm