Re: [mile] Review of rfc5070bis and schema
"Panos Kampanakis (pkampana)" <pkampana@cisco.com> Tue, 26 April 2016 16:16 UTC
Return-Path: <pkampana@cisco.com>
X-Original-To: mile@ietfa.amsl.com
Delivered-To: mile@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B725612D510 for <mile@ietfa.amsl.com>; Tue, 26 Apr 2016 09:16:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.517
X-Spam-Level:
X-Spam-Status: No, score=-15.517 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 50bY0I5SYXNc for <mile@ietfa.amsl.com>; Tue, 26 Apr 2016 09:16:35 -0700 (PDT)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3722112D13A for <mile@ietf.org>; Tue, 26 Apr 2016 09:16:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=18274; q=dns/txt; s=iport; t=1461687395; x=1462896995; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=QWCEzCUZyQ8R5j0gr/2fqs+eug4gP+W0hK1AobVmReQ=; b=fT3pXksda/XLQXbDuC7lVexGS5UBz9pEpW/WyKNIiSoYo8/IniZEeq2W cElQeU90pFg1RQ6GPU0NZIVLEgE1g+CQ2yJehfo5iB5tsO0bz6AdSYiNM 67Awxwiz5CiH1YmKYwN9nf4Y14Qif6wpknAs4w0DFZoR8MUBNksaF4SoY M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AOAgBNkx9X/4UNJK1egzhTfQa5eQENgXQXC4I8gzACHIEgOBQBAQEBAQEBZSeEQQEBAQMBAQEBIAQNOgQHBQcEAgEGAhEEAQEDAiMDAgICJQsUAQgIAgQBDQUIiBoIDpVvnReRIQEBAQEBAQEBAQEBAQEBAQEBAQEBAREEfIUlhEuEGQ6DGIJWBY1UhTgThHEBhXuIFIFuhE2DKXuEOY8vAR4BAUKCBRuBS2yHQj9/AQEB
X-IronPort-AV: E=Sophos;i="5.24,537,1454976000"; d="scan'208";a="265647495"
Received: from alln-core-11.cisco.com ([173.36.13.133]) by alln-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 26 Apr 2016 16:16:34 +0000
Received: from XCH-ALN-009.cisco.com (xch-aln-009.cisco.com [173.36.7.19]) by alln-core-11.cisco.com (8.14.5/8.14.5) with ESMTP id u3QGGYve007027 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 26 Apr 2016 16:16:34 GMT
Received: from xch-aln-010.cisco.com (173.36.7.20) by XCH-ALN-009.cisco.com (173.36.7.19) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Tue, 26 Apr 2016 11:16:33 -0500
Received: from xch-aln-010.cisco.com ([173.36.7.20]) by XCH-ALN-010.cisco.com ([173.36.7.20]) with mapi id 15.00.1104.009; Tue, 26 Apr 2016 11:16:33 -0500
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: "Roman D. Danyliw" <rdd@cert.org>, "mile@ietf.org" <mile@ietf.org>
Thread-Topic: Review of rfc5070bis and schema
Thread-Index: AQHRFdcLj611UqhPTkePeRKNT4Py159lD3TggDhx/6A=
Date: Tue, 26 Apr 2016 16:16:33 +0000
Message-ID: <53ad8503f96c496297396cb7d8aa726a@XCH-ALN-010.cisco.com>
References: <evyjj7c244y0pg0899sgirbg.1446514147343@email.android.com> <359EC4B99E040048A7131E0F4E113AFCD96ECFC8@marathon>
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFCD96ECFC8@marathon>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.150.32.95]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/mile/hvOwQoA8M8_guvHnEOJE0OFe9pc>
Subject: Re: [mile] Review of rfc5070bis and schema
X-BeenThere: mile@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mile>, <mailto:mile-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mile/>
List-Post: <mailto:mile@ietf.org>
List-Help: <mailto:mile-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mile>, <mailto:mile-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Apr 2016 16:16:38 -0000
Hi Roman, Sorry that I haven't reviewed the bis doc recently. As we were revamping the guidance doc https://tools.ietf.org/html/draft-ietf-mile-iodef-guidance-05 we realized that the watchlist elements have been removed from the bis document after the draft-ietf-mile-rfc5070-bis-06 version. The watchlists were used in the predicate logic for indicators of the same incident. Do you remember if there was a decision to remove the watchlist attributes from the classes? I couldn't find more information in the archives and I don't remember if there was a discussion in the list. Panos -----Original Message----- From: mile [mailto:mile-bounces@ietf.org] On Behalf Of Roman D. Danyliw Sent: Monday, March 21, 2016 5:08 PM To: Waltermire, David A. <david.waltermire@nist.gov>; mile@ietf.org Subject: Re: [mile] Review of rfc5070bis and schema Hi David! Thanks again for this review. Almost all have been address in versions -16 to -18. Inline is a response to each item. > -----Original Message----- > From: mile [mailto:mile-bounces@ietf.org] On Behalf Of Waltermire, > David > Sent: Monday, November 02, 2015 8:29 PM [snip] > Section 2.4: > > The following text is diffecult to parse. Consider rephrasing: > > This relationship between multiple > classes being translated instances of the same text is indicated by a > common identifier set in the translation-id attribute. Rewritten. > Section 2.12: > > Isn't this implemented as the PostalAddressType in the schema not xs:string? Yes. Fixed. > Section 2.16: > > There is a cross reference for the text "Section 3.3.8" that looks > like it is incorrect. No, the cross reference is right. Section 3.3.8 of https://www.w3.org/TR/xmlschema-2/. > General schema Comments: > - The schema is missing an XML declaration at the beginning. Fixed. > - Some type names are inconsistant with the overall type naming scheme > (e.g., systemimpact-type-type) That's intentional. The convention to name the types is "<element name> -dash- <attribute name> -type-". There are several attributes named type so that's why it looks odd. > - The type "yes-no-type" is not referenced in the schema. Removed. > - The outline numbering has many singular subsections (e.g., 3.13.1). > This issue may get raised by the RFC editor and should probably get > fixed/clarified before then. There are fewer now. I don't know how easily fix that and keep the document flow. > - Schema types for the REAL i/d type vary between float and double. Is > there a reason for this (e.g., Counter -> xs:double)? If so, it may > make sense to have specific types in the i/d to reflect the distinction. Fixed. REAL is now consistently xs:float. > - The prefixes used in section 3 and subsections (e.g., ds, xml) > should be documented at the beginning of section 3 for clarity. Could you please clarify. Do you mean where a namespace is used in Section 3, it should explained (e.g., xml:lang or ds:DigestAlgorithm)? > Section 3.2: > > - The cardinality of IndicatorData in the schema is 0..1 while in the > i/d it is 0..* Fixed. > - The observable-id attribute is marked as the STRING type, but is an > xs:ID type in the schema. All instances of xs:ID are required to be > unique in an XML instance. For this reason it should be marked as an > ID type in the i/d. This means we need a datatype for ID in section 2. Fixed. ID is a type in Section 2. Currently, Section 2.14. > - The definition for status -> ext-value uses the terminology "An > escape value used to extend this attribute". I recommend against using > the term "escape" here to avoid confusion with escaping. Perhaps it > would be better to use "A value used to indicate that this attribute > is extended and the actual value is provided using the ext-status attribute." Fixed. > Section 3.3: > - The colors values in the restriction class provide mappings to other > provided values, but they do not define the meaning of the colors. > They seem to relate to TLP. Perhaps we should reference the related UK TLP work? It is a reference to the UK. I wasn't able to find a reference. Can you help? > Section 3.6: > - The cardinality of IncidentId, URL, ThreatActor, and Campaign in the > schema are 1..*. In the i/d this matches in the UML text, but not in > the diagrams where they are 0..*. The cardinality on the parent choice > (1..*) should allow the individual elements to be 1..1. Let me know if > you have any questions on this. Fixed. > Section 3.7: > - ThreatActor -> ThreatActorId is inconsistant in the schema (1..1), > diagram (0..1), and text (1..*). > - ThreatActor -> Description is inconsistant in the schema and diagram > (0..*), and text (1..*). Fixed. > Section 3.8 > - Campaign -> CampaignID and Description are inconsistant in the > schema and diagram (0..1), and text (1..*). Fixed > Section 3.9 > - The schema is missing the ext-dtype attribute documented in the i/d. Fixed > Section 3.10 > - Is there a reason that Fax is limited to 0..1? I would guess some > organizations may have more than one Fax #. Fixed. > Section 3.10.2 > - The attribute 'translation-id' is missing in the i/d diagram and text. Fixed. ML_STRING classes are now only depicted once in the document. > Section 3.12.1 > - The requirement for at least one of Description or > DetectionConfiguration can be modeled a xs:choice with 1..* > cardinality in the schema. Other classes can probably be improved in the same way. True. I mentioned this in Prague (?). I thought the WG wasn't concerned about this as long as the text provided the clarity. WG: disagree? > Section 3.13: > - The element 'enum:Reference' in the i/d is not in the enum namespace > in the schema. > > Section 3.13.1: > - The element 'ReferenceName' should be 'enum:ReferenceName' in the > i/d text. > - The text starting with "At least one of these classes MUST be present." > appears to be improperly nested in the i/d. > > Section 3.14: > - The text: > > A least one instance of the possible three impact classes (i.e., > Impact, TimeImpact, or MonetaryImpact) MUST be present. > > Should read as: > > A least one instance of the possible five impact classes (i.e., > SystemImpact, BusinessImpact, TimeImpact, MonetaryImpact, or > IntendedImpact) MUST be present. > > - The IntendedImpact class doesn't appear to be documented in this section. > The text is confusing on this: > > Identically defined as Section 3.14.2 but describes intent rather > than the realized impact. > > Should be: > > Identical to the BusinessImpact class defined in Section 3.14.2, but > describes the intent rather > than the realized impact. Fixed. > Section 3.14.1: > - The attribute 'type' does not have the 'unknown' default value > defined in the schema. 'unknown' is not a valid enum value. > - The attribute 'type' allow the enum value admin in the schema. This > value is not documented in the i/d. > > Section 3.14.3: > - The schema is missing the 'ext-metrics' and 'ext-duration' > attributes defined in the i/d. > > Section 3.14.5: > > The 'Confidence' class is defined in the schme as: > > <xs:element name="Confidence"> > <xs:complexType mixed="true"> > <xs:attribute name="rating" use="required" > type="confidence-rating- type"/> > </xs:complexType> > </xs:element> > > To match the i/d it should be defined in the schema as: > > <xs:element name="Confidence"> > <xs:complexType> > <xs:simpleContent> > <xs:extension base="iodef:PositiveFloatType"> > <xs:attribute name="rating" use="required" > type="confidence-rating- type"/> > </xs:extension> > </xs:simpleContent> > </xs:complexType> > </xs:element> Fixed. > Section 3.15: > - The cardinality for 'HistoryItem' is "One or many." This is > different than the use of "One or more." in the rest of the document. > This should be made consistant with the rest of the draft. Also, check for other cases of this. Fixed. This was a pervasive problem. > Section 3.19: > - The schema allows Node to be 1..* while the i/d diagram and text is 1..1. Fixed 1:1. > Section 3.20: > - The schema defines a NodeRole element that is not documented in the i/d. > - The i/d defines a DateTime element that is not defined in the schema. > > Section 3.20.1: > - The base type of this class is xs:string in the schema. The i/d > diagram does not reflect this. > - Should the default for category be ipv6-addr given the emphasis on > transition? Fixed. > Section 3.20.2: > - The base type of this class is MLString in the schema. The i/d > diagram does not reflect this. Fixed. Classes no longer derive the MLString type. > - The i/d diagram and text is also missing the attribute translation-id. > - NodeRole -> Category is inconsistant where the schema has > 'c2-server' and the i/d has 'c2'. Fixed. > Section 3.20.3: > - The schema is missing the ext-unit attribute. Fixed. > Section 3.21.1: > - The values for 'record-type' are not documented in the i/d. There is > a "TODO" placeholder in the i/d. Fixed. RelatedDNS was redefined as an EXTENSION type. > Section 3.21.3: > - The 'SameDomainContact' element is 1..1 in the schema and 0..1 in > the i/d diagram and text. No, the schema is right. These elements are in an xs:choice, not xs:sequence: <xs:choice> <xs:element ref="iodef:SameDomainContact"/> <xs:element ref="iodef:Contact" minOccurs="1" maxOccurs="unbounded"/> </xs:choice> > Section 3.22: > - The choice between 'Port' and 'Portlist' should be changed to be > 1..1 in the schema to reflect the requirement for one of the two to be used in the i/d. Fixed. > Section 3.22.1: > - The 'IANAService' element is 1..1 in the schema and 0..1 in the i/d > diagram and text, Fixed. > Section 3.22.2: > - The attribute 'proto-name' is an xs:integer in the schema and > xs:string in the i/d. It looks like the schema needs to be changed based on the i/d text. >> - The attribute 'ext-dtype' is missing in the schema. > - the attribute 'dtype' is missing values "portlist" and "path" in the schema. Fixed. Now of type EXTENSION. > Section 3.22.4: > - The attribute has the name 'ext-dtype' in the schema and > 'enum-dtype' in the i/d diagram. > - SoftwareReference -> spec-name -> swid entry needs to have the > actual reference provided. Look for "fix me." Fixed. > Section 3.24: > - The cardnalities of EmailHeaderField, HashData, and SignatureData > are 0..* in the i/d diagram and 0..1 in the schema and i/d text. Fixed. > Section 3.25.1: > - The 'RecordItem' element is 1..* in the schema and 0..* in the i/d > diagram and text. Fixed. > Section 3.26.1: > - The attribute 'observable-id' is missing in the schema. Fixed. > Section 3.27.1: > - The element 'ds: X509Data' has a space in the i/d diagram that > should be removed. Fixed. > Section 3.28.1: > - The element 'FileType' has the type xs:integer in the schema and > xs:string in the i/d. The schema should be changed to xs:string based on the i/d text. > - The elements 'SignatureData' and 'AssociatedSoftware' in the i/d are > named differently in the schema. Fixed. > Section 3.29: > - The attribute 'ext-scope', which is defined in the schema, is > missing in the i/d diagram. Fixed. > Section 3.29.1: > - The element 'ds:CannonicalizationMethod' is 0..1 in the i/d and 1..1 > in the schema. Fixed. 0..1 > Section 3.29.2: > - The element AdditionalData is 0..* in the i/d and 1..1 in the schema. Fixed. > Section 3.32: > - The element 'AlternativeIndicatorID' is 0..* in the schema and 0..1 in the i/d. > - The element 'AdditionalData' is missing in the schema. Fixed. > Section 3.32.3: > - The attributes 'restriction' and 'ext-restriction' are defined in > the schema and are missing in the i/d. > - The element 'Service' is missing in the schema. > - The element 'AdditionalData' is 0..1 in the schema and 0..* in the i/d. > - A choice should be used to model the "extactly one" requirement. Fixed. > Section 3.32.3.1: > - The element 'BulkObservableList' is 0..1 in the schema and 1..1 in the i/d. > - The element 'AdditionalData' is 0..1 in the schema and 0..* in the i/d. Fixed. > Section 3.32.4: > - The cardinality of the elements do not match in the schema and i/d. Fixed. > Section 3.32.6: > - It is not clear what the type "EMPTY" means here. > - I don't recall if the "IDREF" data type was defined in section 2. Fixed. Yes, IDREF is a type in Section 2. > Section 3.32.7: > - It is not clear what the type "EMPTY" means here. > - I don't recall if the "IDREF" data type was defined in section 2. Fixed. Yes, IDREF is a type in Section 2. Thank you again! Roman _______________________________________________ mile mailing list mile@ietf.org https://www.ietf.org/mailman/listinfo/mile
- [mile] Review of rfc5070bis and schema Waltermire, David A.
- Re: [mile] Review of rfc5070bis and schema Roman D. Danyliw
- Re: [mile] Review of rfc5070bis and schema Panos Kampanakis (pkampana)
- Re: [mile] Review of rfc5070bis and schema Roman D. Danyliw