Re: [mile] Alissa Cooper's Discuss on draft-ietf-mile-rfc5070-bis-22: (with DISCUSS and COMMENT)

kathleen.moriarty.ietf@gmail.com Thu, 02 June 2016 12:49 UTC


Hi,

Thanks Alissa for the detailed review and Roman for addressing the issues raised.  Inline.

Sent from my iPhone

> On Jun 1, 2016, at 11:17 PM, Roman D. Danyliw <rdd@cert.org> wrote:
> 
> To clarify, a response to the DISCUSS and COMMENTs is in this thread
> 
>> -----Original Message-----
>> From: Roman D. Danyliw [mailto:rdd@cert.org]
>> Sent: Wednesday, June 1, 2016 10:52 PM
>> To: Alissa Cooper <alissa@cooperw.in>; The IESG <iesg@ietf.org>
>> Cc: draft-ietf-mile-rfc5070-bis@ietf.org; mile-chairs@tools.ietf.org;
>> mile@ietf.org; mile-chairs@ietf.org; takeshi_takahashi@nict.go.jp
>> Subject: RE: Alissa Cooper's Discuss on draft-ietf-mile-rfc5070-bis-22: (with
>> DISCUSS and COMMENT)
>> 
>> Hello Alissa!
>> 
>> Thanks for the review.  A response to the DISCUSS is inline ...
>> 
>>> -----Original Message-----
>>> From: Alissa Cooper [mailto:alissa@cooperw.in]
>>> Sent: Tuesday, May 31, 2016 7:24 PM
>>> To: The IESG <iesg@ietf.org>
>>> Cc: draft-ietf-mile-rfc5070-bis@ietf.org; Roman D. Danyliw
>>> <rdd@cert.org>; mile-chairs@tools.ietf.org; mile@ietf.org;
>>> mile-chairs@ietf.org; takeshi_takahashi@nict.go.jp; mile@ietf.org
>>> Subject: Alissa Cooper's Discuss on draft-ietf-mile-rfc5070-bis-22:
>>> (with DISCUSS and COMMENT)
>>> 
>>> Alissa Cooper has entered the following ballot position for
>>> draft-ietf-mile-rfc5070-bis-22: Discuss
>> 
>> [snip]
>> 
>>> ----------------------------------------------------------------------
>>> DISCUSS:
>>> ----------------------------------------------------------------------
>>> 
>>> The Confidence class as defined in 3.12.5 seems underspecified. It
>>> does not specify a max value, so some implementations might use 1 as
>>> the max while others might use 100.
>> 
>> Inherited from RFC5070, there are no ranges specified for a valid numeric
>> confidence value.  This was an explicit design choice kept in this draft to
>> preserve flexibility.  Acceptable ranges and how this value should be
>> interpreted are handled out of band.  This approach is consistent with the
>> overall design of the data model.  Consider that almost all of the classes in
>> the data model are optional.  The minimal valid document, shown in Section
>> 7.1, isn't useful.  Profiling between parties in a data sharing consortium will
>> determine which optional-in-the-RFC classes should be mandatory-in-the-
>> consortium.  This thinking extends to the semantics of classes like
>> Confidence.
>> 
>> 
>>> It's also hard to understand how a single confidence value is supposed
>>> to be applied to elements with multiple fields, as in 3.12 and 3.29.
>>> What do I do if I have high confidence in my estimate of SystemImpact
>>> but low confidence in my estimate of MonetaryImpact?
>> 
>> If the child classes don't have the same Confidence, then each can be
>> expressed in a distinct instance of the parent class.  For the high confidence
>> SystemImpact but low confidence MonetaryImpact do the following (per
>> Section 3.12):
>> 
>> <Incident ...>
>> ...
>>  <Assessment>
>>     <SystemImpact>...</SystemImpact>
>>     <Confidence rating="low" />
>>  </Assessment>
>>  <Assessment>
>>     <MonetaryImpact>...</MonetaryImpact>
>>     <Confidence rating="high"/>
>>  </Assessment>
>> </Incident>
>> 
>> This same approach doesn't apply to the Indicator class (Section 3.29).  There
>> is no way to granularly express a different confidence for different child
>> elements that compose the Indicator.  The value expressed in
>> Indicator/Confidence is a reflection of the confidence in the totality of the
>> information in that Indicator class.
>> 
>> It would be relatively straightforward to add a Confidence class to
>> Observable, IndicatorExpression, AttackPhase, Reference and AttackPhase.
>> With some redesign, the same could be done for ObservableReference,
>> IndicatorReference, StartTime and EndTime.
>> 
>>> ----------------------------------------------------------------------
>>> COMMENT:
>>> ----------------------------------------------------------------------
>>> 
>>> (1) Section 1: It would be useful to define "cyber," "cyber indicator"
>>> (somewhere before 3.29), "cyber threat," and "cyber event." I chuckled
>>> when I wrote that, but I'm serious. The term "cyber" did not appear in
>>> RFC 5070. It has clearly taken on some (mythical, perhaps) meaning in
>>> venues external to the IETF. I think if this document is going to use
>>> the term, it needs to explain what it means. If there are some
>>> external definitions to point to or adopt, that would be fine.
>> 
>> After a search, it would appear that "cyber" is used in the abstract, Section
>> 1.0 (Introduction), 1.3 (About the IODEF Data Model), 3.12.1 (SystemImpact),
>> 3.12.2 (BusinessImpact), 3.28 (IndicatorData) and 3.29 (Indicator) -- 14 times
>> total.  That can be cleaned up.  Specifically:
>> 
>> ** Section 1.0 uses the term "cyber security event" once.  I'm going to
>> assume that isn't controversial.

Computer security event or network computer security event might be a better way to phrase this to get rid of the term cyber and have a term that is more easily understood.

>> ** Sections 3.12.1 and 3.12.2 use the term "cyber physical system" four
>> times.  I'm going to assume this isn't controversial.

I'd agree this is okay as it's used frequently in the energy sector for their various devices (IoT, etc.).

>> ** s/cyber indicator/indicator/g will address four usages of "cyber"-as-an-
>> adjective in the abstract; and Sections 1.0, 3.28 and 3.29
>> ** s/cyber incident report/cybersecurity incident report/g will address one
>> more usage of "cyber"-as-an-adjective in Section 1.0

I'm with Stephen and Alissa on this; I don't think cyber adds anything.  What about security incident report or network computer security incident report?

>> ** I'll reword "cyber threats" and "cyber event mitigation" in Section 1.0; and
>> reevaluate the use of "cyber intelligence"
>> 

Thanks,
Kathleen 

>>> (2) Section 3.19.2: If I want to list the admin contact for a
>>> particular domain in a Contact element within a DomainContacts
>>> element, do I set the role in the Contact to "admin" or to "zone"? I
>>> think this is not entirely clear from how the roles are specified in
>>> 3.9 since most of the roles are more generic than "zone."
>> 
>> I'd say "admin".  You're right about the lack of symmetry of "zone" relative to
>> the others.  I'll dig through the mailing list to see if I can recollect why we
>> have this value.  At first blush, I'd say delete it.
>> 
>> Roman
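Added example, not part of the thread or of the draft: a consumer that follows Roman's one-Assessment-per-impact pattern and applies a consortium's out-of-band agreed numeric range, which is how the draft expects the unspecified Confidence maximum to be handled. The IODEF v2 namespace URI and the sample document are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

# Namespace assumed for the IODEF v2 data model (not given in the thread).
NS = {"iodef": "urn:ietf:params:xml:ns:iodef-2.0"}

# Constructed sample document, following Roman's pattern: one Assessment
# per impact class so each can carry its own Confidence.
SAMPLE = """<IODEF-Document version="2.00" xml:lang="en"
    xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">189493</IncidentID>
    <Assessment>
      <SystemImpact type="breach-privacy"/>
      <Confidence rating="high"/>
    </Assessment>
    <Assessment>
      <MonetaryImpact currency="USD">50000</MonetaryImpact>
      <Confidence rating="numeric">85</Confidence>
    </Assessment>
    <Assessment>
      <BusinessImpact type="degraded-reputation"/>
      <Confidence rating="numeric">7</Confidence>
    </Assessment>
  </Incident>
</IODEF-Document>"""


def assessment_confidence(xml_text, profile_max=100.0):
    """Map each *Impact child of an Assessment to its (rating, fraction).

    A "numeric" Confidence is checked against the range the sharing
    consortium agreed out of band (assumed here to be 0..profile_max) and
    normalised to 0..1, so a 0..1 partner and a 0..100 partner compare.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for assessment in root.iterfind(".//iodef:Assessment", NS):
        conf = assessment.find("iodef:Confidence", NS)
        rating = conf.get("rating", "unknown") if conf is not None else "unknown"
        fraction = None
        if rating == "numeric":
            value = float((conf.text or "").strip())
            if not 0.0 <= value <= profile_max:
                raise ValueError(f"confidence {value} outside agreed 0..{profile_max}")
            fraction = value / profile_max
        for child in assessment:
            local = child.tag.rsplit("}", 1)[-1]  # strip the namespace prefix
            if local.endswith("Impact"):
                result[local] = (rating, fraction)
    return result
```

For documents received from other parties, parse with defusedxml instead of the stdlib parser, since the profile agreement does not make the XML itself trustworthy.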