Re: [mile] Stephen Farrell's Discuss on draft-ietf-mile-rfc5070-bis-22: (with DISCUSS and COMMENT)
"Roman D. Danyliw" <rdd@cert.org> Fri, 24 June 2016 18:23 UTC
Return-Path: <rdd@cert.org>
X-Original-To: mile@ietfa.amsl.com
Delivered-To: mile@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 093E912D532; Fri, 24 Jun 2016 11:23:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WDr2YeUwZHoD; Fri, 24 Jun 2016 11:23:00 -0700 (PDT)
Received: from plainfield.sei.cmu.edu (plainfield.sei.cmu.edu [192.58.107.45]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A102212D08E; Fri, 24 Jun 2016 11:23:00 -0700 (PDT)
Received: from pawpaw.sei.cmu.edu (pawpaw.sei.cmu.edu [10.64.21.22]) by plainfield.sei.cmu.edu (8.14.4/8.14.4/1543) with ESMTP id u5OIMv1d026442; Fri, 24 Jun 2016 14:22:57 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cert.org; s=jthatj15xw2j; t=1466792577; bh=fKWCup7k6NY41HATUwpiAh5rZK8GCH87T5OiG9I5g5A=; h=From:To:CC:Subject:Date:Message-ID:References:In-Reply-To: Content-Type:Content-Transfer-Encoding:MIME-Version:Sender: Reply-To; b=BvQ/SXknQ3nH01kv2gGyqwVHUgevlZE4DidqLOTBTMjiYWRpHfIbZ5l8SrShFsOqF hrcnbZzm3WQJBGCBg75zJpij3a64mh3EELHdNXsMR/B/DxEpQJ3HYMeXNGIlxVNpE7 YXlyeJbEnFAVetGlU3D5lr054JjzsJkM9Xs4gdIs=
Received: from CASCADE.ad.sei.cmu.edu (cascade.ad.sei.cmu.edu [10.64.28.248]) by pawpaw.sei.cmu.edu (8.14.4/8.14.4/1543) with ESMTP id u5OIMmJX010038; Fri, 24 Jun 2016 14:22:48 -0400
Received: from MARATHON.ad.sei.cmu.edu ([10.64.28.250]) by CASCADE.ad.sei.cmu.edu ([10.64.28.248]) with mapi id 14.03.0279.002; Fri, 24 Jun 2016 14:22:47 -0400
From: "Roman D. Danyliw" <rdd@cert.org>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, The IESG <iesg@ietf.org>
Thread-Topic: Stephen Farrell's Discuss on draft-ietf-mile-rfc5070-bis-22: (with DISCUSS and COMMENT)
Thread-Index: AQHRvGGk6V8kvuhBE0Wq6WhbUhyk4p/VbZAwgAEqngCAG/xNQIAFNCEAgAFF7bA=
Date: Fri, 24 Jun 2016 18:22:47 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFCD976BA35@marathon>
References: <20160601234150.16188.9970.idtracker@ietfa.amsl.com> <359EC4B99E040048A7131E0F4E113AFCD974F737@marathon> <5750568A.7020302@cs.tcd.ie> <359EC4B99E040048A7131E0F4E113AFCD97669C8@marathon> <576C2DDC.8000606@cs.tcd.ie>
In-Reply-To: <576C2DDC.8000606@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.22.6]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/mile/ioIB8dhDQ9EPnTug9okHoYeNHA8>
Cc: "mile@ietf.org" <mile@ietf.org>, "draft-ietf-mile-rfc5070-bis@ietf.org" <draft-ietf-mile-rfc5070-bis@ietf.org>, "mile-chairs@ietf.org" <mile-chairs@ietf.org>, "mile-chairs@tools.ietf.org" <mile-chairs@tools.ietf.org>
Subject: Re: [mile] Stephen Farrell's Discuss on draft-ietf-mile-rfc5070-bis-22: (with DISCUSS and COMMENT)
X-BeenThere: mile@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mile>, <mailto:mile-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mile/>
List-Post: <mailto:mile@ietf.org>
List-Help: <mailto:mile-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mile>, <mailto:mile-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jun 2016 18:23:08 -0000
Hello Stephen! > -----Original Message----- > From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie] > Sent: Thursday, June 23, 2016 2:44 PM > To: Roman D. Danyliw <rdd@cert.org>; The IESG <iesg@ietf.org> > Cc: mile@ietf.org; draft-ietf-mile-rfc5070-bis@ietf.org; > takeshi_takahashi@nict.go.jp; mile-chairs@ietf.org; mile- > chairs@tools.ietf.org > Subject: Re: Stephen Farrell's Discuss on draft-ietf-mile-rfc5070-bis-22: (with > DISCUSS and COMMENT) > > > Hiya, > > Sorry for being slow responding. See below for my belated > response:-) > > On 20/06/16 16:34, Roman D. Danyliw wrote: > > Hi Stephen! > > > >> -----Original Message----- > >> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie] > >> Sent: Thursday, June 02, 2016 11:54 AM > >> To: Roman D. Danyliw <rdd@cert.org>; The IESG <iesg@ietf.org> > >> Cc: mile@ietf.org; draft-ietf-mile-rfc5070-bis@ietf.org; > >> takeshi_takahashi@nict.go.jp; mile-chairs@ietf.org; mile- > >> chairs@tools.ietf.org > >> Subject: Re: Stephen Farrell's Discuss on draft-ietf-mile-rfc5070-bis-22: > (with > >> DISCUSS and COMMENT) > >> > >> > >> Hiya, > >> > >> On 02/06/16 04:36, Roman D. Danyliw wrote: > >>> Hello Stephen! > >>> > >>> Thanks for the review. A response to the DISCUSS and COMMENTs is > >>> inline ... > >>> > >>>> -----Original Message----- From: Stephen Farrell > >>>> [mailto:stephen.farrell@cs.tcd.ie] Sent: Wednesday, June 1, 2016 > >>>> 7:42 PM To: The IESG <iesg@ietf.org> Cc: > >>>> draft-ietf-mile-rfc5070-bis@ietf.org; Roman D. Danyliw > >>>> <rdd@cert.org>; mile-chairs@tools.ietf.org; mile@ietf.org; > >>>> mile-chairs@ietf.org; takeshi_takahashi@nict.go.jp; mile@ietf.org > >>>> Subject: Stephen Farrell's Discuss on > >>>> draft-ietf-mile-rfc5070-bis-22: (with DISCUSS and COMMENT) > >>> > >>> [snip] > >>> > >>>> ---------------------------------------------------------------------- > >>>> > >>>> > >> DISCUSS: > >>>> ---------------------------------------------------------------------- > >>>> > >>>> > >>>> > >> (1) 3.6: Does one confidence value apply to all of these? > >>>> That seems wrong. And over-confidence is attributing threat actor > >>>> identity is a real issue with real consequences, hence the discuss > >>>> to make sure we bottom out on this. I think it's just too > >>>> error-prone to be ablve to associate one confidence value with two > >>>> things about which one can have very different concreteness. Mixing > >>>> up high confidence in a campaign with a lack of confidence in > >>>> threat actor identification is precisely the kind of thing that > >>>> goes wrong, or that could be deliberately manipulated (for > >>>> eventual media/marketing reasons). (This overlaps with but isn't > >>>> quite the same as Alissa's 2nd discuss point. In this case, I'm > >>>> explicitly worried about the threat actor identity confidence, as > >>>> that has possibly severe impacts, so the resolution here could > >>>> differ from what results from Alissa's discuss.) > >>> > >>> The RelatedActivity class (Section 3.6) does have the ability to > >>> provide a single confidence value on all of the child classes in it. > >>> Per your example, yes, a single confidence value could be made both > >>> on the campaign and the actor. However, if more granularity was > >>> desired, one can express different confidence values for both the > >>> campaign and actor as follows (ThreatActor with low confidence but > >>> the Campaign with high confidence): > >>> > >>> <Incident ...> ... <RelatedActivity> <ThreatActor>...</ThreatActor> > >>> <Confidence rating="low" /> </RelatedActivity> <RelatedActivity> > >>> <Campaign>...</Campaign> <Confidence rating="high"/> > >>> </RelatedActivity> </Incident> > >> > >> Right, it's clear one can do the right thing, but it's not clear > >> what semantics apply when one does not do that. You could address > >> that in various ways, but I think in particular for the confidence/ > >> threat-actor combination, the draft does need to say how to interpret > >> whatever the document contains. > > > > The following was added to the Security Considerations of -23 to explicitly > call out that confidence assessment should not necessarily be trusted. > > > > 9.1. Security > > [snip] > > An IODEF implementation may act on the data in the document. These > > actions might be explicitly requested in the document or the result > > of analytical logic that triggered on data in the document. ... > > > > The recipient may > > interpret the contents of the document differently based on who sent > > it; or vary actions based on the sender. While the sender of the > > document may explicitly convey confidence in the data in a granular > > way using the Confidence class, the recipient is free to ignore or > > refine this information to make its own assessment. > > > > Certain classes may require out-of-band coordination to agree upon > > their semantics (e.g., Confidence@rating="low" or DefinedCOA). This > > coordination MUST occur prior to operational data exchange to prevent > > the incorrect interpretation of these select data elements. When > > parsing these data elements, implementations should validate, when > > possible, that they conform to the agreed upon semantics. These > > semantics may need to be periodically reevaluated. > > Hmm. I guess I'm still not convinced that that calls out the > problem I raised sufficiently clearly. I'll also be interested > in your response to Alissa's related discuss. (I think sorting > hers out properly will fix mine for sure though.) The changes made for Alissa's discuss is described here: https://www.ietf.org/mail-archive/web/mile/current/msg01939.html > TBH, I wonder if the right thing here is to say that documents > with ambiguous confidence elements MUST be treated as if the > confidence element were omitted. > > Would that work? Definitely. Would this last sentence address your concern: "... While the sender of the document may explicitly convey confidence in the data in a granular way using the Confidence class, the recipient is free to ignore or refine this information to make its own assessment. [start new text] Ambiguous Confidence elements in a document MUST be ignored by the recipient. " It's a restatement of your suggestion to match the existing style of the text. Roman
- Re: [mile] Stephen Farrell's Discuss on draft-iet… Kathleen Moriarty
- Re: [mile] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [mile] Stephen Farrell's Discuss on draft-iet… Roman D. Danyliw
- Re: [mile] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [mile] Stephen Farrell's Discuss on draft-iet… Roman D. Danyliw
- Re: [mile] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [mile] Stephen Farrell's Discuss on draft-iet… Kathleen Moriarty
- Re: [mile] Stephen Farrell's Discuss on draft-iet… Roman D. Danyliw
- Re: [mile] Stephen Farrell's Discuss on draft-iet… Kathleen Moriarty
- [mile] Stephen Farrell's Discuss on draft-ietf-mi… Stephen Farrell
- Re: [mile] Stephen Farrell's Discuss on draft-iet… Roman D. Danyliw
- Re: [mile] Stephen Farrell's Discuss on draft-iet… Stephen Farrell