Re: [mile] Alissa Cooper's Discuss on draft-ietf-mile-rfc5070-bis-22: (with DISCUSS and COMMENT)
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Wed, 22 June 2016 19:52 UTC
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: mile@ietfa.amsl.com
Delivered-To: mile@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2041C12D912; Wed, 22 Jun 2016 12:52:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qb1MQ3vBjpoP; Wed, 22 Jun 2016 12:52:05 -0700 (PDT)
Received: from mail-vk0-x234.google.com (mail-vk0-x234.google.com [IPv6:2607:f8b0:400c:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60A6F12D909; Wed, 22 Jun 2016 12:52:05 -0700 (PDT)
Received: by mail-vk0-x234.google.com with SMTP id j2so76480178vkg.2; Wed, 22 Jun 2016 12:52:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=b+UnzFuh8LoOIFXx98J7ByeiLX7sUHj7dKkzDRQpVVE=; b=p/SisHlrO1T6NfsF9UhmYD/PLIdOnJYKJPgZvL0urRlSYtppUWgLXI91kt2H7Op/GS caZ4LQWjsr1PAcmFGlkZhGXa8Kcod9uUFu09R6MUbcCOqXC5zqf1f0uZ4yq0P+sAflOH Yn4OtpjuSLChsNCNoGmHUdGBwin9Cw5SoCQbi65Q2mkxgCAm6tB2m3TzWkdoo4Atl+AC b+EkGpXLawXsNYv9p5fyuL2vAlbdphpiN8Ct/7Km4GzL7reLztWymbdkmZVrCTRNTZmx EV+EOg8Q44LjH0VagW7eK128lcwjBVB8M14yBbiWjRlsM69ePkKzucoI5c9omS7s9GFu kL1g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=b+UnzFuh8LoOIFXx98J7ByeiLX7sUHj7dKkzDRQpVVE=; b=AEc6XrGhadDa2+oleQUupcuCmgWINcl1OX/ixcBoPucox0deXNnWCf4UuEa/ujfQ7F cxFcHj1OJQJ9s9ICF041nO9NnLrYw51vLWG1+Yj38olP5NSQWqQ8+Rb4E4KD9FvSFTJ3 Be1I9OyxDXKWWAo1sELFSiayd1yj07G/GvuyddB6l6eWYlQl0OCtU4fxWet4WJVJFIsA 4GDfGU3+pEw8OrxkgapCz91KV1hoiVQJc2hGl3/dXprNi2+4YQOd2m7cqJJfWX5+bITg gT0ae+6Tg4f1JG0bF2JlEsNUdCkiMB2XqPyMzwtnAPvQBGis3t+Y4qS3yLDCaoF7dQO4 Y7Dg==
X-Gm-Message-State: ALyK8tL/u3Vnlkpu7LUXrvPNse5XtCZ5yEUXO2CMz6uASSksuMelZyz/5Mc5K0RmanhG4jLCiGGa+xOVa7yNbw==
X-Received: by 10.159.54.162 with SMTP id p31mr13282153uap.113.1466625124479; Wed, 22 Jun 2016 12:52:04 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.159.36.236 with HTTP; Wed, 22 Jun 2016 12:52:03 -0700 (PDT)
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFCD97668C6@marathon>
References: <20160531232347.20263.30439.idtracker@ietfa.amsl.com> <359EC4B99E040048A7131E0F4E113AFCD974F68E@marathon> <359EC4B99E040048A7131E0F4E113AFCD97668C6@marathon>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Wed, 22 Jun 2016 15:52:03 -0400
Message-ID: <CAHbuEH5W2m2tPrxnz614MFZ1P4mtswMCLb-kUc9Xk4sgFDLDng@mail.gmail.com>
To: "Roman D. Danyliw" <rdd@cert.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mile/jDD8wXDBlX6NLgeFl-Lv_90SyOE>
Cc: Alissa Cooper <alissa@cooperw.in>, The IESG <iesg@ietf.org>, "mile-chairs@ietf.org" <mile-chairs@ietf.org>, "mile-chairs@tools.ietf.org" <mile-chairs@tools.ietf.org>, "mile@ietf.org" <mile@ietf.org>, "draft-ietf-mile-rfc5070-bis@ietf.org" <draft-ietf-mile-rfc5070-bis@ietf.org>
Subject: Re: [mile] Alissa Cooper's Discuss on draft-ietf-mile-rfc5070-bis-22: (with DISCUSS and COMMENT)
X-BeenThere: mile@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mile>, <mailto:mile-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mile/>
List-Post: <mailto:mile@ietf.org>
List-Help: <mailto:mile-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mile>, <mailto:mile-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jun 2016 19:52:21 -0000
Hi Alissa, Do the updates address your concerns? Thank you, Kathleen On Mon, Jun 20, 2016 at 10:56 AM, Roman D. Danyliw <rdd@cert.org> wrote: > Hello Alissa, > >> -----Original Message----- >> From: Roman D. Danyliw [mailto:rdd@cert.org] >> Sent: Wednesday, June 01, 2016 10:52 PM >> To: Alissa Cooper <alissa@cooperw.in>; The IESG <iesg@ietf.org> > > [snip] > >> > -----Original Message----- >> > From: Alissa Cooper [mailto:alissa@cooperw.in] >> > Sent: Tuesday, May 31, 2016 7:24 PM >> > To: The IESG <iesg@ietf.org> > > [snip] > >> > ---------------------------------------------------------------------- >> > DISCUSS: >> > ---------------------------------------------------------------------- >> > >> > The Confidence class as defined in 3.12.5 seems underspecified. It >> > does not specify a max value, so some implementations might use 1 as >> > the max while others might use 100. >> >> Inherited from RFC5070, there are no ranges specified for a valid numeric >> confidence value. This was an explicit design choice kept in this draft to >> preserve flexibility. Acceptable ranges and how this value should be >> interpreted are handled out of band. This approach is consistent with the >> overall design of the data model. Consider that almost all of the classes in >> the data model are optional. The minimal valid document, shown is Section >> 7.1, isn't useful. Profiling between parties in a data sharing consortium will >> determine which optional-in-the-RFC classes should be mandatory-in-the- >> consortium. This thinking extends to the semantics of classes like >> Confidence. >> >> >> > It's also hard to understand how a single confidence value is supposed >> > to be applied to elements with multiple fields, as in 3.12 and 3.29. >> > What do I do if I have high confidence in my estimate of SystemImpact >> > but low confidence in my estimate of MonetaryImpact? >> >> If the child classes don't have the same Confidence, then each can be >> expressed in a distinct instance of the parent class. For the high confidence >> SystemImpact but low confidence MonetaryImpact do the following (per >> Section 3.12): >> >> <Incident ...> >> ... >> <Assessment> >> <SystemImpact>...</SystemImpact> >> <Confidence rating="low" /> >> </Assessment> >> <Assessment> >> <MonetaryImpact>...</MonetaryImpact> >> <Confidence rating="high"/> >> </Assessment> >> </Incident> >> >> This same approach doesn't apply to the Indicator class (Section 3.29). There >> is no way to granularly express a different confidence for different child >> elements that compose the Indicator. The value expressed in >> Indicator/Confidence is a reflection of the confidence in the totality of the >> information in that Indicator class. > > The following text was added to the Security considerations in -23 to reiterate the need to negotiate certain values out of band. > > 9.1. Security > [snip] > Certain classes may require out-of-band coordination to agree upon > their semantics (e.g., Confidence@rating="low" or DefinedCOA). This > coordination MUST occur prior to operational data exchange to prevent > the incorrect interpretation of these select data elements. When > parsing these data elements, implementations should validate, when > possible, that they conform to the agreed upon semantics. These > semantics may need to be periodically reevaluated. > > The Confidence class was added to IndicatorExpression in the -23 draft that will allow confidence to be set for Observable, IndicatorExpression, ObservableReference and IndicatorReference. > > The following figure was added to Section 3.29.5 to clarify its use: > > 1 : <IndicatorExpression operator="or"> > 2 : <IndicatorExpression> > 3 [O1 with low confidence] : <Observable>..</Observable> > 4 : <Confidence rating="low" /> > 5 : </IndicatorExpression> > 6 : <IndicatorExpression> > 7 [O2 with high confidence]: <Observable>..</Observable> > 8 : <Confidence rating="high" /> > 9 : </IndicatorExpression> > 10 : </IndicatorExpression> > > Equivalent expression: ((O1) OR (O2)) > > Figure 70: Varying confidence on particular Observables > >> > ---------------------------------------------------------------------- >> > COMMENT: >> > ---------------------------------------------------------------------- >> > >> > (1) Section 1: It would be useful to define "cyber," "cyber indicator" >> > (somewhere before 3.29), "cyber threat," and "cyber event." I chuckled >> > when I wrote that, but I'm serious. The term "cyber" did not appear in >> > RFC 5070. It has clearly taken on some (mythical, perhaps) meaning in >> > venues external to the IETF. I think if this document is going to use >> > the term, it needs to explain what it means. If there are some >> > external definitions to point to or adopt, that would be fine. >> >> After a search, it would appear that "cyber" is used in the abstract, Section >> 1.0 (Introduction), 1.3 (About the IODEF Data Model), 3.12.1 (SystemImpact), >> 3.12.2 (BusinessImpact), 3.28 (IndicatorData) and 3.29 (Indicator) -- 14 times >> total. That can be cleaned up. Specifically: >> >> ** Section 1.0 uses the term "cyber security event" once. I'm going to >> assume that isn't controversial. >> ** Sections 3.12.1 and 3.12.2 use the term "cyber physical system" four >> times. I'm going to assume this isn't controversial. >> ** s/cyber indicator/indicator/g will address four usages of "cyber"-as-an- >> adjective in the abstract; and Sections 1.0, 3.28 and 3.29 >> ** s/cyber incident report/cybersecurity incident report/g will address one >> more usage of "cyber"-as-an-adjective in Section 1.0 >> ** I'll reword "cyber threats" and "cyber event mitigation" in Section 1.0; and >> reevaluate the use of "cyber intelligence" > > The use of cyber was cleaned up in -23. > >> > (2) Section 3.19.2: If I want to list the admin contact for a >> > particular domain in a Contact element within a DomainContacts >> > element, do I set the role in the Contact to "admin" or to "zone"? I >> > think this is not entirely clear from how the roles are specified in >> > 3.9 since most of the roles are more generic than "zone." >> >> I'd say "admin". You're right about the lack of symmetry of "zone" relative to >> the others. I'll dig through the mailing list to see if I can recollect why we >> have this value. At first blush, I'd say delete it. > > The "zone" value was deleted in -23 to eliminate confusion. > > Thanks for the detailed review. > > Roman -- Best regards, Kathleen
- Re: [mile] Alissa Cooper's Discuss on draft-ietf-… Kathleen Moriarty
- Re: [mile] Alissa Cooper's Discuss on draft-ietf-… Roman D. Danyliw
- [mile] Alissa Cooper's Discuss on draft-ietf-mile… Alissa Cooper
- Re: [mile] Alissa Cooper's Discuss on draft-ietf-… Roman D. Danyliw
- Re: [mile] Alissa Cooper's Discuss on draft-ietf-… Roman D. Danyliw
- Re: [mile] Alissa Cooper's Discuss on draft-ietf-… kathleen.moriarty.ietf