Re: [mile] Alissa Cooper's Discuss on draft-ietf-mile-rfc5070-bis-22: (with DISCUSS and COMMENT)

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Wed, 22 June 2016 19:52 UTC

In-Reply-To: <359EC4B99E040048A7131E0F4E113AFCD97668C6@marathon>
References: <20160531232347.20263.30439.idtracker@ietfa.amsl.com> <359EC4B99E040048A7131E0F4E113AFCD974F68E@marathon> <359EC4B99E040048A7131E0F4E113AFCD97668C6@marathon>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Wed, 22 Jun 2016 15:52:03 -0400
Message-ID: <CAHbuEH5W2m2tPrxnz614MFZ1P4mtswMCLb-kUc9Xk4sgFDLDng@mail.gmail.com>
To: "Roman D. Danyliw" <rdd@cert.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mile/jDD8wXDBlX6NLgeFl-Lv_90SyOE>
Cc: Alissa Cooper <alissa@cooperw.in>, The IESG <iesg@ietf.org>, "mile-chairs@ietf.org" <mile-chairs@ietf.org>, "mile-chairs@tools.ietf.org" <mile-chairs@tools.ietf.org>, "mile@ietf.org" <mile@ietf.org>, "draft-ietf-mile-rfc5070-bis@ietf.org" <draft-ietf-mile-rfc5070-bis@ietf.org>

Hi Alissa,

Do the updates address your concerns?

Thank you,
Kathleen

On Mon, Jun 20, 2016 at 10:56 AM, Roman D. Danyliw <rdd@cert.org> wrote:
> Hello Alissa,
>
>> -----Original Message-----
>> From: Roman D. Danyliw [mailto:rdd@cert.org]
>> Sent: Wednesday, June 01, 2016 10:52 PM
>> To: Alissa Cooper <alissa@cooperw.in>; The IESG <iesg@ietf.org>
>
> [snip]
>
>> > -----Original Message-----
>> > From: Alissa Cooper [mailto:alissa@cooperw.in]
>> > Sent: Tuesday, May 31, 2016 7:24 PM
>> > To: The IESG <iesg@ietf.org>
>
> [snip]
>
>> > ----------------------------------------------------------------------
>> > DISCUSS:
>> > ----------------------------------------------------------------------
>> >
>> > The Confidence class as defined in 3.12.5 seems underspecified. It
>> > does not specify a max value, so some implementations might use 1 as
>> > the max while others might use 100.
>>
>> Inherited from RFC5070, there are no ranges specified for a valid numeric
>> confidence value.  This was an explicit design choice kept in this draft to
>> preserve flexibility.  Acceptable ranges and how this value should be
>> interpreted are handled out of band.  This approach is consistent with the
>> overall design of the data model.  Consider that almost all of the classes in
>> the data model are optional.  The minimal valid document, shown in Section
>> 7.1, isn't useful.  Profiling between parties in a data sharing consortium will
>> determine which optional-in-the-RFC classes should be mandatory-in-the-
>> consortium.  This thinking extends to the semantics of classes like
>> Confidence.
>>
>>
>> > It's also hard to understand how a single confidence value is supposed
>> > to be applied to elements with multiple fields, as in 3.12 and 3.29.
>> > What do I do if I have high confidence in my estimate of SystemImpact
>> > but low confidence in my estimate of MonetaryImpact?
>>
>> If the child classes don't have the same Confidence, then each can be
>> expressed in a distinct instance of the parent class.  For the high confidence
>> SystemImpact but low confidence MonetaryImpact do the following (per
>> Section 3.12):
>>
>> <Incident ...>
>> ...
>>   <Assessment>
>>      <SystemImpact>...</SystemImpact>
>>      <Confidence rating="high"/>
>>   </Assessment>
>>   <Assessment>
>>      <MonetaryImpact>...</MonetaryImpact>
>>      <Confidence rating="low"/>
>>   </Assessment>
>> </Incident>
>>
>> This same approach doesn't apply to the Indicator class (Section 3.29).  There
>> is no way to granularly express a different confidence for different child
>> elements that compose the Indicator.  The value expressed in
>> Indicator/Confidence is a reflection of the confidence in the totality of the
>> information in that Indicator class.
>
> The following text was added to the Security considerations in -23 to reiterate the need to negotiate certain values out of band.
>
> 9.1.  Security
> [snip]
>    Certain classes may require out-of-band coordination to agree upon
>    their semantics (e.g., Confidence@rating="low" or DefinedCOA).  This
>    coordination MUST occur prior to operational data exchange to prevent
>    the incorrect interpretation of these select data elements.  When
>    parsing these data elements, implementations should validate, when
>    possible, that they conform to the agreed upon semantics.  These
>    semantics may need to be periodically reevaluated.
>
> The Confidence class was added to IndicatorExpression in the -23 draft that will allow confidence to be set for Observable, IndicatorExpression, ObservableReference and IndicatorReference.
>
> The following figure was added to Section 3.29.5 to clarify its use:
>
>     1                          :    <IndicatorExpression operator="or">
>     2                          :      <IndicatorExpression>
>     3 [O1 with low confidence] :        <Observable>..</Observable>
>     4                          :        <Confidence rating="low" />
>     5                          :      </IndicatorExpression>
>     6                          :      <IndicatorExpression>
>     7 [O2 with high confidence]:        <Observable>..</Observable>
>     8                          :        <Confidence rating="high" />
>     9                          :      </IndicatorExpression>
>    10                          :    </IndicatorExpression>
>
>    Equivalent expression: ((O1) OR (O2))
>
>           Figure 70: Varying confidence on particular Observables
>
>> > ----------------------------------------------------------------------
>> > COMMENT:
>> > ----------------------------------------------------------------------
>> >
>> > (1) Section 1: It would be useful to define "cyber," "cyber indicator"
>> > (somewhere before 3.29), "cyber threat," and "cyber event." I chuckled
>> > when I wrote that, but I'm serious. The term "cyber" did not appear in
>> > RFC 5070. It has clearly taken on some (mythical, perhaps) meaning in
>> > venues external to the IETF. I think if this document is going to use
>> > the term, it needs to explain what it means. If there are some
>> > external definitions to point to or adopt, that would be fine.
>>
>> After a search, it would appear that "cyber" is used in the abstract, Section
>> 1.0 (Introduction), 1.3 (About the IODEF Data Model), 3.12.1 (SystemImpact),
>> 3.12.2 (BusinessImpact), 3.28 (IndicatorData) and 3.29 (Indicator) -- 14 times
>> total.  That can be cleaned up.  Specifically:
>>
>> ** Section 1.0 uses the term "cyber security event" once.  I'm going to
>> assume that isn't controversial.
>> ** Sections 3.12.1 and 3.12.2 use the term "cyber physical system" four
>> times.  I'm going to assume this isn't controversial.
>> ** s/cyber indicator/indicator/g will address four usages of "cyber"-as-an-
>> adjective in the abstract; and Sections 1.0, 3.28 and 3.29
>> ** s/cyber incident report/cybersecurity incident report/g will address one
>> more usage of "cyber"-as-an-adjective in Section 1.0
>> ** I'll reword "cyber threats" and "cyber event mitigation" in Section 1.0; and
>> reevaluate the use of "cyber intelligence"
>
> The use of cyber was cleaned up in -23.
>
>> > (2) Section 3.19.2: If I want to list the admin contact for a
>> > particular domain in a Contact element within a DomainContacts
>> > element, do I set the role in the Contact to "admin" or to "zone"? I
>> > think this is not entirely clear from how the roles are specified in
>> > 3.9 since most of the roles are more generic than "zone."
>>
>> I'd say "admin".  You're right about the lack of symmetry of "zone" relative to
>> the others.  I'll dig through the mailing list to see if I can recollect why we
>> have this value.  At first blush, I'd say delete it.
>
> The "zone" value was deleted in -23 to eliminate confusion.
>
> Thanks for the detailed review.
>
> Roman



-- 

Best regards,
Kathleen
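As an added example (not code from the thread or from the IODEF draft), the following Python checker applies the out-of-band agreement that Section 9.1 asks implementations to validate: it walks a document, finds every Confidence element (per-Assessment, as in Roman's fragment, and per-IndicatorExpression, as added in -23), and reports ratings outside the agreed vocabulary or numeric values outside the agreed range. It assumes the RFC 7970 namespace `urn:ietf:params:xml:ns:iodef-2.0`; the profile and the sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed IODEF v2 namespace (RFC 7970, the published rfc5070-bis); not taken from the thread.
NS = "urn:ietf:params:xml:ns:iodef-2.0"
CONF_TAG = f"{{{NS}}}Confidence"

# Constructed consortium profile: the out-of-band agreement Section 9.1 calls for.
PROFILE = {"ratings": {"low", "medium", "high", "numeric"},
           "numeric_range": (0.0, 100.0)}   # assumed scale; the spec fixes none

# Constructed sample: per-Assessment and per-IndicatorExpression Confidence; not schema-complete.
SAMPLE = f"""<IODEF-Document version="2.00" xmlns="{NS}">
 <Incident purpose="reporting">
  <Assessment><SystemImpact type="unknown"/><Confidence rating="high"/></Assessment>
  <Assessment><MonetaryImpact/><Confidence rating="numeric">250</Confidence></Assessment>
  <Assessment><Confidence rating="certain"/></Assessment>
  <IndicatorData><Indicator><IndicatorExpression operator="or">
   <IndicatorExpression><Confidence rating="low"/></IndicatorExpression>
   <IndicatorExpression><Confidence rating="numeric">42</Confidence></IndicatorExpression>
  </IndicatorExpression></Indicator></IndicatorData>
 </Incident>
</IODEF-Document>"""

def check_confidence(elem, profile=PROFILE):
    """Return the list of ways one Confidence element violates the agreed profile."""
    rating, text, problems = elem.get("rating"), (elem.text or "").strip(), []
    if rating not in profile["ratings"]:
        problems.append(f"rating {rating!r} not in agreed vocabulary")
    if rating == "numeric":
        lo, hi = profile["numeric_range"]
        try:
            value = float(text)
        except ValueError:
            problems.append("rating 'numeric' needs a numeric value")
        else:
            if not lo <= value <= hi:
                problems.append(f"value {value:g} outside agreed range [{lo:g}, {hi:g}]")
    return problems

def validate_document(xml_text, profile=PROFILE):
    """Map each non-conforming Confidence to its problems, keyed by parent class and ordinal."""
    report, counts = {}, {}
    for parent in ET.fromstring(xml_text).iter():   # ElementTree has no parent links
        for child in (c for c in parent if c.tag == CONF_TAG):
            pname = parent.tag.split("}")[-1]       # strip the namespace from the parent tag
            counts[pname] = counts.get(pname, 0) + 1
            if probs := check_confidence(child, profile):
                report[f"{pname}[{counts[pname]}]"] = probs
    return report
```

Running `validate_document(SAMPLE)` flags the second Assessment (250 is outside the agreed 0..100 scale) and the third (rating "certain" was never agreed), while both IndicatorExpression confidences pass.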