Re: [sacm] Working Group Last Call for draft-ietf-sacm-vuln-scenario

[Jim Schaad <ietf@augustcellars.com>]

My memory can easily be faulty on this, nothing like going to a meeting long ago and only partially paying attention.  However I was under the impression that the purpose of this document was to help formulate the solutions that the WG needed to create.  This would include helping to figure out what goes into the IM, what interfaces, and what control are needed.  My impression was not that this was a high level document to describe how to operate a security program.

 

I have no way to evaluate if it meets the second goal, nor am I sure that it is useful to document that goal as I have zero basis to evaluate that on.  I definitely does not meet what I thought the goal of the document was.  This does not mean that I would be so violently oppose to publishing the document as to file an appeal or anything.

 

Jim

 

 

From: sacm [mailto:sacm-bounces@ietf.org] On Behalf Of Adam Montville
Sent: Thursday, August 25, 2016 5:25 AM
To: <sacm@ietf.org> <sacm@ietf.org>
Subject: Re: [sacm] Working Group Last Call for draft-ietf-sacm-vuln-scenario

 

Jim, I've reviewed your comments, thanks for making them.  I think your perspective is at a lower level than that which this draft intends to live.  The draft is intended to describe an operational scenario not at the network layer, but from the perspective of running and operating a security program.  I think some of the nits you have are probably valid, but many of your comments, I feel, may stem from the desire to have this scenario describe something at a lower level than that which was intended.

 

As someone familiar with security programs and the basic processes and procedures typically embodied by them, this draft made sense to me (as did many of the novel acronyms, having been in this problem domain for a while).

 

 

On Aug 24, 2016, at 3:02 PM, Adam Montville <adam.w.montville@gmail.com <mailto:adam.w.montville@gmail.com> > wrote:

 

I just noticed Jim's comments under a different subject (next time, please provide your comments under the same subject heading which makes judging consensus and open issues a bit less error prone and a bit easier).  Does anyone have any comment on Jim's findings?  https://mailarchive.ietf.org/arch/msg/sacm/JjvnpiodY9X32yjq72W-FIMLpB4  I'll reproduce his comments here.

 

Section 1 - first sentence.  This says that it is detailed.  I question that
statement as I found it to gloss over almost everything

The second sentence of the introduction makes a promise that I cannot find
fulfilled anyplace in the core text of this document.  How is this informing
protocol or data model development?  What I expect to see if a set of
statements in the document along the lines of "This affects means that we
need to have a protocol that does X" or "This affects the data model because
it needs to do Y."  I expect that this is going to be highlighted in the
text if that is the function of the document.

Section 1 - If prioritization is so important - should it affect the IM?

Section 1 - Are we expecting to publish vulnerabilities in the IM long term?
If so it would see that at least part of publication would be in scope.

Section 2 - are you sure you want me to read this?  Vulnerability
description information:  The subject of the first sentence is Information -
so it appears to say Information which can adversely impact. Kill everything
starting with which

Section 3 - bullet point 1 - How much of the processing is processing into
something that is SACM IM aware?  Actually, looking at most of these
assumptions they seem to be things that people have said that SACM should be
able to do.  It would be useful to call that out and say what things in SACM
will support these assumptions.

Section 3 - bullet point 4 - I have no idea what this says

Section 4.2 - What components are we talking about that it is going to
understood by?  This is the first time that I know that you have used this
word.  As far as I know, there is current no reason for any of this data to
be SACM data but could all be company proprietary.


I found this document to be very hard to review.  From my point of view it
is lacking any useful information and therefore does not help progress any
work in the group.  If it is published I will do my best to forget that it
ever existed and go forward.

Jim

Never ask for a review unless you really want one, you will probably not be
happy with the results.



Appendix I seems to be short on implementation specific details as promised
in section 4.1

B.1 para #1 - The last sentence makes zero sense to me

B.1 para #2-4 - You need to motivate these paragraphs.

 

On Aug 24, 2016, at 2:56 PM, Adam Montville <adam.w.montville@gmail.com <mailto:adam.w.montville@gmail.com> > wrote:

 

There seems to be good consensus on putting our vulnerability draft through to the IESG.  Henk had some terminology-related comments that were augmented by Jarrett.  The suggestion [1] was to change "Endpoint Vulnerability Assessment Capability" to "Endpoint Vulnerability Assessment Capabilities" (make it plural).  Given that we have consensus as it stands, I don't feel that we should require the draft to be updated, but the change is small, and simple, so we could do so easily.  Danny, would you be willing to make that small change before we submit the draft to IESG?

 

Kind regards,

 

Adam

 

[1] https://mailarchive.ietf.org/arch/msg/sacm/lPHC95Ug2lQWTYC1HG5s2iMOYic 

 

On Jul 28, 2016, at 9:20 AM, Adam Montville <adam.w.montville@gmail.com <mailto:adam.w.montville@gmail.com> > wrote:

 

This message starts a Working Group Last Call for the Internet-Draft ‘SACM Vulnerability Assessment Scenario’ — https://datatracker.ietf.org/doc/draft-ietf-sacm-vuln-scenario/.  Please send your comments, questions, and edit proposals to the WG mail list until August 5, 2016.  If you believe the document is ready to be submitted to the IESG for consideration as an Informational RFC, please send a short message stating so.

 

Kind regards,

 

Adam