Re: [sacm] Working Group Last Call for draft-ietf-sacm-vuln-scenario
Adam Montville <adam.w.montville@gmail.com> Wed, 24 August 2016 20:10 UTC
Return-Path: <adam.w.montville@gmail.com>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96A6D12D10D for <sacm@ietfa.amsl.com>; Wed, 24 Aug 2016 13:10:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FYxKuV3r-WHZ for <sacm@ietfa.amsl.com>; Wed, 24 Aug 2016 13:10:32 -0700 (PDT)
Received: from mail-oi0-x230.google.com (mail-oi0-x230.google.com [IPv6:2607:f8b0:4003:c06::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 893E412B02C for <sacm@ietf.org>; Wed, 24 Aug 2016 13:02:30 -0700 (PDT)
Received: by mail-oi0-x230.google.com with SMTP id f189so38231104oig.3 for <sacm@ietf.org>; Wed, 24 Aug 2016 13:02:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:message-id:mime-version:subject:date:references:to:in-reply-to; bh=EqscieLAqtYTY4B0oUvUQhyVvpmB6ch3UGftsDvyN40=; b=fAvCJfJkgZWzLYFPXh6+9OClwkfshl0t145p87biwAC59oSwcjKEECeIlDxFN+rdOS OjfKNLKPwhLYnw7PvSho11yU1sg6YqxtP9jPf05ffXvXz2HjuuJc4N3k3UBy5Q5Nkv4/ XTQWnytQqoBUxY8595mRkdUYuBWXp/eLrwMiwTZj6hFsKrYKe7gNGQrm8BVO5ZD+YJwn UUczO00dLECvwLU93dM9VToD+NfxxIsfxx5WbFDQNgvo7ZDNNYLhg6QMEmoTlZWSEI2C WIxO4Nuc+QlcMr5EEjF8dS8wHldzstlj67qWXeim7/ixgrkMTFxmivW5+b4tdrwSBGG8 mI9Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:message-id:mime-version:subject:date :references:to:in-reply-to; bh=EqscieLAqtYTY4B0oUvUQhyVvpmB6ch3UGftsDvyN40=; b=CFkr4/SUE4MMjIs3bsxD/GLupVGUOK1vzpnmQn1ahSQGPqgjdPtjO4GTD/wcDjI4sw Z4JiJ3vhYrk7nJnxzF59LDpBWxLJMQgkcNkfAwVxGvBUtHbC0L4ckymv6T0TTVdvjDIo KioEdTf7wvCSCawWZqsWXJMBdymZ/qQxuQphtAlJcD+S0kXn8LS8ILPU2WNl6pK5x7S9 XdS6N+zSc4h/Zoo86+VOJEnczeagZZws2IZ/OurTCRpif3WKGt6DrBlbfZa+HGZlmB8b 9OBJdTfeRKOViInUnMEdt+SJSpGbeS8mgMCxr1S4vqIrIUPMrb9RWk0VYpjlDq5kYJxR v8jA==
X-Gm-Message-State: AEkoouvursnROF0t+6SDa04TFLkxJHt9+X7KhUSqRmSV2hSxk0zaGfOcTxjeP3ZMyq9sfA==
X-Received: by 10.202.80.211 with SMTP id e202mr4028886oib.9.1472068949748; Wed, 24 Aug 2016 13:02:29 -0700 (PDT)
Received: from adams-mbp.attlocal.net (99-64-100-131.lightspeed.austtx.sbcglobal.net. [99.64.100.131]) by smtp.gmail.com with ESMTPSA id m43sm4753686otd.36.2016.08.24.13.02.28 for <sacm@ietf.org> (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 24 Aug 2016 13:02:29 -0700 (PDT)
From: Adam Montville <adam.w.montville@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_24BE01C9-389D-4366-BBB4-B64DE5EA2D3B"
Message-Id: <FA030A04-3B89-446D-ACC6-F1BDD8013BF4@gmail.com>
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Date: Wed, 24 Aug 2016 15:02:28 -0500
References: <B7DD871D-ED83-4399-B7C9-AAC016969C7D@gmail.com> <B57E8E91-8DDB-4E81-AFB5-2F893187CEEC@gmail.com>
To: "<sacm@ietf.org>" <sacm@ietf.org>
In-Reply-To: <B57E8E91-8DDB-4E81-AFB5-2F893187CEEC@gmail.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/oDe1UGrBLTlXNAVUjZ0PZCi1Oog>
Subject: Re: [sacm] Working Group Last Call for draft-ietf-sacm-vuln-scenario
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Aug 2016 20:10:33 -0000
I just noticed Jim's comments under a different subject (next time, please provide your comments under the same subject heading which makes judging consensus and open issues a bit less error prone and a bit easier). Does anyone have any comment on Jim's findings? https://mailarchive.ietf.org/arch/msg/sacm/JjvnpiodY9X32yjq72W-FIMLpB4 <https://mailarchive.ietf.org/arch/msg/sacm/JjvnpiodY9X32yjq72W-FIMLpB4> I'll reproduce his comments here. Section 1 - first sentence. This says that it is detailed. I question that statement as I found it to gloss over almost everything The second sentence of the introduction makes a promise that I cannot find fulfilled anyplace in the core text of this document. How is this informing protocol or data model development? What I expect to see if a set of statements in the document along the lines of "This affects means that we need to have a protocol that does X" or "This affects the data model because it needs to do Y." I expect that this is going to be highlighted in the text if that is the function of the document. Section 1 - If prioritization is so important - should it affect the IM? Section 1 - Are we expecting to publish vulnerabilities in the IM long term? If so it would see that at least part of publication would be in scope. Section 2 - are you sure you want me to read this? Vulnerability description information: The subject of the first sentence is Information - so it appears to say Information which can adversely impact. Kill everything starting with which Section 3 - bullet point 1 - How much of the processing is processing into something that is SACM IM aware? Actually, looking at most of these assumptions they seem to be things that people have said that SACM should be able to do. It would be useful to call that out and say what things in SACM will support these assumptions. Section 3 - bullet point 4 - I have no idea what this says Section 4.2 - What components are we talking about that it is going to understood by? This is the first time that I know that you have used this word. As far as I know, there is current no reason for any of this data to be SACM data but could all be company proprietary. I found this document to be very hard to review. From my point of view it is lacking any useful information and therefore does not help progress any work in the group. If it is published I will do my best to forget that it ever existed and go forward. Jim Never ask for a review unless you really want one, you will probably not be happy with the results. Appendix I seems to be short on implementation specific details as promised in section 4.1 B.1 para #1 - The last sentence makes zero sense to me B.1 para #2-4 - You need to motivate these paragraphs. > On Aug 24, 2016, at 2:56 PM, Adam Montville <adam.w.montville@gmail.com> wrote: > > There seems to be good consensus on putting our vulnerability draft through to the IESG. Henk had some terminology-related comments that were augmented by Jarrett. The suggestion [1] was to change "Endpoint Vulnerability Assessment Capability" to "Endpoint Vulnerability Assessment Capabilities" (make it plural). Given that we have consensus as it stands, I don't feel that we should require the draft to be updated, but the change is small, and simple, so we could do so easily. Danny, would you be willing to make that small change before we submit the draft to IESG? > > Kind regards, > > Adam > > [1] https://mailarchive.ietf.org/arch/msg/sacm/lPHC95Ug2lQWTYC1HG5s2iMOYic <https://mailarchive.ietf.org/arch/msg/sacm/lPHC95Ug2lQWTYC1HG5s2iMOYic> > >> On Jul 28, 2016, at 9:20 AM, Adam Montville <adam.w.montville@gmail.com <mailto:adam.w.montville@gmail.com>> wrote: >> >> This message starts a Working Group Last Call for the Internet-Draft ‘SACM Vulnerability Assessment Scenario’ — https://datatracker.ietf.org/doc/draft-ietf-sacm-vuln-scenario/ <https://datatracker.ietf.org/doc/draft-ietf-sacm-vuln-scenario/>. Please send your comments, questions, and edit proposals to the WG mail list until August 5, 2016. If you believe the document is ready to be submitted to the IESG for consideration as an Informational RFC, please send a short message stating so. >> >> Kind regards, >> >> Adam >
- Re: [sacm] Working Group Last Call for draft-ietf… Jarrett Lu
- Re: [sacm] Working Group Last Call for draft-ietf… Wolfkiel, Joseph L CIV DISA ID (US)
- Re: [sacm] Working Group Last Call for draft-ietf… Ira McDonald
- Re: [sacm] Working Group Last Call for draft-ietf… John Strassner
- Re: [sacm] Working Group Last Call for draft-ietf… Waltermire, David A. (Fed)
- Re: [sacm] Working Group Last Call for draft-ietf… Henk Birkholz
- Re: [sacm] Working Group Last Call for draft-ietf… Romascanu, Dan (Dan)
- Re: [sacm] Working Group Last Call for draft-ietf… Haynes, Dan
- Re: [sacm] Working Group Last Call for draft-ietf… Adam Montville
- Re: [sacm] Working Group Last Call for draft-ietf… Jessica Fitzgerald-McKay
- [sacm] Working Group Last Call for draft-ietf-sac… Adam Montville
- Re: [sacm] Working Group Last Call for draft-ietf… Adam Montville
- Re: [sacm] Working Group Last Call for draft-ietf… Adam Montville
- Re: [sacm] Working Group Last Call for draft-ietf… Adam Montville
- Re: [sacm] Working Group Last Call for draft-ietf… Jim Schaad
- Re: [sacm] Working Group Last Call for draft-ietf… Haynes, Dan