Re: [scap_interest] Questions from David Harrington (Question 2)
"Waltermire, David" <david.waltermire@nist.gov> Mon, 08 November 2010 10:23 UTC
From: "Waltermire, David" <david.waltermire@nist.gov>
To: Stephen Hanna <shanna@juniper.net>, "scap_interest@ietf.org" <scap_interest@ietf.org>
Date: Mon, 08 Nov 2010 05:23:40 -0500
Subject: Re: [scap_interest] Questions from David Harrington (Question 2)
Regarding question 2:

> 2) Will the NVD be made available for use with the international
> standard, by the whole IETF community? What requirements must be met
> to be allowed to access the NVD database?

The NVD is already available for use by the international community. The security reference data contained within the NVD (data feeds based on CVE, CCE, CPE) is freely available to anyone that visits the site. The NVD supports language bundles for internationalization and contains some language translations contributed by the international community. When applicable, we are committed to enhancing the NVD to support standards developed within the IETF.

Sincerely,
David Waltermire
NIST

________________________________________
From: scap_interest-bounces@ietf.org [scap_interest-bounces@ietf.org] On Behalf Of Stephen Hanna [shanna@juniper.net]
Sent: Friday, November 05, 2010 12:45 AM
To: scap_interest@ietf.org
Subject: [scap_interest] Questions from David Harrington

David Harrington sent me some questions about SCAP and the SCAP BOF recently. These questions (included below) are thought-provoking. They should get some good discussions going on this list. Since I'm not an SCAP expert, I don't have answers to all of these myself. I have asked some SCAP experts to answer them.

Please use a separate thread for each question so that people can follow the discussions more easily.

Thanks,

Steve Hanna

-----------

To help the BOF organizers, I have some basic questions I would like to have answered during the BOF (and on the mailing list):

1) NIST is a national standardization organization. Is NIST/Mitre/DHS willing to give change control to IETF to develop this into an international standard?

2) Will the NVD be made available for use with the international standard, by the whole IETF community? What requirements must be met to be allowed to access the NVD database?

3) Various proposals to standardize IDS-related technologies have failed in IETF, mostly because the industry players seem not very interested in standards. Major players use their vulnerability and signature libraries as value-add features. They seem to develop proprietary protocols to suit their specific applications. Why will this be different?

4) In the past, IDS work has not been considered IETF work; IDS vendors tend to have their own security-related fora for sharing information. NEA has been brought into the IETF from the TSG, and the IEEE has created the Industry Connections Security Group that focuses on standardizing malware definitions. I personally would love to have that community come into the IETF and use the IETF process for **developing** the specifications, not just for approving the specifications after they're done. Is the industry seriously interested in participating in the IETF, or will they continue to create multiple security fora to develop specifications and then bring their specifications to the IETF for approval as RFCs?

5) The web page says "leaders in the SCAP community (including NIST, NSA, MITRE, and commercial vendors) have decided to explore taking the most stable and successful SCAP specifications to the IETF for adoption as Standards Track RFCs." Are these leaders expecting the IETF to rubber-stamp these mature/stable/successful specifications? I am especially concerned by the explanation that this BOF is to "explore whether the IETF would be an appropriate venue for such standardization ***when ready***." (emphasis mine). We have working groups explicitly to do the development work, not to accept specifications when ready.

6) Much of the SCAP standards are agreed-upon definitions, schemas, etc. These apparently are registered with Mitre. The listshow.net web page discusses this: "Formats for the existing enumerations such as CVE and CCE are good candidates as well. Note we are only talking about the actual enumeration formats, not the operational uses/administration of the enumerations. That would remain outside the IETF, as it is today." Does this mean IANA would not administer the relevant registries for these IETF standards? If not, how would the registrations be administered, and who controls them? What are the requirements (comparable to RFC5226)?

7) The web site says "We will continue to use this [open contribution] model for the development of new SCAP specifications and capabilities." Does this mean the SCAP community will work outside the WG to continue development of SCAP proposals? The IETF has rules it follows about things like downrefs, backwards compatibility, interoperability requirements, etc. What happens if SCAP-developed specifications do not interoperate properly with IETF standards developed by the SCAP WG, because SCAP decides to use different rules?

8) I have concerns that this appears to be a request to rubber-stamp a national standard to make it an international standard. So if the IETF rubber-stamps this work from NIST, will the IETF also rubber-stamp work by CCSA? And comparable national standards organizations for UK, France, Germany, Italy, Spain, Korea, Japan, Canada, and ... ?

_______________________________________________
scap_interest mailing list
scap_interest@ietf.org
https://www.ietf.org/mailman/listinfo/scap_interest