Re: [scap_interest] Questions from David Harrington

Hi,

I don't speak at any level for MITRE, NSA, NIST, or anyone else other than myself, but I'd like to provide some preliminary feedback to David's concerns ... hopefully, more authoritative individuals will speak up on behalf of the organizations cited in David's questions.

- My understanding is that you should think of the existing SCAP work as "rough consensus and running code".
- Many of the SCAP components are publicly available via nist.gov and MITRE's "making security measurable" site (http://msm.mitre.org).
- There is a lot more vendor support for some of the constituent SCAP standards in major COTS products than might be apparent w/o some investigation.
- The IETF should feel free to extend or refine existing SCAP standards and public implementations as it deems best for the Internet community.  Ideally, however, we'd seek a highly collaborative approach between Internet, user community, and industry on this particular front.
- MITRE is a federally funded R&D center (FFRDC) working in the public interest as a trusted advisor to its sponsors, and as an FFRDC is "prohibited from manufacturing products, competing with industry, or working for [e.g., representing]  commercial companies,".

Cheers,
BobN

-----Original Message-----
From: scap_interest-bounces@ietf.org [mailto:scap_interest-bounces@ietf.org] On Behalf Of Stephen Hanna
Sent: Friday, November 05, 2010 12:45 AM
To: scap_interest@ietf.org
Subject: [scap_interest] Questions from David Harrington

David Harrington sent me some questions about SCAP and the SCAP BOF
recently. These questions (included below) are thought-provoking.
They should get some good discussions going on this list.

Since I'm not an SCAP expert, I don't have answers to all of these
myself. I have asked some SCAP experts to answer them. Please use
a separate thread for each question so that people can follow the
discussions more easily.

Thanks,

Steve Hanna

-----------

To help the BOF organizers, I have some basic questions I would like
to have answered during the BOF (and on the mailing list)

1) NIST is a national standardization organization. Is NIST/Mitre/DHS
willing to give change control
to IETF to develop this into an international standard? 

2) Will the the NVD be made available for use with the international
standard, by the whole IETF community? What requirements must be met
to be allowed to access the NVD database?

3) various proposals to standardize IDS-related technologies have
failed in IETF, mostly
because the industry players seem not very interested in standards.
Major players use their vulnerability and signature libraries as
value-add features. They seem to develop proprietary protocols to suit
their specific applications. Why will this be different?

4) In the past, IDS work has not been considered IETF work; IDS
vendors tend to have their own security-related fora for sharing
information. NEA has been brought into the IETF from the TSG, and the
IEEE has created the Industry Connections Security Group that focuses
on standardizing malware definitions.  I personally would love to have
that community come into the IETF and use the IETF process for
**developing** the specifications, not just for approving the
specifications after they're done. Is the industry seriously
interested in participating in the IETF, or will they continue to
create multiple security fora to develop specifications and then bring
their specifications to the IETF for approval as RFCs?

5) The web page says "leaders in the SCAP community (including NIST,
NSA, MITRE, and commercial vendors) have decided to explore taking the
most stable and successful SCAP specifications to the IETF for
adoption as Standards Track RFCs." Are these leaders expecting the
IETF to rubber-stamp these mature/stable/successful specifications? I
am especially concerned by the explanation that this BOF is to
"explore whether the IETF would be an appropriate venue for such
standardization ***when ready***."  (emphasis mine). We have working
groups explicitly to do the development work, not to accept
specifications when ready.

6) Much of the SCAP standards are agreed-upon definitions, schemas,
etc. These apparently are registered with Mitre. The listshow.net web
page discusses this: "Formats for the existing enumerations such as
CVE and CCE are good candidates as well. Note we are only talking
about the actual enumeration formats, not the operational
uses/administration of the enumerations. That would remain outside the
IETF, as it is today."
Does this mean IANA would not administer the relevant registries for
these IETF standards? If not, how would the registrations be
administered, and who controls them? What are the requirements
(comparable to RFC5226)?

7) the web site says "We will continue to use this [open contribution]
model for the development of new SCAP specifications and
capabilities." Does this mean the SCAP community will work outside the
WG to continue development of SCAP proposals? The IETF has rules it
follows about things like downrefs, backwards compatibility,
interoperability requirements, etc. What happens if SCAP-developed
specifications do not interoperate properly with IETF standards
developed by the SCAP WG, because SCAP decides to use different rules?

8) I have concerns this appears to be a request to rubber-stamp a
national standard to make it an international standard. So if the IETF
rubber-stamps this work from NIST, will the IETF also rubber-stamp
work by CCSA? and comparable national standards organizations for UK,
France, Germany, Italy, Spain, Korea, Japan, Canada, and ... ?

_______________________________________________
scap_interest mailing list
scap_interest@ietf.org
https://www.ietf.org/mailman/listinfo/scap_interest