Re: [scap_interest] Questions from David Harrington

"Waltermire, David" <> Mon, 08 November 2010 10:01 UTC


Regarding question 1:

> 1) NIST is a national standardization organization. Is NIST/Mitre/DHS
> willing to give change control
> to IETF to develop this into an international standard?

If a specification is accepted by an IETF working group to be worked through the IETF process, NIST will give change control to the IETF.  We are committed to collaborate within the IETF community to resolve any challenges with the existing specifications and to enhance and extend the supported use cases.

Dave Waltermire
From: On Behalf Of Stephen Hanna
Sent: Friday, November 05, 2010 12:45 AM
Subject: [scap_interest] Questions from David Harrington

David Harrington sent me some questions about SCAP and the SCAP BOF
recently. These questions (included below) are thought-provoking.
They should get some good discussions going on this list.

Since I'm not an SCAP expert, I don't have answers to all of these
myself. I have asked some SCAP experts to answer them. Please use
a separate thread for each question so that people can follow the
discussions more easily.


Steve Hanna


To help the BOF organizers, I have some basic questions I would like
to have answered during the BOF (and on the mailing list)

1) NIST is a national standardization organization. Is NIST/Mitre/DHS
willing to give change control
to IETF to develop this into an international standard?

2) Will the NVD be made available for use with the international
standard, by the whole IETF community? What requirements must be met
to be allowed to access the NVD database?

3) Various proposals to standardize IDS-related technologies have
failed in IETF, mostly
because the industry players seem not very interested in standards.
Major players use their vulnerability and signature libraries as
value-add features. They seem to develop proprietary protocols to suit
their specific applications. Why will this be different?

4) In the past, IDS work has not been considered IETF work; IDS
vendors tend to have their own security-related fora for sharing
information. NEA has been brought into the IETF from the TSG, and the
IEEE has created the Industry Connections Security Group that focuses
on standardizing malware definitions.  I personally would love to have
that community come into the IETF and use the IETF process for
**developing** the specifications, not just for approving the
specifications after they're done. Is the industry seriously
interested in participating in the IETF, or will they continue to
create multiple security fora to develop specifications and then bring
their specifications to the IETF for approval as RFCs?

5) The web page says "leaders in the SCAP community (including NIST,
NSA, MITRE, and commercial vendors) have decided to explore taking the
most stable and successful SCAP specifications to the IETF for
adoption as Standards Track RFCs." Are these leaders expecting the
IETF to rubber-stamp these mature/stable/successful specifications? I
am especially concerned by the explanation that this BOF is to
"explore whether the IETF would be an appropriate venue for such
standardization ***when ready***."  (emphasis mine). We have working
groups explicitly to do the development work, not to accept
specifications when ready.

6) Much of the SCAP standards are agreed-upon definitions, schemas,
etc. These apparently are registered with Mitre. The web
page discusses this: "Formats for the existing enumerations such as
CVE and CCE are good candidates as well. Note we are only talking
about the actual enumeration formats, not the operational
uses/administration of the enumerations. That would remain outside the
IETF, as it is today."
Does this mean IANA would not administer the relevant registries for
these IETF standards? If not, how would the registrations be
administered, and who controls them? What are the requirements
(comparable to RFC5226)?

7) The web site says "We will continue to use this [open contribution]
model for the development of new SCAP specifications and
capabilities." Does this mean the SCAP community will work outside the
WG to continue development of SCAP proposals? The IETF has rules it
follows about things like downrefs, backwards compatibility,
interoperability requirements, etc. What happens if SCAP-developed
specifications do not interoperate properly with IETF standards
developed by the SCAP WG, because SCAP decides to use different rules?

8) I have concerns that this appears to be a request to rubber-stamp a
national standard to make it an international standard. So if the IETF
rubber-stamps this work from NIST, will the IETF also rubber-stamp
work by CCSA? And by comparable national standards organizations for the UK,
France, Germany, Italy, Spain, Korea, Japan, Canada, and ... ?
