[scap_interest] Questions from David Harrington
Stephen Hanna <shanna@juniper.net> Fri, 05 November 2010 04:49 UTC
Return-Path: <shanna@juniper.net>
X-Original-To: scap_interest@core3.amsl.com
Delivered-To: scap_interest@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7076C3A67B5 for <scap_interest@core3.amsl.com>; Thu, 4 Nov 2010 21:49:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vyMhWn0LDnKV for <scap_interest@core3.amsl.com>; Thu, 4 Nov 2010 21:49:23 -0700 (PDT)
Received: from exprod7og111.obsmtp.com (exprod7og111.obsmtp.com [64.18.2.175]) by core3.amsl.com (Postfix) with ESMTP id 4526D3A67C2 for <scap_interest@ietf.org>; Thu, 4 Nov 2010 21:49:23 -0700 (PDT)
Received: from source ([66.129.224.36]) (using TLSv1) by exprod7ob111.postini.com ([64.18.6.12]) with SMTP ID DSNKTNOM3gYU2BUSW1r4A1rilI6P7FDyCo8r@postini.com; Thu, 04 Nov 2010 21:49:35 PDT
Received: from p-emfe01-wf.jnpr.net (172.28.145.24) by P-EMHUB02-HQ.jnpr.net (172.24.192.36) with Microsoft SMTP Server (TLS) id 8.2.254.0; Thu, 4 Nov 2010 21:45:30 -0700
Received: from EMBX01-WF.jnpr.net ([fe80::1914:3299:33d9:e43b]) by p-emfe01-wf.jnpr.net ([fe80::d0d1:653d:5b91:a123%11]) with mapi; Fri, 5 Nov 2010 00:45:29 -0400
From: Stephen Hanna <shanna@juniper.net>
To: "scap_interest@ietf.org" <scap_interest@ietf.org>
Date: Fri, 05 Nov 2010 00:45:26 -0400
Thread-Topic: Questions from David Harrington
Thread-Index: Act8pEQAeCo3PwzYQoC9RpPmilukqw==
Message-ID: <AC6674AB7BC78549BB231821ABF7A9AE907230F827@EMBX01-WF.jnpr.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [scap_interest] Questions from David Harrington
X-BeenThere: scap_interest@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Discussion List for IETFers interested in the Security Content Automation Protocol \(SCAP\)." <scap_interest.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/scap_interest>, <mailto:scap_interest-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/scap_interest>
List-Post: <mailto:scap_interest@ietf.org>
List-Help: <mailto:scap_interest-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scap_interest>, <mailto:scap_interest-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Nov 2010 04:49:24 -0000
David Harrington sent me some questions about SCAP and the SCAP BOF recently. These questions (included below) are thought-provoking. They should get some good discussions going on this list. Since I'm not an SCAP expert, I don't have answers to all of these myself. I have asked some SCAP experts to answer them. Please use a separate thread for each question so that people can follow the discussions more easily. Thanks, Steve Hanna ----------- To help the BOF organizers, I have some basic questions I would like to have answered during the BOF (and on the mailing list) 1) NIST is a national standardization organization. Is NIST/Mitre/DHS willing to give change control to IETF to develop this into an international standard? 2) Will the the NVD be made available for use with the international standard, by the whole IETF community? What requirements must be met to be allowed to access the NVD database? 3) various proposals to standardize IDS-related technologies have failed in IETF, mostly because the industry players seem not very interested in standards. Major players use their vulnerability and signature libraries as value-add features. They seem to develop proprietary protocols to suit their specific applications. Why will this be different? 4) In the past, IDS work has not been considered IETF work; IDS vendors tend to have their own security-related fora for sharing information. NEA has been brought into the IETF from the TSG, and the IEEE has created the Industry Connections Security Group that focuses on standardizing malware definitions. I personally would love to have that community come into the IETF and use the IETF process for **developing** the specifications, not just for approving the specifications after they're done. Is the industry seriously interested in participating in the IETF, or will they continue to create multiple security fora to develop specifications and then bring their specifications to the IETF for approval as RFCs? 5) The web page says "leaders in the SCAP community (including NIST, NSA, MITRE, and commercial vendors) have decided to explore taking the most stable and successful SCAP specifications to the IETF for adoption as Standards Track RFCs." Are these leaders expecting the IETF to rubber-stamp these mature/stable/successful specifications? I am especially concerned by the explanation that this BOF is to "explore whether the IETF would be an appropriate venue for such standardization ***when ready***." (emphasis mine). We have working groups explicitly to do the development work, not to accept specifications when ready. 6) Much of the SCAP standards are agreed-upon definitions, schemas, etc. These apparently are registered with Mitre. The listshow.net web page discusses this: "Formats for the existing enumerations such as CVE and CCE are good candidates as well. Note we are only talking about the actual enumeration formats, not the operational uses/administration of the enumerations. That would remain outside the IETF, as it is today." Does this mean IANA would not administer the relevant registries for these IETF standards? If not, how would the registrations be administered, and who controls them? What are the requirements (comparable to RFC5226)? 7) the web site says "We will continue to use this [open contribution] model for the development of new SCAP specifications and capabilities." Does this mean the SCAP community will work outside the WG to continue development of SCAP proposals? The IETF has rules it follows about things like downrefs, backwards compatibility, interoperability requirements, etc. What happens if SCAP-developed specifications do not interoperate properly with IETF standards developed by the SCAP WG, because SCAP decides to use different rules? 8) I have concerns this appears to be a request to rubber-stamp a national standard to make it an international standard. So if the IETF rubber-stamps this work from NIST, will the IETF also rubber-stamp work by CCSA? and comparable national standards organizations for UK, France, Germany, Italy, Spain, Korea, Japan, Canada, and ... ?
- [scap_interest] Questions from David Harrington Stephen Hanna
- Re: [scap_interest] Questions from David Harringt… Natale, Bob
- Re: [scap_interest] Questions from David Harringt… Waltermire, David
- Re: [scap_interest] Questions from David Harringt… Steve Hanna