Re: [scap_interest] Scope of standards potentially moving to IETF

<douglas.m.taylor@bt.com> Thu, 16 February 2012 18:25 UTC

Return-Path: <douglas.m.taylor@bt.com>
X-Original-To: scap_interest@ietfa.amsl.com
Delivered-To: scap_interest@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCE2D11E808C for <scap_interest@ietfa.amsl.com>; Thu, 16 Feb 2012 10:25:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.598
X-Spam-Level:
X-Spam-Status: No, score=-5.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, GB_I_LETTER=-2, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WQJaKTN5YpjJ for <scap_interest@ietfa.amsl.com>; Thu, 16 Feb 2012 10:25:53 -0800 (PST)
Received: from smtpe1.intersmtp.com (smtp63.intersmtp.com [62.239.224.236]) by ietfa.amsl.com (Postfix) with ESMTP id B784D21F8573 for <scap_interest@ietf.org>; Thu, 16 Feb 2012 10:25:52 -0800 (PST)
Received: from EVHUB71-UKRD.domain1.systemhost.net (10.36.3.154) by RDW083A007ED63.smtp-e3.hygiene.service (10.187.98.12) with Microsoft SMTP Server (TLS) id 8.3.213.0; Thu, 16 Feb 2012 18:25:51 +0000
Received: from EVMHT35-UKDY.domain1.systemhost.net (193.113.31.60) by EVHUB71-UKRD.domain1.systemhost.net (10.36.3.154) with Microsoft SMTP Server (TLS) id 14.1.355.2; Thu, 16 Feb 2012 18:25:51 +0000
Received: from EMV33-UKDY.domain1.systemhost.net ([169.254.2.61]) by EVMHT35-UKDY.domain1.systemhost.net ([193.113.31.60]) with mapi; Thu, 16 Feb 2012 18:25:50 +0000
From: <douglas.m.taylor@bt.com>
To: <scap_interest@ietf.org>
Date: Thu, 16 Feb 2012 18:25:58 +0000
Thread-Topic: [scap_interest] Scope of standards potentially moving to IETF
Thread-Index: Aczs1LNzGMotNfxiQJewGZLo2jTRRAAAmICg
Message-ID: <99BE1B4FCEBDFC418F584DAE5EA8577B0FC6ADAEF6@EMV33-UKDY.domain1.systemhost.net>
References: <4F3CFD5E.2080106@ieca.com> <CB629973.2C9A5%kent_landfield@mcafee.com>
In-Reply-To: <CB629973.2C9A5%kent_landfield@mcafee.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_99BE1B4FCEBDFC418F584DAE5EA8577B0FC6ADAEF6EMV33UKDYdoma_"
MIME-Version: 1.0
Subject: Re: [scap_interest] Scope of standards potentially moving to IETF
X-BeenThere: scap_interest@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion List for IETFers interested in the Security Content Automation Protocol \(SCAP\)." <scap_interest.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scap_interest>, <mailto:scap_interest-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/scap_interest>
List-Post: <mailto:scap_interest@ietf.org>
List-Help: <mailto:scap_interest-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scap_interest>, <mailto:scap_interest-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Feb 2012 18:25:59 -0000

Interoperability testing/bake offs have long been useful in fully baking standards.  Frankly when I did some in the 90s with various IPSEC product vendors, we found that even little details could be mis-interpreted.  Simple things like little or big endian numbers in IP addresses would completely blow an interoperability test.  Ditto for different interpretations of key exchange steps, etc.  It took years to work out and took pushes by groups like ANX.

With that said, the IETF has never been in the business of certifying or validating products.  Most of those initiatives are either driven by vendors (usually pushed by their customers/service providers) or directly by customers (i.e. US Government or EU standards).  I would see that as a parallel effort to moving SCAP to an IETF standard.

Thanks,

Doug Taylor, CISSP
Bid Response Center, Security Solutions Designer
+1 972 830 8959 office
+1 214 683 4789 mobile

From: scap_interest-bounces@ietf.org [mailto:scap_interest-bounces@ietf.org] On Behalf Of Kent_Landfield@McAfee.com
Sent: Thursday, February 16, 2012 12:00 PM
To: scap_interest@ietf.org
Subject: Re: [scap_interest] Scope of standards potentially moving to IETF

  Would IETF also take a role in validating products?

Validated SCAP products today does not mean interoperable products and that is part of the problem existing in the community today. We have fallen into a false sense that if a product have been validated, then it is interoperable with the other SCAP products.  That is not the case.  What occurs in the validation process is a certain set of functionality and features are checked.  The entire set of specifications have not been.  For example: over two years ago there was a section of FDCC content that caused serious problem with domain controllers and affected the network in general.  A vendor found the issue, investigated what was causing the problem and then fixed and tested the solution.  The tested fix was then sent to the FDCC content maintenance team to be corrected in the FDCC content.  Instead of fixing the problem, they disabled the checks because they could not make the fix available.  The reason?  Not all vendors that were SCAP Validated had implemented the needed tests required by the OVAL specifications to use the fix...   These were core tests... That said, the validation program is now going to be testing the specifications more completely which should help.  There is a place for product capability validation and I don't see that going away anytime soon but it still does not assure interoperability.

I have been discussing interoperability testing between vendors for a while now.  That is where you see if you have real compatible products.  In that case, I give you my content and you give me your results in consumable SCAP results formats and visa versa.  The IETF's history of bake offs and interop testing between products would be a real step in the right direction.  This would also encourage vendors to implement the complete specifications in their products instead of just what is needed to "pass the test".

Interoperability is the real goal if we are looking to lay a foundation of plug and play security automation capabilities...

Kent Landfield
Director Content Strategy, Architecture and Standards

McAfee | An Intel Company
5000 Headquarters Dr.
Plano, Texas 75024

Direct: +1.972.963.7096
Mobile: +1.817.637.8026
Web: www.mcafee.com<http://www.mcafee.com/>

From: Sean Turner <turners@ieca.com<mailto:turners@ieca.com>>
Date: Thu, 16 Feb 2012 06:58:06 -0600
To: Adam Montville <amontville@tripwire.com<mailto:amontville@tripwire.com>>, "david.oliva@verizon.net<mailto:david.oliva@verizon.net>" <david.oliva@verizon.net<mailto:david.oliva@verizon.net>>
Cc: Michael Aharon Chernin <mchernin@dtcc.com<mailto:mchernin@dtcc.com>>, Kent Landfield <kent_landfield@mcafee.com<mailto:kent_landfield@mcafee.com>>, "scap_interest@ietf.org<mailto:scap_interest@ietf.org>" <scap_interest@ietf.org<mailto:scap_interest@ietf.org>>
Subject: Re: [scap_interest] Scope of standards potentially moving to IETF

(assuming there is a WG) It's mostly up to the WG.  There's still
IETF-wide, IESG and external party review of WG charters.

More inline below ...

spt

On 2/15/12 11:50 AM, Adam Montville wrote:
Hi David,

I think the answer to all three of your questions is really that it's all up to the working group.  The WG has an interest in ensuring interoperability, and standards are created based on running code.  USG may continue to require validation outside the context of the WG.  Finally, as the IETF is an open organization, participation from any organization, including USG, would be welcomed.

Adam

From:<david.oliva@verizon.net<mailto:david.oliva@verizon.net><mailto:david.oliva@verizon.net><mailto:david.oliva@verizon.net%3e>>
Date: Wed, 15 Feb 2012 10:42:34 -0600
To:<mchernin@dtcc.com<mailto:mchernin@dtcc.com><mailto:mchernin@dtcc.com><mailto:mchernin@dtcc.com%3e>>, kent_landfield<kent_landfield@mcafee.com<mailto:kent_landfield@mcafee.com><mailto:kent_landfield@mcafee.com>>,<scap_interest@ietf.org<mailto:scap_interest@ietf.org><mailto:kent_landfield@mcafee.com%3e%3e,%3cscap_interest@ietf.org%3cmailto:scap_interest@ietf.org%3e>>
Subject: Re: [scap_interest] Scope of standards potentially moving to IETF

Hello all:

I also believe that SCAP can be used worlwide and should be marketted accordingly.
Maybe allowing IETF to endorse them is a good idea.

I just have a few questions.

1.  Would IETF also take a role in validating products?

Some lurking greybeards may correct me, but I can't think of a time when
the IETF validated products - but maybe that depends on what you mean.
I can think of many bake-offs/interop events and reports of such events
that listed product x, y, and z and whether they interoperated on tests
a, b, and c.  If by validation you're thinking a letter/certificate from
the IETF saying product x is compliant with RFC ####, then I think that
won't happen.

2.  What mechanisms does IETF provide that encourage the cooperation needed for incorporation future specifications?

An open, consensus driven standardization process would be my answer.
List are open to anyone and drafts/RFCs are available for free.

3.  How would IETF take into account the input of U.S. Federal agencies in future specifications?

On USG participation, all participants in the IETF (including those of
the USG or any other Gov't) participate as individuals.  They're free
(in fact encouraged) to bring in-scope proposals to the WG.  Assuming
there's a debate about a particular feature/option in their proposal,
I'd expect them to defend their proposal just like everybody else does.
  Rationale like "We're the USG and you shalt do it this way" isn't
going to fly.  Rough consensus will rule the day.

David Oliva

On 02/15/12, Chernin, Michael A.<mchernin@dtcc.com<mailto:mchernin@dtcc.com><mailto:mchernin@dtcc.com><mailto:mchernin@dtcc.com%3e>>  wrote:

Kent, understood. Like the vendors, I do agree that certain standards need to go to IETF. But, today the only people that would be voting during IETF calls would be the federal government and security tool vendors. I am going to be hesitant in supporting a move of all standards until there are standards consumers (private sector customers) who will also be participating in IETF voting. I am trying to balance rapid development of standards using the IETF and complete vendor control of all standards. Once I see more consumer activity during voting, I will be more supportive of a large number of standards moving IETF.

I know I am early and jumping the gun on this, but I just wanted to get my story out there. At this time no standards have been specifically identified and no specific action is required at this time.

Aharon

DTCC Non-Confidential (White)
---------------------------------------------------
Michael "Aharon" Chernin
Security Automation Program Manager
Corporate Information Security -Depository Trust&  Clearing Corporation
O: 813-470-2173

From: Kent_Landfield@McAfee.com<mailto:Kent_Landfield@McAfee.com><mailto:Kent_Landfield@McAfee.com>  [mailto:Kent_Landfield@McAfee.com]
Sent: Tuesday, February 14, 2012 6:09 PM
To: Chernin, Michael A.; scap_interest@ietf.org<mailto:scap_interest@ietf.org><mailto:scap_interest@ietf.org>
Subject: Re: [scap_interest] Scope of standards potentially moving to IETF

>From my perspective TBD.

There are some that are unencumbered from and IPR perspective and those are potential candidates. Others will have to move as the appropriate consensus  is achieved and IPR issues are addressed.

The idea here from my perspective is to figure that out.

Kent Landfield
Director Content Strategy, Architecture and Standards

McAfee | An Intel Company
5000 Headquarters Dr.
Plano, Texas 75024

Direct: +1.972.963.7096
Mobile: +1.817.637.8026
Web: www.mcafee.com<http://www.mcafee.com/>

From: Michael Aharon Chernin<mchernin@dtcc.com<mailto:mchernin@dtcc.com><mailto:mchernin@dtcc.com><mailto:mchernin@dtcc.com%3e>>
Date: Tue, 14 Feb 2012 16:04:43 -0600
To: "scap_interest@ietf.org<mailto:scap_interest@ietf.org><mailto:scap_interest@ietf.org>"<scap_interest@ietf.org<mailto:scap_interest@ietf.org><mailto:scap_interest@ietf.org%3e%22%3cscap_interest@ietf.org%3cmailto:scap_interest@ietf.org%3e>>
Subject: [scap_interest] Scope of standards potentially moving to IETF

I am just going to jump right on out there and ask. Which standards are we looking to go to IETF? Specific SCAP standards or the entire SCAP umbrella?

Aharon

DTCC Non-Confidential (White)
---------------------------------------------------
Michael "Aharon" Chernin
Security Automation Program Manager
Corporate Information Security -Depository Trust&  Clearing Corporation
O: 813-470-2173

<BR>_____________________________________________________________
<FONT size=2><BR>
DTCC DISCLAIMER: This email and any files transmitted with it are
confidential and intended solely for the use of the individual or
entity to whom they are addressed. If you have received this email
in error, please notify us immediately and delete the email and any
attachments from your system. The recipient should check this email
and any attachments for the presence of viruses.  The company
accepts no liability for any damage caused by any virus transmitted
by this email.</FONT>
_______________________________________________
scap_interest mailing list
scap_interest@ietf.org<mailto:scap_interest@ietf.org><mailto:scap_interest@ietf.org>
https://www.ietf.org/mailman/listinfo/scap_interest


________________________________

_______________________________________________
scap_interest mailing list
scap_interest@ietf.org<mailto:scap_interest@ietf.org><mailto:scap_interest@ietf.org>
https://www.ietf.org/mailman/listinfo/scap_interest
_______________________________________________ scap_interest mailing list scap_interest@ietf.org<mailto:scap_interest@ietf.org><mailto:scap_interest@ietf.org>  https://www.ietf.org/mailman/listinfo/scap_interest

_______________________________________________
scap_interest mailing list
scap_interest@ietf.org<mailto:scap_interest@ietf.org>
https://www.ietf.org/mailman/listinfo/scap_interest