Re: [Secdispatch] Fw: New Version Notification for draft-paine-smart-indicators-of-compromise-00.txt

Kirsty P <Kirsty.p@ncsc.gov.uk> Fri, 13 March 2020 13:28 UTC

From: Kirsty P <Kirsty.p@ncsc.gov.uk>
To: Michael Richardson <mcr@sandelman.ca>
CC: "secdispatch@ietf.org" <secdispatch@ietf.org>
Date: Fri, 13 Mar 2020 13:28:48 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/lfeiBALLDkmkdvmd4HtMw-7ej94>

Thanks for your interest in the draft.

You’re right that we’re not setting out to specify a protocol, or necessarily an example of Best Current Practice, but the ability to detect and use Indicators of Compromise to protect against attack can be impacted heavily by protocol design decisions, so there is a clear benefit in providing a reference to help designers to consider this impact.

Given that, I hope that this will become an Informational RFC, but I’m keen to hear more thoughts on the most appropriate way to publish what we believe to be an important aid to those considering protocol security.


________________________________
From: Michael Richardson
Sent: Tuesday, March 10, 2020 17:38
To: Kirsty P
Cc: secdispatch@ietf.org
Subject: Re: [Secdispatch] Fw: New Version Notification for draft-paine-smart-indicators-of-compromise-00.txt


Hi, thank you for this interesting document.
It uses terminology which I did not know existed before.

The document does not specify a protocol of any kind, although MISP-project
is referenced.   It does not seem to be about any kind of directly
implementable Best Current Practice, but seems like background for something
bigger.

I'm not sure how publishing this as an RFC would be helpful.
Are you considering ways to represent the Indicators such that they can be
more easily exchanged?  I believe that the IETF has done a bunch of work in
that area (INCH, MILE, IODEF come to mind), but perhaps not exactly in this
direction.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

