--- 1/draft-ietf-mile-rolie-03.txt 2016-10-24 11:15:57.243105880 -0700 +++ 2/draft-ietf-mile-rolie-04.txt 2016-10-24 11:15:57.315107655 -0700 @@ -1,59 +1,59 @@ MILE Working Group J. Field Internet-Draft Pivotal Intended status: Informational S. Banghart -Expires: January 9, 2017 D. Waltermire +Expires: April 27, 2017 D. Waltermire NIST - July 8, 2016 + October 24, 2016 Resource-Oriented Lightweight Information Exchange - draft-ietf-mile-rolie-03 + draft-ietf-mile-rolie-04 Abstract This document defines a resource-oriented approach for security automation information publication, discovery, and sharing. Using - this approach, producers may publish, share and exchange + this approach, producers may publish, share, and exchange representations of security incidents, attack indicators, software vulnerabilities, configuration checklists, and other security automation information as Web-addressable resources. Furthermore, consumers and other stakeholders may access and search this security information as needed, establishing a rapid and on-demand information exchange network for restricted internal use or public access repositories. This specification extends the Atom Publishing Protocol and Atom Syndication Format to transport and share security automation resource representations. Contributing to this document - The source for this draft is being maintained in GitHub. Suggested + The source for this draft is being maintained on GitHub. Suggested changes should be submitted as pull requests at . Instructions are on that page as well. Editorial changes can be managed in GitHub, but any substantial issues need to be discussed on the MILE mailing list. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on January 9, 2017. + This Internet-Draft will expire on April 27, 2017. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -62,89 +62,86 @@ include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. XML-related Conventions . . . . . . . . . . . . . . . . . . . 4 3.1. XML Namespaces . . . . . . . . . . . . . . . . . . . . . 4 - 3.2. RELAX NG Schema . . . . . . . . . . . . . . . . . . . . . 5 + 3.2. RELAX NG Compact Schema . . . . . . . . . . . . . . . . . 5 4. Background and Motivation . . . . . . . . . . . . . . . . . . 5 - 4.1. Message-oriented versus Resource-oriented Architecture . 6 - 4.1.1. Message-oriented Architecture . . . . . . . . . . . . 6 - 4.1.2. Resource-Oriented Architecture . . . . . . . . . . . 7 - 4.2. Use of the Atom Publishing Protocol . . . . . . . . . . . 8 - 5. ROLIE Requirements for the Atom Publishing Protocol . . . . . 9 - 5.1. AtomPub Service Documents . . . . . . . . . . . . . . . . 9 - 5.1.1. Use of the "app:workspace" Element . . . . . . . . . 9 - 5.1.2. Use of the "app:collection" Element . . . . . . . . . 10 - 5.2. Service Discovery . . . . . . . . . . . . . . . . . . . . 11 - 5.3. Transport Layer Security . . . . . . . . . . . . . . . . 11 - 5.4. User Authentication . . . . . . . . . . . . . . . . . . . 11 - 5.5. User Authorization . . . . . . . . . . . . . . . . . . . 12 - 5.6. / (forward slash) Resource URL . . . . . . . . . . . . . 12 - 5.7. HTTP methods . . . . . . . . . . . . . . . . . . . . . . 12 + 4.1. Proactive Sharing . . . . . . . . . . . . . . . . . . . . 5 + 4.2. Knowledge Aggregation . . . . . . . . . . . . . . . . . . 6 + 4.3. Resource-oriented Architecture . . . . . . . . . . . . . 6 + 5. ROLIE Requirements for the Atom Publishing Protocol . . . . . 7 + 5.1. AtomPub Service Documents . . . . . . . . . . . . . . . . 7 + 5.1.1. Use of the "app:workspace" Element . . . . . . . . . 8 + 5.1.2. Use of the "app:collection" Element . . . . . . . . . 8 + 5.2. Service Discovery . . . . . . . . . . . . . . . . . . . . 9 + 5.3. Transport Layer Security . . . . . . . . . . . . . . . . 10 + 5.4. User Authentication and Authorization . . . . . . . . . . 11 + 5.5. / (forward slash) Resource URL . . . . . . . . . . . . . 11 + 5.6. HTTP methods . . . . . . . . . . . . . . . . . . . . . . 11 6. ROLIE Requirements for the Atom Syndication Format . . . . . 12 - 6.1. Use of the "atom:feed" element . . . . . . . . . . . . . 13 + 6.1. Use of the "atom:feed" element . . . . . . . . . . . . . 12 6.1.1. Use of the "atom:category" Element . . . . . . . . . 13 6.1.2. Use of the "atom:link" Element . . . . . . . . . . . 14 - 6.1.3. Use of the "atom:updated" Element . . . . . . . . . . 16 - 6.2. Use of the "atom:entry" Element . . . . . . . . . . . . 16 + 6.1.3. Use of the "atom:updated" Element . . . . . . . . . . 15 + 6.2. Use of the "atom:entry" Element . . . . . . . . . . . . 15 6.2.1. Use of the "atom:content" Element . . . . . . . . . . 16 - 6.2.2. Use of the "atom:link" Element . . . . . . . . . . . 17 + 6.2.2. Use of the "atom:link" Element . . . . . . . . . . . 16 6.2.3. Use of the "rolie:format" Element . . . . . . . . . . 17 - - 6.3. Link Relations . . . . . . . . . . . . . . . . . . . . . 17 - 7. Use of OpenSearch . . . . . . . . . . . . . . . . . . . . . . 17 - 8. Characterizing ROLIE Collections and Resources . . . . . . . 18 - 8.1. Identification of Security Automation Information Types . 18 - 8.2. General Use of the "atom:category" Element . . . . . . . 19 - 8.3. Identification of Security Automation Information Formats 20 - 9. Formal Syntax for the ROLIE Schema . . . . . . . . . . . . . 20 - 10. IANA Considerations TODO . . . . . . . . . . . . . . . . . . 20 - 10.1. XML Namespaces and Schema URNs . . . . . . . . . . . . . 20 - 10.2. ROLIE Parameters . . . . . . . . . . . . . . . . . . . . 21 - 10.3. Security Resource Information Type Registry . . . . . . 21 - 11. Security Considerations TODO . . . . . . . . . . . . . . . . 22 - 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 24 - 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 24 - 13.1. Normative References . . . . . . . . . . . . . . . . . . 25 - 13.2. Informative References . . . . . . . . . . . . . . . . . 26 - 13.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 27 - Appendix A. Use Case Examples . . . . . . . . . . . . . . . . . 27 - A.1. Service Discovery . . . . . . . . . . . . . . . . . . . . 27 - A.2. Feed Retrieval . . . . . . . . . . . . . . . . . . . . . 30 - A.3. Entry Retrieval . . . . . . . . . . . . . . . . . . . . . 32 - A.4. Use Case: Search . . . . . . . . . . . . . . . . . . . . 34 - Appendix B. XACML Guidance . . . . . . . . . . . . . . . . . . . 36 - Appendix C. Relax NG Schema for ROLIE Extensions . . . . . . . . 38 - Appendix D. Change Tracking . . . . . . . . . . . . . . . . . . 38 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 39 + 6.2.4. Requirements for a Standalone Entry . . . . . . . . . 18 + 7. Available Extension Points Provided by ROLIE . . . . . . . . 18 + 7.1. The Category Extension Point . . . . . . . . . . . . . . 18 + 7.1.1. General Use of the "atom:category" Element . . . . . 19 + 7.1.2. Identification of Security Automation Information + Types . . . . . . . . . . . . . . . . . . . . . . . . 19 + 7.2. The "rolie:format" Extension Point . . . . . . . . . . . 21 + 7.3. The Link Relation Extension Point . . . . . . . . . . . . 21 + 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 + 8.1. XML Namespaces and Schema URNs . . . . . . . . . . . . . 21 + 8.2. ROLIE URN Sub-namespace . . . . . . . . . . . . . . . . . 22 + 8.3. ROLIE URN Parameters . . . . . . . . . . . . . . . . . . 22 + 8.4. ROLIE Security Resource Information Type Sub-Registry . . 23 + 9. Security Considerations . . . . . . . . . . . . . . . . . . . 24 + 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 26 + 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 26 + 11.1. Normative References . . . . . . . . . . . . . . . . . . 26 + 11.2. Informative References . . . . . . . . . . . . . . . . . 28 + 11.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 29 + Appendix A. Relax NG Compact Schema for ROLIE . . . . . . . . . 29 + Appendix B. Examples of Use . . . . . . . . . . . . . . . . . . 30 + B.1. Service Discovery . . . . . . . . . . . . . . . . . . . . 30 + B.2. Feed Retrieval . . . . . . . . . . . . . . . . . . . . . 33 + B.3. Entry Retrieval . . . . . . . . . . . . . . . . . . . . . 35 + Appendix C. Change History . . . . . . . . . . . . . . . . . . . 36 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 37 1. Introduction This document defines a resource-oriented approach to security automation information sharing that follows the REST (Architectural S tyles and the Design of Network-based Software Architectures) architectural style. In this approach, computer security resources are maintained in web-accessible repositories structured as Atom - Syndication Format [RFC4287] feeds. Representations of specific + Syndication Format [RFC4287] Feeds. Representations of specific types of security automation information are categorized and - organized into indexed collections, which may be requested by the - consumer. As the set of resource collections are forward facing, the + organized into indexed Collections which may be requested by the + consumer. As the set of resource Collections are forward facing, the consumer may search all available content for which they are authorized to view, and request the information resources which are desired. Through use of granular authentication and access controls, only authorized consumers may be permitted the ability to read or - write to a given feed. This approach is in contrast to, and meant to + write to a given Feed. This approach is in contrast to, and meant to improve on, the traditional point-to-point messaging system, in which consumers must request individual pieces of information from a server following a triggering event. The point-to-point approach creates a closed system of information sharing that encourages duplication of effort and hinders automated security systems. The goal of this document is to define a RESTful approach to security information communication with two primary intents: 1) increasing communication and sharing of incident reports, vulnerability assessments, configuration checklists, and other security automation @@ -152,23 +149,24 @@ standardized communication system to support automated computer security systems. In order to deal with the great variety in security automation information types and associated resource representations, this specification defines extension points that can be used to add support for new information types and associated resource representations by means of additional supplementary specification documents. This primary document is resource representation agnostic, and defines the core requirements of all implementations. - Those seeking to provide support for specific security automation - information types should refer to the specification for that format - described by the IANA registry found in section 10.3. + An overview of the extension system is provided in Section 7.Those + seeking to provide support for specific security automation + information types should refer to the specification for that domain + described by the IANA registry found in section 8.4. 2. Terminology The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT," "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. Definitions for some of the common computer security-related terminology used in this document can be found in Section 2 of [RFC5070]. @@ -181,154 +179,113 @@ to uniquely identify XML element names. It uses the following namespace prefix mappings for the indicated namespace URI: "app" is used for the "http://www.w3.org/2007/app" namespace defined in [RFC5023]. "atom" is used for the "http://www.w3.org/2005/Atom" namespace defined in [RFC4287]. "rolie" is used for the "urn:ietf:params:xml:ns:rolie:1.0" - namespace defined in section 10.1 of this specification. + namespace defined in section 8.1 of this specification. -3.2. RELAX NG Schema +3.2. RELAX NG Compact Schema Some sections of this specification are illustrated with fragments of a non-normative RELAX NG Compact schema [relax-NG]. However, the text of this specification provides the definition of conformance. - Complete schemas appear for the "urn:ietf:params:xml:ns:rolie-1.0" - namespace in appendix C. Schema for the "http://www.w3.org/2007/app" - and "http://www.w3.org/2005/Atom" namespaces appear in RFC5023 - appendix B [RFC5023] and RFC4287 appendix B [RFC4287] respectively. + Schema for the "http://www.w3.org/2007/app" and + "http://www.w3.org/2005/Atom" namespaces appear in RFC5023 appendix B + [RFC5023] and RFC4287 appendix B [RFC4287] respectively. 4. Background and Motivation - It is well known thatthreats to computer security are evolving ever - more rapidly as time goes on. As software increases in complexity, - the number of vulnerabilities in systems and networks can increase - exponentially. Threat actors looking to exploit these - vulnerabilities are making more frequent and more widely distributed - attacks across a large variety of systems. The adoption of liberal - information sharing amongst attackers creates a window of as little - as a few hours between the discovery of a vulnerability and attacks - on a vulnerable system. As the skills and knowledge required to - identify and combat these attacks become more and more specialized, - even a well established and secure system may find itself unable to - quickly respond to an incident. Effective identification of and - response to a sophisticated attack requires open cooperation and - collaboration between defending operators, software vendors, and end- - users. To improve the timeliness of responses, automation must be - used to acquire, contextualize, and put to use shared computer - security information. + Information sharing is one of the core components of automating + security processes. Vulnerabilities, configurations, software + identification, security incidents, and patching data are just a few + of the classes of information that are shared today to enable + effective security on a wide scale. However, as the scale of defense + broadens to sometimes global networks, and the inherent scaling + issues of human-in-the-loop sharing become apparent, the need for + automation and machine-to-machine communication becomes apparent. + +4.1. Proactive Sharing Existing approaches to computer security information sharing often - use message exchange patterns that are point-to-point, and event- - driven. Sometimes, information that may be useful to share with - multiple peers is only made available to peers after they have - specifically requested it. Unfortunately, a sharing peer may not - know, a priori, what information to request from another peer. Some - exsisting systems provide a mechanism for unsolicited information - requests, however these reports are again sent point-to-point, and - must be reviewed for relevance and then prioritized for action by the - recipient, introducing additional latency. + use message exchange patterns that are point-to-point. Sometimes, + information that may be useful to share with multiple peers is only + made available to peers after they have specifically requested it. + Unfortunately, a sharing peer may not know, a priori, what + information to request from another peer. Some existing systems + provide a mechanism for unsolicited information requests, however, + these reports are again sent point-to-point, and must be reviewed for + relevance and then prioritized for action by the recipient, + introducing additional latency. In order to adequately combat evolving threats, computer security - information resource providers should be enabled to share selected - information proactively as appropriate. Proactive sharing greatly - aids knowledge dissemination, and improves response times and - usability. + information resource providers should be able to share selected + information proactively. Proactive sharing greatly aids knowledge + dissemination, and improves response times and usability by allowing + the consumer to choose which information is relevant to its needs. For example, a security analyst can benefit by having the ability to search a comprehensive collection of attack indicators that have been published by a government agency, or by another member of a sharing consortium. The representation of each indicator may include links to the related resources, enabling an appropriately authenticated and authorized analyst to freely navigate the information space of indicators, incidents, vulnerabilities, and other computer security domain concepts as needed. In this way, an analyst can more effectively utilize the super set of information made publicly available. - Consider also the case of an automated endpoint management system - attempting to proactively prevent software flaws from compromising - the security of the affected systems. During its full network sweep, - the endpoint monitoring system would check each endpoint for outdated - or vulnerable software. This system would benefit from having access - to not only the software vendor's list of vulnerabilities, but also - vulnerabilities discovered by other vulnerability researchers. An - advanced system could even give back to this sharing consortium by - sharing any vulnerabilities that it discovers. The natural - conclusion of such a sharing network is an automated security - solution that can dynamically find and collect information from a - globally distributed web of information repositories. - - The following section discusses additional specific technical issues - that motivated the development of this alternative approach. - -4.1. Message-oriented versus Resource-oriented Architecture - - The existing approaches to computer security information sharing are - based upon message-oriented interactions. The following paragraphs - explore some of the architectural constraints associated with - message-oriented interactions and consider the relative merits of an - alternative model based on a resource-oriented architecture for use - in some use case scenarios. - - ROLIE specifies a resource-oriented architecture that attempts to - address the issues present in a message-oriented architecture. - -4.1.1. Message-oriented Architecture +4.2. Knowledge Aggregation - In general, message-based integration architectures may be based upon - either an RPC-style or a document-style binding. The message types - defined by Real-time Inter-network Defense (RID) [RFC6545] represents - an example of an RPC-style request. This approach imposes implied - requirements for conversational state management on both of the - communicating RID endpoint(s). Experience has shown that this state - management frequently becomes the limiting factor with respect to the - runtime scalability of an RPC-style architecture. + Additionally, there is value in maintaining a repository of knowledge + that can be queried by a new consumer, allowing this consumer to + identify and retrieve any information that is relevant to its needs. + In this way, the consumer can gain access to meaningful current and + historic information, catching up to the knowledge level of its + peers. - In addition, the practical scalability of a peer-to-peer message- - based approach will be limited by the administrative procedures - required to manage O(N^2) trust relationships and at least O(N) - policy groups. + Consider the case of an automated endpoint management system + attempting to proactively prevent software flaws and mis-configured + software from compromising the security of the affected systems. + During its full network sweep, the endpoint monitoring system would + check each endpoint for outdated, vulnerable, and mis-configured + software. This system would benefit from having access to not only + the software vendor's list of vulnerabilities and configuration + baselines, but also similar information discovered by other security + researchers. An advanced system could even give back to this sharing + consortium by sharing any relevant information discovered. - As long as the number of participating entities in an information - sharing consortium is limited to a relatively small number of nodes - (i.e., O(2^N), where N < 5), these scalability constraints may not - represent a critical concern. However, when there is a requirement - to support a significantly larger number of participating peers, a - different architectural approach will be required. Towards the goal - to create a large-scale network of entities sharing information, this - traditional architecture only creates small and isolated groupings of - sharing, encouraging effort duplication between these sharing - islands. One alternative to the message-based approach that has - demonstrated scalability and a high degree of connectedness is the - REST [REST] architectural style. + These capabilities support a federated collection of information + repositories that can be queried and contributed to by an + organization, further supporting automated security solutions. -4.1.2. Resource-Oriented Architecture +4.3. Resource-oriented Architecture Applying the REST architectural style to the problem domain of - security information sharing involves exposing information in any + security information sharing involves exposing information of any relevant type as simple Web-addressable resources. Each provider maintains their own repository of data, with public and private sections as needed. Any producer or consumer can then discover these - repositories, search for relevant feeds, and pull information from + repositories, search for relevant Feeds, and pull information from them. By using this approach, an organization can more quickly and easily share relevant data representations with a much larger and potentially more diverse constituency. A consumer may leverage virtually any available HTTP user agent in order to make requests of the service provider. This improved ease of use enables more rapid adoption and broader participation, thereby improving security for everyone. - A key aspect of any RESTful Web service is the ability provide + A key aspect of any RESTful Web service is the ability to provide multiple resource representations. For example, clients may request that a given resource representation be returned as XML, JSON, or in some other format. In order to enable backwards-compatibility and interoperability with existing implementations, the RESTful approach allows the provider to make differing formats available proactively, allowing the consumer to simply select the version that best suits them. Finally, an important principle of the REST architectural style is the focus on hypermedia as the engine of application state (HATEOAS). @@ -325,76 +282,46 @@ multiple resource representations. For example, clients may request that a given resource representation be returned as XML, JSON, or in some other format. In order to enable backwards-compatibility and interoperability with existing implementations, the RESTful approach allows the provider to make differing formats available proactively, allowing the consumer to simply select the version that best suits them. Finally, an important principle of the REST architectural style is the focus on hypermedia as the engine of application state (HATEOAS). - Rather than the server maintaining conversational state for each client, the server will instead include a suitable set of hyperlinks in the resource representation that is returned to the client. The included hyperlinks provide the client with a specific set of permitted state transitions. Using these links the client may perform an operation, such as updating or deleting the resource representation. The client may also be provided with hypertext links that can be used to navigate to any related resource. For example, - the resource representation for an incident object may contain links - to the related indicator resource(s). In this way, the server - remains stateless with respect to a series of client requests. - -4.1.2.1. A Resource-Oriented Use Case: "Mashup" - - In this section we consider an example scenario for creating a - computer security "mashup". - - A producer creates and maintains a feed of information on threat - actors, whilst another creates and maintains a feed of attack - indicators. Each has authorized a large consortium of security - analysts to access these feeds as they see fit. Any one of these - analysts can then make HTTP(s) requests to the servers to collect - sets of information from each provider. The resulting correlations - may yield new insights that enable a more timely and effective - defensive response. Of course, this report may, in turn, be made - available to others as a new Web-addressable resource, reachable via - another URL. By exposing information using the RESTful approach in - this way, the effectiveness of the collaboration amongst a consortium - of cyber security stakeholders can be greatly improved. - -4.2. Use of the Atom Publishing Protocol - - This specification defines a profile of the Atom Publishing Protocol - (AtomPub) [RFC5023] and Atom Syndication Format [RFC4287] providing - implementation requirements for a security information sharing - solution as a RESTful Web service. - - This document assumes that the reader has an understanding of both - the AtomPub and Atom Syndication Format specifications. - - The following two sections of this document provide requirements for - using the Atom Syndication Format and AtomPub as a RESTful binding - for security automation information sharing. + the resource representation for an object may contain links to the + related resource(s). In this way, the server remains stateless with + respect to a series of client requests. 5. ROLIE Requirements for the Atom Publishing Protocol This section describes a number of restrictions of and extensions to the Atom Publishing Protocol (AtomPub) [RFC5023] that define the use of that protocol in the context of a ROLIE-based solution. + This document assumes that the reader has an understanding of the + Atom Publishing Protocol specification. + 5.1. AtomPub Service Documents As described in RFC5023 section 8 [RFC5023], a Service Document is an XML-based document format that allows a client to dynamically - discover the collections provided by a publisher. A Service Document + discover the Collections provided by a publisher. A Service Document consists of one or more app:workspace elements that may each contain a number of app:collection elements. The general structure of a service document is as follows (from RFC5023 section 4.2 [RFC5023]): Service o- Workspace | | | o- Collection @@ -414,322 +341,347 @@ AtomPub concept of a Workspace, in ROLIE a Workspace represents an aggregation of Collections pertaining to security automation information resources. This specification does not impose any restrictions on the number of Workspaces that may be in a Service Document or the specific Collections to be provided within a given Workspace. The following restrictions are imposed on the use of the app:workspace element in ROLIE: - o A ROLE repository can host Collections containing both public and + o A ROLIE repository can host Collections containing both public and private information entries. It is RECOMMENDED that public and - private collections be segregated into different Workspaces. By + private Collections be segregated into different Workspaces. By doing this, Workspaces that contain private information can be - ignored by clients. + ignored by clients or can be omitted from the Service Document + provided to a client that lacks the appropriate privilege to + access the set of Collections associated with the Workspace. o Appropriate descriptions and naming conventions SHOULD be used to indicate the intended audience of each workspace. This helps to - facilitate the selection of appropriate Workspaces by clients. - - o An implementation can provide any number of Collections within a - given Workspace. It is RECOMMENDED that each collection appear in - only a single Workspace. This helps to reduce the number of - duplicate collections that need to be examined to discover - information that is relevant to a given client. + facilitate the selection of appropriate Workspaces by users. 5.1.2. Use of the "app:collection" Element In AtomPub, a Collection in a Service Document, represented by the "app:collection" element, provides metadata that can be used to point to a specific Atom Feed that contains information Entries that may be of interest to a client. The association between a Collection and a Feed is provided by the "href" attribute of the app:collection element. Building on the AtomPub concept of a Collection, in ROLIE a Collection represents a pointer to a group of security automation information resources pertaining to a given type of security - automation information. Collections are represented as Atom feeds as + automation information. Collections are represented as Atom Feeds as per RFC 5023. Feed specific requirements are defined in section 6.1. The following restrictions are imposed on the use of the app:collection element for ROLIE: o The atom:category elements contained in the app:categories element MUST be the same set of atom:categories used in the Atom Feed - indicated by the app:collection "href" attribute value. This - ensures that the category metadata associated with the Feed is - discoverable in the corresponding Collection in the Service - Document. + resource indicated by the app:collection "href" attribute value. + This ensures that the category metadata associated with the + Collection is discoverable in both the Feed and the corresponding + Collection in the Service Document. o An app:collection pertaining to a security automation information resource Feed MUST contain an app:categories element that minimally contains a single atom:category element with the - "scheme" attribute value of "urn:ietf:params:rolie:information- - type". This category MUST have an appropriate "term" attribute - value as defined in section 8.2. This ensures that a given - Collection corresponds to a specific type of security automation - information. + "scheme" attribute value of + "urn:ietf:params:rolie:category:information-type". This category + MUST have an appropriate "term" attribute value as defined in + section 7.1.1. This ensures that a given Collection corresponds + to a specific type of security automation information. o Any app:collection element that does not contain a descendant atom:category element with the "scheme" attribute value of - "urn:ietf:params:rolie:information-type" MUST be considered a non- - ROLIE Collection. This allows Collections pertaining to security - automation information to co-exist alongside Collections of other - non-ROLIE information within the same AtomPub instance. + "urn:ietf:params:rolie:category:information-type" MUST be + considered a non-ROLIE Collection. This allows Collections + pertaining to security automation information to co-exist + alongside Collections of other non-ROLIE information within the + same AtomPub instance. - o The app:categories element in an app:collection may include + o The app:categories element in an app:collection MAY include additional atom:category elements using a scheme other than - "urn:ietf:params:rolie:information-type". This allows other - category metadata to be included. + "urn:ietf:params:rolie:category:information-type". This allows + other category metadata to be included. 5.2. Service Discovery This specification requires that an implementation MUST publish an Atom Service Document that describes the set of security information - sharing collections that are provided by the repository. + sharing Collections that are provided by the repository. The service document SHOULD be discoverable via the organization's Web home page or another well-known public resource. An example of - this can be found in appendix A.1. + this can be found in appendix B.1. - The service document SHOULD (TODO: MUST?) be located at the - standardized location "https://{host:port}/rolie/servicedocument", - where {host:port} is the authority portion of the URI. Dereferencing - this URI MAY result in a redirect based on a HTTP 3xx status code to - direct the client to the actual service document. This allows - clients to have a well-known location to find a ROLIE service - document, while giving implmentations flexibility over how the - service is deployed. + The service document SHOULD be located at the standardized location + "https://{host:port}/rolie/servicedocument", where {host:port} is the + authority portion of the URI. Dereferencing this URI MAY result in a + redirect based on a HTTP 3xx status code to direct the client to the + actual service document. This allows clients to have a well-known + location to find a ROLIE service document, while giving + implementations flexibility over how the service is deployed. When deploying a service document for use by a closed consortium, the - service document MAY also be digitally signed and/or encrypted. + service document MAY also be digitally signed and/or encrypted. For + example, consider XML Signature Syntax and Processing [xmldsig] and + XML Encryption Syntax and Processing [xmlenc] 5.3. Transport Layer Security - Implementations MUST support server-authenticated TLS. + ROLIE is intended to be handled with TLS. The following requirements + have been derived from [RFC7589]. - Implementations MAY support mutually authenticated TLS. + The most recent published version of TLS MUST be supported, and any + mandatory-to-implement (MTI) cipher suites in that version MUST be + supported as well. - Implementations MAY support client authenticated TLS. + The server MUST support certificate-based client authentication. The + implementation MAY use any TLS cipher suite that supports mutual + authentication. -5.4. User Authentication + During the TLS negotiation, the client MUST carefully examine the + certificate presented by the server to determine if it meets the + client's expectations. Particularly, the client MUST check its + understanding of the server hostname against the server's identity as + presented in the server Certificate message, in order to prevent man- + in-the-middle attacks. Matching is performed according to the rules + laid out in the Security Considerations section of [RFC4642]. - Implementations MUST support user authentication. User - authentication MAY be enabled for specific feeds. + If the match fails, the client MUST either ask for explicit user + confirmation or terminate the connection and indicate the server's + identity is suspect. Additionally, clients MUST verify the binding + between the identity of the servers to which they connect and the + public keys presented by those servers. Clients SHOULD implement the + algorithm in Section 6 of [RFC5280] for general certificate + validation, but MAY supplement that algorithm with other validation + methods that achieve equivalent levels of verification (such as + comparing the server certificate against a local store of already- + verified certificates and identity bindings). If the client has + external information as to the expected identity of the server, the + hostname check MAY be omitted. - Implementations MAY support more than one client authentication - method. + The server MUST be capable of verifying the identity of the client + with certificate-based authentication according to local policy to + ensure that the incoming client request is legitimate before any + configuration or state data is sent to or received from the client. + +5.4. User Authentication and Authorization + + Implementations MUST support user authentication. User + authentication MAY be enabled for specific Feeds. Servers participating in an information sharing consortium and supporting interactive user logins by members of the consortium SHOULD support client authentication via a federated identity scheme - as per SAML 2.0. - -5.5. User Authorization + (e.g., SAML 2.0). This document does not mandate the use of any specific user authorization mechanisms. However, service implementers SHOULD provide appropriate authorization checking for all resource accesses, including individual Atom Entries, Atom Feeds, and Atom Service Documents. - Authorization for a resource MAY be adjudicated based on the value(s) - of the associated Atom element(s). - -5.6. / (forward slash) Resource URL +5.5. / (forward slash) Resource URL The "/" resource MAY be provided for compatibility with existing deployments that are using Transport of Real-time Inter-network - Defense (RID) Messages over HTTP/TLS [RFC6546]. Consistent with - RFC6546 errata, a client requesting a GET on "/" MUST receive an HTTP - status code 405 Method Not Allowed. An implementation MAY provide - full support for RFC6546 such that a POST to "/" containing a - recognized RID message type just works. Alternatively, a client - requesting a POST to "/" MAY receive an HTTP status code 307 - Temporary Redirect. In this case, the location header in the HTTP - response will provide the URL of the appropriate RID endpoint, and - the client may repeat the POST method at the indicated location. - This resource could also leverage the new draft by reschke that - proposes HTTP status code 308 (cf: draft-reschke-http-status- - 308-07.txt). TODO + Defense (RID) Messages over HTTP/TLS [RFC6546]. If the "/" resource + is supported the following behavior MUST be also supported: -5.7. HTTP methods + o Consistent with RFC6546 errata, a client requesting a GET on "/" + SHOULD receive an HTTP status code 405 Method Not Allowed. + + o An implementation MAY provide full support for [RFC6546] such that + a POST to "/" containing a recognized RID message is handled + correctly as a RID request. Alternatively, a client requesting a + POST to "/" MAY receive an HTTP status code 307 Temporary + Redirect. In this case, the location header in the HTTP response + will provide the URL of the appropriate RID endpoint, and the + client may repeat the POST method at the indicated location. + + If the "/" resource is unsupported, then a request for this resource + MUST provide a 404 HTTP status code. + +5.6. HTTP methods Clients MUST be capable of recognizing and processing any standard - HTTP status code, as defined in [RFC5023] Section 5 + HTTP status code, as defined in [RFC5023] Section 5. 6. ROLIE Requirements for the Atom Syndication Format This section describes a number of restrictions of and extensions to the Atom Syndication Format [RFC4287] that define the use of that format in the context of a ROLIE-based solution. + This document assumes that the reader has an understanding of the + Atom Syndication Format specification. + 6.1. Use of the "atom:feed" element As described in RFC4287 section 4.1.1 [RFC4287], an Atom Feed is an XML-based document format that describes a list of related - information items, also known as a collection. Each Feed document, - represented using the atom:feed element, contains a collection of + information items, also known as a Collection. Each Feed document, + represented using the atom:feed element, contains a Collection of zero or more related information items individually called a "member - entry" or "entry". + Entry" or "Entry". When applied to the problem domain of security automation information sharing, an Atom Feed may be used to represent any meaningful - collection of security automation information resources including a - set of configuration checklists or software vulnerabilities. Each - entry in an atom:feed represents an individual resource, such as a - specific checklist or software vulnerability record. Additional - Feeds can be used to represent collections of other meaningful and - useful security automation resources. + Collection of security automation information resources. Each Entry + in an atom:feed represents an individual resource (e.g., a specific + checklist , a software vulnerability record). Additional Feeds can + be used to represent other Collections of security automation + resources. - This Atom feed definition represents a stricter definition of the - Atom entry element. Any element not specified here inherits its - definition and requirements from RFC 4287. + This Atom Feed definition represents a stricter definition of the + atom:feed element defined in RFC 4287 for use in a ROLIE Any element + not specified here inherits its definition and requirements from + [RFC4287]. atomFeed = element atom:feed { atomCommonAttributes, (atomAuthor* & atomCategory+ & atomContributor* & atomGenerator? & atomIcon? & atomId - & atomLink* + & atomLink+ & atomLogo? & atomRights? & atomSubtitle? & atomTitle & atomUpdated & extensionElement*), atomEntry* } 6.1.1. Use of the "atom:category" Element - An atom:feed may be categorized and may contain information from zero + An atom:feed can be categorized and can contain information from zero or more categories. In Atom the naming scheme and the semantic meaning of the terms used to identify an Atom category are application-defined. The following restrictions are imposed on the use of the - atom:category element when used in a ROLIE atom:feed: + atom:category element when used in an atom:feed: o An atom:feed element MUST minimally contain a single atom:category element with the "scheme" attribute value of - "urn:ietf:params:rolie:information-type". This category MUST have - an appropriate "term" attribute value as defined in section 8.2. - This ensures that a given Collection corresponds to a specific - type of security automation information. All member entries in - the collection MUST represent security automation information - records of this information type. + "urn:ietf:params:rolie:category:information-type". This category + MUST have an appropriate "term" attribute value as defined in + section 7.1.1. This ensures that a given Collection corresponds + to a specific type of security automation information. All member + entries in the Collection MUST represent security automation + information records of this information type. o Any atom:feed element that does not contain a child atom:category element with the "scheme" attribute value of - "urn:ietf:params:rolie:information-type" MUST NOT be considered a - ROLIE Collection. This allows Feeds pertaining to security - automation information to co-exist alongside Feeds of other non- - ROLIE information within the same AtomPub instance. + "urn:ietf:params:rolie:category:information-type" MUST NOT be + considered a ROLIE Collection. This allows Feeds pertaining to + security automation information to co-exist alongside Feeds of + other non-ROLIE information within the same AtomPub instance. o An atom:feed may include additional atom:category elements using a - scheme other than "urn:ietf:params:rolie:information-type". This - allows other category metadata to be included. + scheme other than "urn:ietf:params:rolie:category:information- + type". This allows other category metadata to be included. 6.1.2. Use of the "atom:link" Element Link relations defined by the atom:link element are used to represent state transitions using a stateless approach. In Atom a type of link - relationship can be defined using the "rel" attribute. The following - are link relations that provide state transitions related to a ROLIE - Atom feed. - - o "service" - Indicates that the href value of the link identifies a - resource IRI that can be used to retrieve an Atom Service Document - associated with the feed. A feed MUST include one or more links - with rel="service" to point to the service document(s) that are - associated with the feed. The "service" link relationship type is - defined in the IANA Link Relations Registry [1]. - - o "search" - Indicates that the href value of the link identifies a - resource IRI that can be used to search through the containing - feed and related resources. A feed MAY include one or more links - with rel="search" to point TBD. The "search" link relationship - type is defined in the IANA Link Relations Registry [2]. - - An atom:feed MAY include additional link relationships not specified - in this document. If a client encounters an unknown link - relationship type, the client MUST ignore the unrecognized link and - continue processing the remaining resource representation as if the - unrecognized link element did not appear. + relationship can be defined using the "rel" attribute. - The Feed Paging and Archiving [RFC5005] Atom extension provides - capabilities for paging and archiving of feeds. + A ROLIE atom:feed MUST contain one or more atom:link elements with + rel="service" and href attribute whose value is a IRI that points to + an Atom Service Document associated with the atom:feed. When a + client is presented with a Feed as its initial view into a + repository, a link with the service relationship provides a means to + discover additional security automation information. The "service" + link relationship is defined in the IANA Link Relations Registry [1]. - A atom:feed can contain an arbitrary number of entries. In some - cases, a complete feed may consist of a large number of entries. - Additionally, as new and updated entries are ordered at the beginning - of a feed, a client may only be interested in retriving the first X - entries in a feed to process only the entries that have changed since - the last access to a ROLIE repository feed. As a practical matter, - the full result set will likely need to be divided into more - manageable portions. Based on RFC5005 section 3 [RFC5005], the links - SHOULD be included in all feeds to support paging using the following - link relation types: + An atom:feed can contain an arbitrary number of Entries. In some + cases, a complete Feed may consist of a large number of Entries. + Additionally, as new and updated Entries are ordered at the beginning + of a Feed, a client may only be interested in retrieving the first N + entries in a Feed to process only the Entries that have changed since + the last retrieval of the Feed. As a practical matter, a large set + of Entries will likely need to be divided into more manageable + portions. Based on RFC5005 section 3 [RFC5005], link elements SHOULD + be included in all Feeds to support paging using the following link + relation types: - o "first" - Indicates that the href value of the link identifies a - resource IRI for the furthest preceding page of the feed. + o "first" - Indicates that the href attribute value of the link + identifies a resource IRI for the furthest preceding page of the + Feed. - o "last" - Indicates that the href value of the link identifies a - resource IRI for the furthest following page of the feed. + o "last" - Indicates that the href attribute value of the link + identifies a resource IRI for the furthest following page of the + Feed. - o "previous" - Indicates that the href value of the link identifies - a resource IRI for the immediately preceeding page of the feed. + o "previous" - Indicates that the href attribute value of the link + identifies a resource IRI for the immediately preceding page of + the Feed. - o "next" - Indicates that the href value of the link identifies a - resource IRI for the immediately following page of the feed. + o "next" - Indicates that the href attribute value of the link + identifies a resource IRI for the immediately following page of + the Feed. For example: + b7f65304-b63b-4246-88e2-c104049c5fd7 Paged Feed 2012-05-04T18:13:51.0Z Example Paged Feed - An historical feed may need to be stable, and/or divided into some - defined epochs. Implementations SHOULD support the mechanisms - described in RFC5005 section 4 [RFC5005] to provide capabilities for - maintaining archiving of feeds. + A reference to a historical Feed may need to be stable, and/or a Feed + may need to be divided into a series of defined epochs. + Implementations SHOULD support the mechanisms described in RFC5005 + section 4 [RFC5005] to provide link-based state transitions for + maintaining archiving of Feeds. + + An atom:feed MAY include additional link relationships not specified + in this document. If a client encounters an unknown link + relationship type, the client MUST ignore the unrecognized link and + continue processing as if the unrecognized link element did not + appear. The definition of new Link relations that provide additional + state transition extensions is discussed in section 7.3. 6.1.3. Use of the "atom:updated" Element The atom:updated element MUST be populated with the current time at - the instant the feed representation was last updated by adding, - updating, or deleting an entry; or changing any metadata for the - feed. + the instant the Feed representation was last updated by adding, + updating, or deleting an Entry; or changing any metadata for the + Feed. 6.2. Use of the "atom:entry" Element - Each entry in an Atom feed, represented by the atom:entry element, + Each Entry in an Atom Feed, represented by the atom:entry element, describes a single information record, format, and type combination. The following atom:entry schema definition represents a stricter - representation of the atom:entry element defined in RFC 4287 for use - in a ROLE-based Atom Feed. + representation of the atom:entry element defined in [RFC4287] for use + in a ROLIE-based Atom Feed. atomEntry = element atom:entry { atomCommonAttributes, (atomAuthor* & atomCategory* & atomContent & atomContributor* & atomId & atomLink* @@ -738,106 +690,201 @@ & atomSource? & atomSummary? & atomTitle & atomUpdated & rolieFormat & extensionElement*) } 6.2.1. Use of the "atom:content" Element - There MUST be exactly one atomContent element in the entry. The - content element MUST adhere to this definition: + There MUST be exactly one atomContent element in the Entry. The + content element MUST adhere to this definition, which is a stricter + representation of the atom:content element defined in [RFC4287]: atomContent = element atom:content { atomCommonAttributes, attribute type { atomMediaType }, attribute src { atomUri }, empty } - The type attribute MUST be the serialization type of the content, for - example, XML or JSON. The src attribute is a link to the payload. + The type attribute MUST identify the serialization type of the + content, for example, application/xml or application/json. A + prefixed media type MAY be used to reflect a specific model used with + a given serialization approach (e.g., application/rdf+xml). The src + attribute MUST be an IRI that can be dereferenced to retrieve the + related content data. 6.2.2. Use of the "atom:link" Element - There MAY be zero or more atom:link elements in the entry. The - content element MUST adhere to this definition: + Link relations can be included in an atom:entry to represent state + transitions for the Entry. - The link element follows the definition laid out in the Atom - Syndication Document. + If there is a need to provide the same information in different data + models and/or serialization formats, separate Entry instances can be + included in the same or a different Feed. Such an alternate content + representation can be indicated using an atom:link having a rel + attribute with the value "alternate". - If there entries with the same format and category but a different - type, it MUST be linked to using the "alternate" link relation. + An atom:feed MAY include additional link relationships not specified + in this document. If a client encounters an unknown link + relationship type, the client MUST ignore the unrecognized link and + continue processing as if the unrecognized link element did not + appear. The definition of new Link relations that provide additional + state transition extensions is discussed in section 7.3. 6.2.3. Use of the "rolie:format" Element - There MUST be exactly one rolie:format element in the Entry. This - format SHOULD be one of the formats listed under the category of this - entry as discussed in the and Content Model section. The format is - contained in the content of this tag. + As mentioned earlier, a key goal of this specification is to allow a + consumer to review a set of published security automation information + resources, and then identify and retrieve any resources of interest. + The format of the data is a key criteria to consider when deciding + what information to retrieve. For a given type of security + automation information, it is expected that a number of different + formats may be used to represent this information. To support this + use case, both the serialization format and the specific data model + expressed in that format must be known by the consumer. -6.3. Link Relations + The rolie:format element is used to describe the data model used to + express the information referenced in the atom:content element of an + atom:entry. It also allows a schema to be identified that can be + used when parsing the content to verify or better understand the + structure of the content. - In addition to the standard Link Relations defined by the Atom - specification, this specification defines the following additional - Link Relation terms, which are introduced specifically in support of - the Resource-Oriented Lightweight Information Exchange protocol. + There MUST be exactly one rolie:format element in an atom:entry. The + element MUST adhere to this definition: - TODO: This section needs to be expanded. + rolieFormat = + element rolie:format { + atomCommonAttributes, + attribute ns { atomURI }, + attribute version { text } ?, + attribute schema-location { atomURI } ?, + attribute schema-type { atomMediaType } ?, + empty + } -7. Use of OpenSearch + The rolie:format element MUST provide a "ns" attribute that + identifies the data model of the resource referenced by the + atom:content element. For example, the namespace used may be an XML + namespace URI, or an identifier that represents a serialized JSON + model. The URI used for the "ns" attribute value MUST be an absolute + or opaque URI. The resource identified by the URI need not be + resolvable. - Implementers MUST support OpenSearch 1.1 [opensearch] as the - mechanism for describing how clients may form search requests. + The rolie:format element MAY provide a "version" attribute that + identifies the version of the format used for the related + atom:content. - Implementers MUST provide a link with a relationship type of - "search". This link SHALL return an Open Search Description Document - as defined in OpenSearch 1.1. + The rolie:format element MAY provide a "schema-location" element that + is a URI that identifies a schema resource that can be used to + validate the related atom:content. - Implementers MUST fully qualify all OpenSearch URL template parameter - names using the defined XML namespaces, as appropriate. + The rolie:format element MAY provide a "schema-type" element, which + is a mime type identifying the format of the schema resource + identified by the "schema-location" attribute. -8. Characterizing ROLIE Collections and Resources +6.2.4. Requirements for a Standalone Entry - This specification does not require a particular security automation - information type or content format; rather, it provides extension - points using IANA tables to allow for future extensions of supported - information types and formats. + If an Entry is ever shared as a standalone resource, separate from + its containing Feed, then the following additional requirements + apply: - A given security automation information type is respresented using - the "atom:category" element. In this way, an "atom:category" element - can be used to: + o The Entry MUST have a atom:link element with rel="collection" and + href="[IRI of the containing Collection]". This allows the Feed + or Feeds for which the Entry is a member to be discovered, along + with the related information the Feed may contain. In the case of + the Entry have multiple containing Feeds, the Entry MUST have one + atom:link for each related Feed. + + o The Entry MUST declare the information-type of the content + resource referenced by the Entry (see Section 7.1.2). + +7. Available Extension Points Provided by ROLIE + + This specification does not require particular information types or + data formats, rather, ROLIE is intended to be extended by additional + specifications that add new categories and link relations. The + primary point of extension is through the information-type category, + which is used to enumerate the set of all types of information + supported by ROLIE. Additional specifications can register new + information-type records with IANA that serve as the main + characterizing feature of a ROLIE Collection or Resource. These + additional specifications defining new information-type values, can + describe requirements for including specific categories, link + relations, as well as, use of specific data formats supporting a + given information-type. + +7.1. The Category Extension Point + + The atom:category element, defined in RFC 4287 section 4.2.2 + [RFC4287], provides a mechanism to provide additional categorization + information for a content resource in ROLIE. The ability to define + new categories is one of the core extension points provided by Atom. + A Category Document, defined in RFC 5023 section 7 [RFC5023], + provides a mechanism for an Atom repository to make discoverable the + atom:category terms and allowed values used by a given repository. + + ROLIE adds to this existing Atom extension mechanism by allowing + ROLIE specific category extensions to be registered with IANA, and + additionally has assigned an information-type category that has + special meaning for implementations of ROLIE. These aspects are + discussed in the following subsections. + +7.1.1. General Use of the "atom:category" Element + + The atom:category element can be used for characterizing a ROLIE + Resource. As discussed earlier in this document, an atom:category + element has a "term" attribute that indicates the assigned category + value, and a "scheme" attribute that provides an identifier for the + category type. The "scheme" provides a means to describe how a set + of category terms should be used and provides a namespace that can be + used to differentiate terms provided by multiple organizations with + different semantic meaning. + + To further differentiate category types used in ROLIE, an IANA sub- + registry has been established for ROLIE protocol parameters to + support the registration of new category "scheme" attribute values by + ROLIE extension specifications. Use of this extension point is + discussed in section 8.3. + +7.1.2. Identification of Security Automation Information Types + + A ROLIE specific extension point is provided through the + atom:category "scheme" value + "urn:ietf:params:rolie:category:information-type". This value is a + Uniform Resource Name (URN) [RFC2141] that is registered with IANA as + described in section 8.3. When used as the "scheme" attribute in + this way, the "term" attribute is expected to be a registered value + as defined in section Section 8.4. Through this mechanism a given + security automation information type can be used to: 1. identify that an "app:collection" element in a Service Document - points to an Atom feed that contains entries pertaining to a + points to an Atom Feed that contains entries pertaining to a specific type of security automation information (see section 5.1.2), or - 2. identify that an "atom:feed" element in an Atom feed contains + 2. identify that an "atom:feed" element in an Atom Feed contains entries pertaining to a specific type of security automation information (see section 6.1.1). - As mentioned earlier, a key goal of this specification is to allow a - consumer to identify security automation information resources of - interest, and then choose a suitable format of the information to - retrieve. For a given type of security automation information, it is - expected that a number of different formats may be used to represent - this information. To support this use case, both the serialization - format and the specific data model expressed in that format must be - known by the consumer. + 3. identify the information-type of a standalone Resource (see + section 6.2.4). - The following sections describe how information types are defined and - used, and how specific content formats are declared in ROLIE. + For example, the notional security automation information type + "incident" would be identified as follows: -8.1. Identification of Security Automation Information Types + A security automation information type represents a class of information that represents the same or similar information model [RFC3444]. Notional examples of information types include: indicator: Computing device- or network-related "observable features and phenomenon that aid in the forensic or proactive detection of malicious activity; and associated meta-data" (from [I-D.ietf-mile-rfc5070-bis]). @@ -846,200 +893,229 @@ vulnerability reports: Information identifying and describing a vulnerability in hardware or software. configuration checklists: Content that can be used to assess the configuration settings related to installed software. software tags: Metadata used to identify and characterize installable software. - This is a short list to inspire thought on possible information - types, which will also include other information used to automate - security processes. + This is a short list to inspire new engineering of information type + extensions that support the automation of security processes. This document does not specific any information types. Instead, - information types in ROLIE are expected to be defined in extension + information types in ROLIE are expected to be registered in extension documents that describe one or more new information types. This allows the information types used by ROLIE implementations to grow over time to support new security automation use cases. These - extension documents may also enhance ROLIE resource representations - by defining link relations, categories, and other AtomPub and Atom - Syndication Format data model extensions to address the - representational needs of specific information types. New + extension documents may also enhance ROLIE Resource representations + by defining link relations, other categories, and other AtomPub and + Atom Syndication Format data model extensions to address the + representational needs of these specific information types. New information types are added to ROLIE through registrations to the - IANA Security Resource Information Type registry defined in section - 10.3. - -8.2. General Use of the "atom:category" Element - - The core extension point within this specification is the ability to - define different security automation information types, which can be - used to characterize the type of information contained in a ROLIE - resource collection. The information type of a resource collection - is characterized using an "atom:category" element with a "scheme" - attribute value of "urn:ietf:params:rolie:information-type", and a - "term" attribute value identifying the specific information type - declared. - - For example, the security automation information type "incident" - would be identified as follows: - - - - The Uniform Resource Name (URN) [RFC2141] - "urn:ietf:params:rolie:information-type" is registered with IANA as - described in section 10.2. - - Registered security automation information type values are defined in - the IANA table described in section 10.3. - -8.3. Identification of Security Automation Information Formats + IANA ROLIE Security Resource Information Type registry defined in + section 8.4. - A given information type may have a number of supported formats. - Each format is expected to have a specification that defines the data - model for the format. As described in section 6.2.3, the - "rolie:format" element is used to describe the specific data model - used to represent the resource referenced by a given "atom:entry". - By declaring the data model used in this way, a consumer can choose - to download or ignore the resource, or look for alternate formats. - This saves the consumer from downloading and parsing resources that - the consumer is not interested in or resources expressed in formats - that are not understandable by the consumer. +7.2. The "rolie:format" Extension Point - TODO: Need to describe the structure and use of the rolie:format - element. + Security automation data pertaining to a given information type may + be expressed using a number of supported formats. As described in + section 6.2.3, the rolie:format element is used to describe the + specific data model used to represent the Resource referenced by a + given "atom:entry". The structure provided by the rolie:format + element, provides a mechanism for extension within the atom:entry + model. ROLIE extensions MAY further restrict which data models are + allowed to be used for a given information-type -9. Formal Syntax for the ROLIE Schema + By declaring the data model used for a given Resource, a consumer can + choose to download or ignore the resource, or look for alternate + formats. This saves the consumer from downloading and parsing + resources that the consumer is not interested in or resources + expressed in formats that are not supported by the consumer. - TODO: define a schema for the "rolie:format" element. +7.3. The Link Relation Extension Point -10. IANA Considerations TODO + This document uses several link relations defined in the IANA Link + Relation Types registry [2]. Additional link relations can be + registered in this registry to allow new relationships to be + represented in ROLIE according to RFC 4287 section 4.2.7.2 [RFC4287]. + Based on the preceding reference, if the link relation is too + specific or limited in the intended use, an absolute IRI can be used + in lieu of registering a new simple name with IANA. - This document defines a resource-oriented approach to security - information sharing, where such information may include a variety of - security resource categories, such as software identifiers (e.g. - tags), incident reports, configuration assessment guidance, - vulnerability assessment guidance, and so on. +8. IANA Considerations - TODO: Complete registration request specifics. + This document has a number of IANA considerations described in the + following subsections. -10.1. XML Namespaces and Schema URNs +8.1. XML Namespaces and Schema URNs This document uses URNs to describe XML namespaces and XML schemas conforming to a registry mechanism described in [RFC3688]. ROLIE XML Namespace The ROLIE namespace (rolie-1.0) has been registered in the "ns" registry. URI: urn:ietf:params:xml:ns:rolie-1.0 Registrant Contact: IESG XML: None. Namespace URIs do not represent an XML specification. ROLIE XML Schema The ROLIE schema (rolie-1.0) has been registered in the "schema" registry. URI: urn:ietf:params:xml:schema:rolie-1.0 Registrant Contact: IESG - XML: See section 9 of this document. + XML: See section A of this document. -10.2. ROLIE Parameters +8.2. ROLIE URN Sub-namespace - ROLIE uses URNs to represent category schemes. This section creates - and registers an IETF URN sub-namespace for use in ROLIE - specifications and future extensions. + IANA has added an entry to the "IETF URN Sub-namespace for Registered + Protocol Parameter Identifiers" registry located at + as per + RFC3553 [RFC3553]. - TODO: Add entry for: "urn:ietf:params:rolie:category:information- - type" + The entry is as follows: -10.3. Security Resource Information Type Registry + Registry name: rolie - This document creates the following registry for IANA to manage: + Specification: This document - Name of Registry: "Security Resource Information Type" + Repository: ROLIE URN Parameters. See Section 8.3 [TO BE REMOVED: + This registration should take place at the following location: + https://www.iana.org/assignments/rolie] - Location of Registry: https://www.iana.org/assignments/security- - resource-information-type + Index value: See Section 8.3 - Fields to record in the registry: +8.3. ROLIE URN Parameters - Full Name: The full name of the security resource information - type as a string from the printable ASCII character set RFC0020 - with individual embedded spaces allowed. The ABNF RFC5234 - syntax for this field is: + A new top-level registry has been created, entitled "Resource + Oriented Lightweight Information Exchange (ROLIE) Parameters". [TO + BE REMOVED: This registration should take place at the following + location: https://www.iana.org/assignments/rolie] - 1*VCHAR *(SP 1*VCHAR) + In this top-level registry, a sub-registry entitled "ROLIE URN + Parameters" has been created. Registration in this repository is via + the Specification Required policy [RFC5226]. Designated Expert + reviews should be routed through the MILE WG mailing list. Failing + this, the Designated Expert will be assigned by the IESG. - Security Resource Index: This is an IANA-assigned positive - integer that identifies the registration. The first entry - added to this registry uses the value 1, and this value is - incremented for each subsequent entry added to the registry. + Each entry in this sub-registry must record the following fields: - Description: A complete description of the security resource - information type as a string from the printable ASCII character - set RFC0020 with individual embedded spaces allowed. The ABNF - RFC5324 syntax for this field is: + Name: A URN segment that adheres to the pattern {type}:{label}. + The keywords are defined as follows: - 1*VCHAR *(SP 1*VCHAR) + {type}: The parameter type. The allowed values are "category" + and "format". "category" denotes a category extension as + discussed in Section 7.1, "format" denotes a additional + supported format as discussed in Section 7.2. - Specification URI/Reference: A list of one or more URIs - [RFC3986] from which the registered specification can be - obtained. The registered specification MUST be readily and - publicly available from that URI. The URI SHOULD be a stable - reference. + {label}: A required US-ASCII string that conforms to the URN + syntax requirements (see [RFC2141]). This string must be + unique within the namespace defined by the {type} keyword. - Initial registry contents: None. + Extension IRI: The identifier to use within ROLIE, which is the + full URN using the form: urn:ietf:params:rolie:{name}, where + {name} is the "name" field of this registration. - Allocation Policy: Specification required RFC5226 (which implies - expert review RFC5226). + Reference: A static link to the specification and section that the + definition of the parameter can be found. - The Designated Expert is expected to consult with the MILE (Managed - Incident Lightweight Exchange) working group or is successor if any - such WG exists (e.g., via email to the working group's mailing list). - The Designated Expert is expected to review the request and validate - the appropriateness of the name, description, and associated - specifications for the security resource category. + Sub-registry: An optional field that links to an IANA sub-registry + for this parameter. If the {type} is "category", the sub-registry + must contain a "name" field whose registered values MUST be US- + ASCII. The list of names are the allowed values of the "term" + attribute in the atom:category element. (See Section 7.1.2). -11. Security Considerations TODO + This repository has the following initial values: - This document defines a resource-oriented approach to lightweight - information exchange using HTTP, TLS, Atom Syndicate Format, and Atom - Publishing Protocol. As such, implementers must understand the - security considerations described in those specifications. + +-----------+--------------------+------+---------------------------+ + | Name | Extension IRI | Refe | Sub-Registry | + | | | renc | | + | | | e | | + +-----------+--------------------+------+---------------------------+ + | category: | urn:ietf:params:ro | This | [TO BE REMOVED: This | + | informati | lie:category | docu | registration should take | + | on-type | :information-type | ment | place at the following | + | | | , Se | location: https://www.ian | + | | | ctio | a.org/assignments/rolie/c | + | | | n | ategory/information-type] | + | | | 9.4 | | + +-----------+--------------------+------+---------------------------+ - In addition, there are a number of additional security considerations - that are unique to this specification. +8.4. ROLIE Security Resource Information Type Sub-Registry + + A new sub-registry has been created to store ROLIE information-type + values. + + Name of Registry: "ROLIE Information-Types" + + Location of Registry: + https://www.iana.org/assignments/rolie/category/information-type + + Fields to record in the registry: + + name: The full name of the security resource information type + as a string from the printable ASCII character set [RFC0020] + with individual embedded spaces allowed. The ABNF [RFC5234] + syntax for this field is: + + 1*VCHAR *(SP 1*VCHAR) + + index: This is an IANA-assigned positive integer that + identifies the registration. The first entry added to this + registry uses the value 1, and this value is incremented for + each subsequent entry added to the registry. + + reference: A list of one or more URIs [RFC3986] from which the + registered specification can be obtained. The registered + specification MUST be readily and publicly available from that + URI. The URI SHOULD be a stable reference. + + Allocation Policy: Specification required as per [RFC5226] + +9. Security Considerations + + This document defines a resource-oriented approach for lightweight + information exchange using HTTP over TLS, the Atom Syndication + Format, and the Atom Publishing Protocol. As such, implementers must + understand the security considerations described in those + specifications. All that follows is guidance, more specific + instruction is out of scope for this document and will be located in + a dedicated informational document. + + All security measures SHOULD be enforced at the source, that is, a + provider SHOULD NOT return any Feed content or member Entry content + for which the client identity has not been specifically + authenticated, authorized, and audited. The approach described herein is based upon all policy enforcements being implemented at the point when a resource representation is created. As such, producers sharing cyber security information using this specification must take care to authenticate their HTTP clients using a suitably strong user authentication mechanism. Sharing communities that are exchanging information on well-known indicators and incidents for purposes of public education may choose to rely - upon, e.g. HTTP Authentication, or similar. However, sharing - communities that are engaged in sensitive collaborative analysis and/ - or operational response for indicators and incidents targeting high + upon HTTP Authentication or similar. However, sharing communities + that are engaged in sensitive collaborative analysis and/or + operational response for indicators and incidents targeting high value information systems should adopt a suitably stronger user - authentication solution, such as TLS client certificates, or a risk- - based or multi-factor approach. In general, trust in the sharing - consortium will depend upon the members maintaining adequate user - authentication mechanisms. + authentication solution, such as a risk-based or multi-factor + approach. In general, trust in the sharing consortium will depend + upon the members maintaining adequate user authentication mechanisms. Collaborating consortiums may benefit from the adoption of a federated identity solution, such as those based upon SAML-core - [SAML-core] and SAML-bind [SAML-bind] and SAML-prof [SAML-prof] for Web-based authentication and cross-organizational single sign-on. Dependency on a trusted third party identity provider implies that appropriate care must be exercised to sufficiently secure the Identity provider. Any attacks on the federated identity system would present a risk to the CSIRT, as a relying party. Potential mitigations include deployment of a federation-aware identity provider that is under the control of the information sharing consortium, with suitably stringent technical and management controls. @@ -1037,46 +1113,33 @@ Web-based authentication and cross-organizational single sign-on. Dependency on a trusted third party identity provider implies that appropriate care must be exercised to sufficiently secure the Identity provider. Any attacks on the federated identity system would present a risk to the CSIRT, as a relying party. Potential mitigations include deployment of a federation-aware identity provider that is under the control of the information sharing consortium, with suitably stringent technical and management controls. - All security measures MUST be enforced at the source, that is, a - provider SHALL NOT return any feed content or member entry content - for which the client identity has not been specifically - authenticated, authorized, and audited. - - Sharing communities that have a requirement for forward message - security (such that client systems are required to participate in - providing message level security and/or distributed authorization - policy enforcement), MUST use TODO. - - The implementation details of the authorization scheme chosen by a - ROLIE-compliant provider are out of scope for this specification. - Implementers are free to choose any suitable authorization mechanism - that is capable of fulfilling the policy enforcement requirements - relevant to their consortium and/or organization. - Authorization of resource representations is the responsibility of the source system, i.e. based on the authenticated user identity associated with an HTTP(S) request. The required authorization policies that are to be enforced must therefore be managed by the security administrators of the source system. Various authorization architectures would be suitable for this purpose, such as RBAC [3] and/or ABAC, as embodied in XACML [XACML]. In particular, implementers adopting XACML may benefit from the capability to represent their authorization policies in a standardized, - interoperable format. + interoperable format. Note that implementers are free to choose any + suitable authorization mechanism that is capable of fulfilling the + policy enforcement requirements relevant to their consortium and/or + organization. Additional security requirements such as enforcing message-level security at the destination system could supplement the security enforcements performed at the source system, however these destination-provided policy enforcements are out of scope for this specification. Implementers requiring this capability should consider leveraging, e.g. the element in the RID schema. Refer to RFC6545 section 9 for more information. When security policies relevant to the source system are to be @@ -1094,45 +1157,42 @@ document will enable users to more easily perform correlations across separate, and potentially unrelated, cyber security information providers. A client may succeed in assembling a data set that would not have been permitted within the context of the authorization policies of either provider when considered individually. Thus, providers may face a risk of an attacker obtaining an access that constitutes an undetected separation of duties (SOD) violation. It is important to note that this risk is not unique to this specification, and a similar potential for abuse exists with any other cyber security information sharing protocol. However, the wide - availability of tools for HTTP clients and Atom feed handling implies + availability of tools for HTTP clients and Atom Feed handling implies that the resources and technical skills required for a successful exploit may be less than it was previously. This risk can be best mitigated through appropriate vetting of the client at account provisioning time. In addition, any increase in the risk of this type of abuse should be offset by the corresponding increase in effectiveness that this specification affords to the defenders. - While it is a goal of this specification to enable more agile cyber - security information sharing across a broader and varying - constituency, there is nothing in this specification that necessarily - requires this type of deployment. A cyber security information - sharing consortium may chose to adopt this specification while - continuing to operate as a gated community with strictly limited - membership. - -12. Acknowledgements +10. Acknowledgements - The author gratefully acknowledges the valuable contributions of Tom + The authors gratefully acknowledge the valuable contributions of Tom Maguire, Kathleen Moriarty, and Vijayanand Bharadwaj. These individuals provided detailed review comments on earlier drafts, and - many suggestions that have helped to improve this document . + made many suggestions that have helped to improve this document. -13. References -13.1. Normative References +11. References + +11.1. Normative References + + [RFC0020] Cerf, V., "ASCII format for network interchange", STD 80, + RFC 20, DOI 10.17487/RFC0020, October 1969, + . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, DOI 10.17487/RFC3688, January 2004, . @@ -1156,37 +1216,59 @@ [RFC5070] Danyliw, R., Meijer, J., and Y. Demchenko, "The Incident Object Description Exchange Format", RFC 5070, DOI 10.17487/RFC5070, December 2007, . [RFC6546] Trammell, B., "Transport of Real-time Inter-network Defense (RID) Messages over HTTP/TLS", RFC 6546, DOI 10.17487/RFC6546, April 2012, . + [RFC3553] Mealling, M., Masinter, L., Hardie, T., and G. Klyne, "An + IETF URN Sub-namespace for Registered Protocol + Parameters", BCP 73, RFC 3553, DOI 10.17487/RFC3553, June + 2003, . + + [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an + IANA Considerations Section in RFCs", BCP 26, RFC 5226, + DOI 10.17487/RFC5226, May 2008, + . + [W3C.REC-xml-names-20091208] Bray, T., Hollander, D., Layman, A., Tobin, R., and H. Thompson, "Namespaces in XML 1.0 (Third Edition)", World Wide Web Consortium Recommendation REC-xml-names-20091208, December 2009, . + [RFC7589] Badra, M., Luchuk, A., and J. Schoenwaelder, "Using the + NETCONF Protocol over Transport Layer Security (TLS) with + Mutual X.509 Authentication", RFC 7589, + DOI 10.17487/RFC7589, June 2015, + . + + [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., + Housley, R., and W. Polk, "Internet X.509 Public Key + Infrastructure Certificate and Certificate Revocation List + (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, + . + + [RFC4642] Murchison, K., Vinocur, J., and C. Newman, "Using + Transport Layer Security (TLS) with Network News Transfer + Protocol (NNTP)", RFC 4642, DOI 10.17487/RFC4642, October + 2006, . + [relax-NG] Clark, J., Ed., "RELAX NG Compact Syntax", 11 2002, . - [opensearch] - Clinton, D., "OpenSearch 1.1 draft 5 specification", OASIS - Committee Specification saml-core-2.0-os, 2011, - . - [SAML-core] Cantor, S., Kemp, J., Philpott, R., and E. Maler, "Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V2.0", OASIS Standard saml-core- 2.0-os, March 2005, . [SAML-prof] Hughes, J., Cantor, S., Hodges, J., Hirsch, F., Mishra, P., Philpott, R., and E. Maler, "Profiles for the OASIS @@ -1195,529 +1277,372 @@ . [SAML-bind] Cantor, S., Hirsch, F., Kemp, J., Philpott, R., and E. Maler, "Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0", OASIS Standard saml-bindings- 2.0-os, March 2005, . -13.2. Informative References +11.2. Informative References [RFC2141] Moats, R., "URN Syntax", RFC 2141, DOI 10.17487/RFC2141, May 1997, . [RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between Information Models and Data Models", RFC 3444, DOI 10.17487/RFC3444, January 2003, . - [RFC6545] Moriarty, K., "Real-time Inter-network Defense (RID)", - RFC 6545, DOI 10.17487/RFC6545, April 2012, - . - [I-D.ietf-mile-rfc5070-bis] Danyliw, R., "The Incident Object Description Exchange - Format v2", draft-ietf-mile-rfc5070-bis-25 (work in - progress), June 2016. + Format v2", draft-ietf-mile-rfc5070-bis-26 (work in + progress), October 2016. + + [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax + Specifications: ABNF", STD 68, RFC 5234, + DOI 10.17487/RFC5234, January 2008, + . + + [xmldsig] Bartel, M., Boyer, J., Fox, B., LaMacchia, B., and E. + Simon, "XML Signature Syntax and Processing (Second + Edition)", June 2008, . + + [xmlenc] Imamura, T., Dillaway, B., and E. Simon, "XML Encryption + Syntax and Processing", December 2002, + . [XACML] Rissanen, E., "eXtensible Access Control Markup Language (XACML) Version 3.0", August 2010, . [REST] Fielding, R., "Architectural Styles and the Design of Network-based Software Architectures", 2000, . -13.3. URIs +11.3. URIs [1] https://www.iana.org/assignments/link-relations/link- relations.xhtml [2] https://www.iana.org/assignments/link-relations/link- relations.xhtml [3] http://csrc.nist.gov/groups/SNS/rbac/ -Appendix A. Use Case Examples +Appendix A. Relax NG Compact Schema for ROLIE -A.1. Service Discovery + This appendix is informative. + + The Relax NG schema below defines the rolie:format element. + + # -*- rnc -*- + # RELAX NG Compact Syntax Grammar for the rolie:format element + + namespace rolie = "urn:ietf:params:xml:ns:rolie-1.0" + namespace atom = "http://www.w3.org/2005/Atom" + + # rolie:format + + rolieFormat = + element rolie:format { + atom:atomCommonAttributes, + attribute ns { atom:atomURI }, + attribute version { text } ?, + attribute schema-location { atom:atomURI } ?, + attribute schema-type { atom:atomMediaType } ?, + empty + } + +Appendix B. Examples of Use + +B.1. Service Discovery This section provides a non-normative example of a client doing - service discovery. TODO: Standardize location of doc? + service discovery. An Atom service document enables a client to dynamically discover - what feeds a particular publisher makes available. Thus, a provider + what Feeds a particular publisher makes available. Thus, a provider uses an Atom service document to enable clients or other authorized parties to determine what specific information the provider makes - available to the community. The service document could be made - available at any well known location, such as via a link from the - CSIRT's home page. One common technique is to include a link in the - section of the organization's home page, as shown below: - - Example of bootstrapping Service Document discovery: - - + available to the community. While the service document is at a + required location, the service document could also be made available + at any well known location, such as via a link from the producer's + home page. - A client may then format an HTTP GET request to retrieve the service - document: + A client may format an HTTP GET request to retrieve the service + document from the specified location: - GET /provider/svcdoc.xml + GET /rolie/servicedocument Host: www.example.org Accept: application/atomsvc+xml Notice the use of the HTTP Accept: request header, indicating the MIME type for Atom service discovery. The response to this GET request will be an XML document that contains information on the - specific feed collections that are provided by the CSIRT. + specific Feed Collections that are provided by the provider. Example HTTP GET response: HTTP/1.1 200 OK Date: Fri, 24 Aug 2012 17:09:11 GMT Content-Length: 570 Content-Type: application/atomsvc+xml;charset="utf-8" + xmlns:atom="http://www.w3.org/2005/Atom"> - Incidents - - Incidents Feed + Vulnerabilities + + Vulnerabilities Feed - application/atom+xml; type=entry This simple Service Document example shows that this server provides - one workspace, named "Incidents". Within that workspace, the - producer makes one feed collection available. When attempting to GET - or POST entries to that feed collection, the client must indicate a - content type of application/atom+xml. + one workspace, named "Vunerabilities". Within that workspace, the + producer makes one Feed Collection available. - A server may also offer a number of different feeds, each containing + A server may also offer a number of different Feeds, each containing different types of security automation information. In the following - example, the feeds have been categorized. This categorization will - help the clients to decide which feeds will meet their needs. + example, the Feeds have been categorized. This categorization will + help the clients to decide which Feeds will meet their needs. HTTP/1.1 200 OK Date: Fri, 24 Aug 2012 17:10:11 GMT Content-Length: 1912 Content-Type: application/atomsvc+xml;charset="utf-8" Public Security Information Sharing + href="http://example.org/provider/public/vulns"> Public Vulnerabilities - application/atom+xml; type=entry + - - Public Incidents - application/atom+xml; type=entry - - - - Private Consortium Sharing + href="http://example.org/provider/private/vulns"> Incidents - application/atom+xml;type=entry + + scheme="urn:ietf:params:rolie:category:information-type" + term="incidents"/> - In this example, the CSIRT is providing a total of three feed - collections, organized into two different workspaces. The first - workspace contains two feeds, consisting of publicly available - software vulnerabilities and publicly available incidents, - respectively. The second workspace provides one additional feed, for - use by a sharing consortium. The feed contains incident information - containing entries related to three purposes: traceback, mitigation, - and reporting. The entries in this feed are categorized with a - restriction of either "Need-to-Know" or "private". An appropriately - authenticated and authorized client may then proceed to make GET - requests for one or more of these feeds. The publicly provided - incident information may be accessible with or without - authentication. However, users accessing the feed targeted to the + In this example, the provider is making available a total of two Feed + Collections, organized into two different workspaces. The first + workspace contains a Feed consisting of publicly available software + vulnerabilities. The second workspace provides one additional + vulnerability Feed, for use by a private sharing consortium. An + appropriately authenticated and authorized client may then proceed to + make GET requests for one or more of these Feeds. The publicly + provided incident information may be accessible with or without + authentication. However, users accessing the Feed targeted to the private sharing consortium would be expected to authenticate, and appropriate authorization policies would subsequently be enforced by - the feed provider. + the Feed provider. -A.2. Feed Retrieval +B.2. Feed Retrieval This section provides a non-normative example of a client retrieving - an incident feed. TODO + an incident Feed. - Having discovered the available security information sharing feeds, - an authenticated and authorized client who is a member of the private - sharing consortium may be interested in receiving the feed of known - incidents. The client may retrieve this feed by performing an HTTP - GET operation on the indicated URL. + Having discovered the available security information sharing Feeds, a + client who is a member of the general public may be interested in + receiving the Feed of public vulnerabilities. The client may + retrieve this Feed by performing an HTTP GET operation on the + indicated URL. Example HTTP GET request for a Feed: - GET /provider/private/incidents + GET /provider/vulns Host: www.example.org Accept: application/atom+xml The corresponding HTTP response would be an XML document containing - the incidents feed: + the incidents Feed: Example HTTP GET response for a Feed: HTTP/1.1 200 OK Date: Fri, 24 Aug 2012 17:20:11 GMT Content-Length: 2882 Content-Type: application/atom+xml;type=feed;charset="utf-8" - - - Example Provider ROLIE Feed Generator - - - http://www.example.org/provider/private/incidents + http://www.example.org/provider/vulns Atom formatted representation of a feed of XML incident documents - - + scheme="urn:ietf:params:rolie:category:information-type" + term="vulnerability"/> 2012-05-04T18:13:51.0Z - - provider@example.org - Example Provider - - - - - + + + - http://www.example.org/provider/private/incidents/123456 + http://www.example.org/provider/vulns/123456 Sample Incident - - - - - - - 2014-08-04T18:13:51.0Z 2014-08-05T18:13:51.0Z A short description of this resource + - This feed document has two atom entries, one of which has been - elided. The completed entry illustrates an Atom element that + + This Feed document has two atom entries, one of which has been + elided. The completed Entry illustrates an Atom element that provides a summary of essential details about one particular incident. Based upon this summary information and the provided category information, a client may choose to do an HTTP GET operation to retrieve the full details of the incident. This example exemplifies the benefits a RESTful alternative has to traditional point-to-point messaging systems. -A.3. Entry Retrieval +B.3. Entry Retrieval This section provides a non-normative example of a client retrieving - an incident as an Atom entry. TODO + an incident as an Atom Entry. - Having retrieved the feed of interest, the client may then decide + Having retrieved the Feed of interest, the client may then decide based on the description and/or category information that one of the - entries in the feed is of further interest. The client may retrieve + entries in the Feed is of further interest. The client may retrieve this incident Entry by performing an HTTP GET operation on the indicated URL. Example HTTP GET request for an Entry: - GET /provider/private/incidents/123456 + GET /provider/vulns/123456 Host: www.example.org Accept: application/atom+xml The corresponding HTTP response would be an XML document containing the incident: Example HTTP GET response for an Entry: HTTP/1.1 200 OK Date: Fri, 24 Aug 2012 17:30:11 GMT Content-Length: 4965 Content-Type: application/atom+xml;type=entry;charset="utf-8" - http://www.example.org/provider/private/incidents/123456 + http://www.example.org/provider/vulns/123456 Sample Incident - - - - 2012-08-04T18:13:51.0Z 2012-08-05T18:13:51.0Z - A short description of this incident resource - - - - - - - - - - - - - - - Example - - + + As can be seen in the example response, above, an XML document is - contained within the Atom element. The client may now - process the XML document as needed. + linked to in the attributes of the Atom element. The + client may now process the XML document as needed. Note also that, as described previously, the content of the Atom element is application-defined. The Atom categories have been assigned based on the IANA table content model. Finally, it should be noted that in order to optimize the client - experience, and avoid an additional round trip, a feed provider may - choose to include the entry content inline, as part of the feed + experience, and avoid an additional round trip, a Feed provider may + choose to include certain Entry elements inline, as part of the Feed document. That is, an Atom element within a Feed document - may contain an Atom element as a child. In this case, the - client will receive the full content of the entries within the feed. - The decision of whether to include the entry content inline or to - include it as a link is a design choice left to the feed provider - (e.g. based upon local environmental factors such as the number of - entries contained in a feed, the available network bandwidth, the - available server compute cycles, the expected client usage patterns, - etc.). - -A.4. Use Case: Search - - This section provides a non-normative example of a search use case. - - The following example provides a RESTful solution to handling search - results. Note that in the RESTful approach described herein there is - no requirement to define a query language. Instead, implementations - may provide support for search operations via existing search - facilities, and advertise these capabilities via an appropriate URL - template. Clients dynamically retrieve the search description - document, and invoke specific searches via an instantiated URL - template. - - An HTTP response body may include a link relationship of type - "search." This link provides a reference to an OpenSearch - description document. - - Example HTTP response that includes a "search" link: - - HTTP/1.1 200 OK - Date: Fri, 24 Aug 2012 17:20:11 GMT - Content-Length: nnnn - Content-Type: application/atom+xml;type=feed;charset="utf-8" - - - - - - - - - - - - - - - The OpenSearch Description document contains the information needed - by a client to request a search. An example of an Open Search - description document is shown below: - - Example HTTP response that includes a "search" link: - - - - CSIRT search example - Cyber security information - sharing consortium search interface - example csirt indicator search - admin@example.org - - - - www.example.org CSIRT search - - en-us - UTF-8 - UTF-8 - - - The OpenSearch Description document shown above contains two - elements that contain parametrized URL templates. These templates - provide a representation of how the client should make search - requests. The exact format of the query string, including the - parametrization is specified by the feed provider - - This OpenSearch Description Document also contains an example of a - element. Each element describes a specific search - request that can be made by the client. Note that the parameters of - the element correspond to the URL template parameters. In - this way, a provider may fully describe the search interface - available to the clients. The search section, above, provides - specific NORMATIVE requirements for the use of Open Search. - -Appendix B. XACML Guidance - - ROLIE assumes that all authorization policy enforcement is provided - at the source server. The implementation details of the - authorization scheme chosen by a ROLIE-compliant provider are out of - scope for this specification. Implementers are free to choose any - suitable authorization mechanism that is capable of fulfilling the - policy enforcement requirements relevant to their consortium and/or - organization. - - It is well known that one of the major barriers to information - sharing is ensuring acceptable use of the information shared. In the - case of ROLIE, one way to lower that barrier may be to develop a - XACML profile. Use of XACML would allow a ROLIE-compliant provider - to express their information sharing authorization policies in a - standards-compliant, and machine-readable format. - - This improved interoperability may, in turn, enable more agile - interactions in the cyber security sharing community. For example, a - peer CSIRT, or another interested stakeholder such as an auditor, - would be able to review and compare CSIRT sharing policies using - appropriate tooling. - - The XACML 3.0 standard is based upon the notion that authorization - policies are defined in terms of predicate logic expressions written - against the attributes associated with one or more of the following - four entities: + may contain arbitrary non-required Atom elements as children. In + this case, the client will receive the more explicit information on + entries from within the Feed. The decision of whether to include + extra Entry elements inline or to include it as a link is a design + choice left to the Feed provider (e.g. based upon local environmental + factors such as the number of entries contained in a Feed, the + available network bandwidth, the available server compute cycles, the + expected client usage patterns, etc.). - o SUBJECT +Appendix C. Change History - o ACTION + Changes in draft-ietf-mile-rolie-04 since draft-ietf-mile-rolie-04 + version, July 8, 2016 to October 31, 2016 - o RESOURCE + o Further specification and clarification of requirements - o ENVIRONMENT + o IANA Considerations and extension system fleshed out and + described. - Thus, a suitable approach to a XACML 3.0 profile for ROLIE - authorization policies could begin by using the 3-tuple of [SUBJECT, - ACTION, RESOURCE] where: + o Examples and References updated. - o SUBJECT is the suitably authenticated identity of the requestor. + o Schema created. - o ACTION is the associated HTTP method, GET, PUT, POST, DELETE, - HEAD, (PATCH). + o Fixed both internal section and external document referencing. - o RESOURCE is an XPath expression that uniquely identifies the - instance or type of the ROLIE resource being requested. + o Removed XACML Guidance Appendix. This will be added to a future + draft on ROLIE Authentication and Access Control. - Implementers who have a need may also choose to evaluate based upon - the additional ENVIRONMENT factors, such as current threat level, and - so on. One could also write policy to consider the CVSS score - associated with the resource, or the lifecycle phase of the resource - (vulnerability unverified, confirmed, patch available, etc.), and so - on. + Changes made in draft-ietf-mile-rolie-03 since draft-ietf-mile- + rolie-02 version, May 27, 2016 to July 8, 2015 - Having these policies expressed in a standards-compliant and machine- - readable format could improve the agility and effectiveness of a - cyber security information sharing group or consortium, and enable - better cyber defenses. + o Atom Syndication and Atom Pub requirements split and greatly + expanded for increased justification and technical specification. -Appendix C. Relax NG Schema for ROLIE Extensions + o Reintroduction and reformatting of some use case examples in order + to provide some guidance on use. - TODO + o Established rough version of IANA table extension system along + with explanations of said system. -Appendix D. Change Tracking + o Re-organized document to put non-vital information in appendices. - Changes since draft-field-mile-rolie-01 version, December, 2015 to - May 27, 2016: + Changes made in draft-ietf-mile-rolie-02 since draft-field-mile- + rolie-01 version, December, 2015 to May 27, 2016: o All CSIRT and IODEF/RID material moved to companion CSIRT document TODO: add reference o Recast document into a more general use perspective. The implication of CSIRTs as the defacto end-user has been removed where ever possible. All of the original CSIRT based use cases remain completely supported by this document, it has been opened up to support many other use cases. @@ -1729,21 +1654,21 @@ o Removed any requirements from the Background section and, if not already stated, placed them in the requirements section o Re-formatted the requirements section to make it clearer that it contains the lions-share of the requirements of the specification Changes made in draft-ietf-mile-rolie-01 since draft-field-mile- rolie-02 version, August 15, 2013 to December 2, 2015: o Added section specifying the use of RFC5005 for Archive and Paging - of feeds. + of Feeds. o Added section describing use of atom categories that correspond to IODEF expectation class and impact classes. See: normative- expectation-impact o Dropped references to adoption of a MILE-specific HTTP media type parameter. o Updated IANA Considerations section to clarify that no IANA actions are required.