MILE Working Group                                           S. Banghart
Internet-Draft                                                      NIST
Intended status: Informational                            March 26, 2019
Expires: September 27, 2019

               Definition of ROLIE Vulnerability Extension
                    draft-banghart-mile-rolie-vuln-00

Abstract

   This document extends the Resource-Oriented Lightweight Information
   Exchange (ROLIE) core to add the information type categories and
   related requirements needed to support vulnerability use cases.  The
   vulnerability information type is defined as a ROLIE extension.
   Additional supporting requirements are also defined that describe the
   use of specific formats and link relations pertaining to the new
   information type.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 27, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Information-type Extensions
     3.1.  The "vulnerability" information type
   4.  Use of the rolie:format element
     4.1.  CVE Format
     4.2.  VDO Format
   5.  rolie:property Extensions
     5.1.  urn:ietf:params:rolie:property:vuln:ID
   6.  Use of the atom:link element
     6.1.  Link relations for the 'vulnerability' information-type
   7.  IANA Considerations
     7.1.  information-type registrations
       7.1.1.  vulnerability information-type
     7.2.  rolie:property name registrations
       7.2.1.  property:vulnerability:id
   8.  Security Considerations
   9.  Normative References
   Author's Address

1.  Introduction

   Vulnerability information sharing is one of the main use cases listed
   in [RFC8322].  This document provides additional format-specific
   requirements to support interoperability and rich metadata of
   vulnerability information shared using ROLIE.

2.  Terminology

   The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT,"
   "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Definitions for some of the common computer security-related
   terminology used in this document can be found in [RFC4949].

3.  Information-type Extensions

3.1.  The "vulnerability" information type

   The "vulnerability" information type represents any information
   describing or pertaining to a computer security vulnerability.  This
   document uses the definition of vulnerability provided by [RFC4949].
   Provided below is a non-exhaustive list of information that may be
   considered to be of the vulnerability information type.

   o  TODO

   Note again that this list is not exhaustive: any information that is
   in the abstract realm of a vulnerability should be classified under
   this information-type.

4.  Use of the rolie:format element

4.1.  CVE Format

   Todo

4.2.  VDO Format

   Todo

5.  rolie:property Extensions

   This document provides new registrations for valid rolie:property
   names.  These properties provide optional exposure points for
   valuable information in the linked content document.  Exposing this
   information in a rolie:property element means that clients do not
   need to download the linked document to determine whether it
   contains the information they are looking for.

5.1.  urn:ietf:params:rolie:property:vuln:ID

   Provides an XML element that can be populated with an identifier from
   the vulnerability document linked to by an atom:content element.
   This value SHOULD be a uniquely identifying value for the document
   linked to in this entry's atom:content element.

6.  Use of the atom:link element

   These sections define requirements for atom:link elements in Entries.
   Note that the requirements are determined by the information type
   that appears in either the Entry or in the parent Feed.

6.1.  Link relations for the 'vulnerability' information-type

   If the category of an Entry is the vulnerability information type,
   then the following requirements MUST be followed for support of
   atom:link elements.

                   +------+-------------+-------------+
                   | Name | Description | Conformance |
                   +------+-------------+-------------+
                   | todo | todo        | todo        |
                   +------+-------------+-------------+

     Table 1: Link Relations for Resource-Oriented Lightweight Indicator
                                 Exchange

7.  IANA Considerations

7.1.  information-type registrations

   IANA has added the following entries to the "ROLIE Security Resource
   Information Type Sub-Registry" registry located at .

7.1.1.  vulnerability information-type

   The entry is as follows:

   name: vulnerability

   index: TBD

   reference: This document, Section 3.1

7.2.  rolie:property name registrations

   IANA has added the following entries to the "ROLIE URN Parameters"
   registry located in .

7.2.1.  property:vulnerability:id

   The entry is as follows:

   name: property:vulnerability:id

   Extension IRI: urn:ietf:params:rolie:property:vulnerability:id

   Reference: This document, section 6.3.1

   Subregistry: None

8.  Security Considerations

   This document implies the use of ROLIE in high-security use cases;
   as such, added care should be taken to fortify and secure ROLIE
   repositories and clients using this extension.  The guidance in the
   ROLIE core specification is strongly recommended, and implementers
   should consider adding additional security measures as they see fit.

   When providing a private workspace for closed sharing, it is
   recommended that the ROLIE repository check user authorization when
   the user sends a GET request to the service document.
   If the user is not authorized to send any requests to a given
   workspace or collection, that workspace or collection should be
   truncated from the service document in the response.  In this way
   the existence of unauthorized content remains unknown to potential
   attackers, hopefully reducing attack surface.

9.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4287]  Nottingham, M., Ed. and R. Sayre, Ed., "The Atom
              Syndication Format", RFC 4287, DOI 10.17487/RFC4287,
              December 2005.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007.

   [RFC5023]  Gregorio, J., Ed. and B. de hOra, Ed., "The Atom
              Publishing Protocol", RFC 5023, DOI 10.17487/RFC5023,
              October 2007.

   [RFC8322]  Field, J., Banghart, S., and D. Waltermire, "Resource-
              Oriented Lightweight Information Exchange (ROLIE)",
              RFC 8322, DOI 10.17487/RFC8322, February 2018.

Author's Address

   Stephen A. Banghart
   National Institute of Standards and Technology
   100 Bureau Drive
   Gaithersburg, Maryland
   USA

   Phone: (301)975-4288
   Email: sab3@nist.gov
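Added worked example for Section 5.1 (not part of the draft): a constructed ROLIE feed in which one entry carries the vulnerability ID property, and a client that locates the entry by ID from feed metadata alone, without downloading the document linked from atom:content. The ROLIE namespace and category scheme are taken from RFC 8322; the draft gives the property name in two spellings, and the IANA form from Section 7.2.1 is assumed here; hosts and identifiers are placeholders.

```python
# Added example, not part of the draft: constructed ROLIE feed with the
# vulnerability ID property (Section 5.1, IANA 7.2.1) and a metadata-only client.
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom",
      "rolie": "urn:ietf:params:xml:ns:rolie-1.0"}  # ROLIE namespace, RFC 8322
INFO_TYPE_SCHEME = "urn:ietf:params:rolie:category:information-type"
# The draft spells the property name two ways; the IANA entry is assumed here.
VULN_ID_PROP = "urn:ietf:params:rolie:property:vulnerability:id"
# Constructed feed (placeholder hosts): e1 exposes the property, e2 does not,
# e3 is an entry of a different information type and must be skipped.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
  xmlns:rolie="urn:ietf:params:xml:ns:rolie-1.0">
 <entry><id>urn:example:e1</id>
  <category scheme="urn:ietf:params:rolie:category:information-type" term="vulnerability"/>
  <rolie:property name="urn:ietf:params:rolie:property:vulnerability:id"
                  value="EXAMPLE-VULN-0001"/>
  <content type="application/xml" src="https://example.invalid/v/0001.xml"/>
 </entry>
 <entry><id>urn:example:e2</id>
  <category scheme="urn:ietf:params:rolie:category:information-type" term="vulnerability"/>
  <content type="application/xml" src="https://example.invalid/v/0002.xml"/>
 </entry>
 <entry><id>urn:example:e3</id>
  <category scheme="urn:ietf:params:rolie:category:information-type" term="incident"/>
  <content type="application/xml" src="https://example.invalid/i/0003.xml"/>
 </entry>
</feed>"""

def is_vulnerability_entry(entry):
    """True when an atom:category marks the entry as the vulnerability type."""
    return any(c.get("scheme") == INFO_TYPE_SCHEME and c.get("term") == "vulnerability"
               for c in entry.findall("atom:category", NS))

def vulnerability_index(feed_xml):
    """Map each vulnerability entry's atom:id to (vuln id or None, content src).
    None means no property was exposed, so the linked document must be fetched."""
    index = {}
    for entry in ET.fromstring(feed_xml).findall("atom:entry", NS):
        if not is_vulnerability_entry(entry):
            continue
        vuln_id = next((p.get("value") for p in entry.findall("rolie:property", NS)
                        if p.get("name") == VULN_ID_PROP), None)
        content = entry.find("atom:content", NS)
        src = content.get("src") if content is not None else None
        index[entry.findtext("atom:id", namespaces=NS)] = (vuln_id, src)
    return index

def content_for_vuln_id(feed_xml, wanted):
    """Content src values whose advertised vulnerability ID matches wanted."""
    return [src for vid, src in vulnerability_index(feed_xml).values() if vid == wanted]
```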
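Added worked example for Section 8 (not part of the draft): a server-side routine that truncates an AtomPub service document so that a client sees only the workspaces and collections it is authorized for, with a workspace dropped entirely once none of its collections remain. Authorization is modelled as a set of permitted collection hrefs; the service document and its hosts are constructed placeholders.

```python
# Added example, not part of the draft: truncating a service document to the
# caller's authorization (Section 8) so unauthorized content is not revealed.
import xml.etree.ElementTree as ET

APP = "http://www.w3.org/2007/app"      # AtomPub service document namespace
ATOM = "http://www.w3.org/2005/Atom"
ET.register_namespace("app", APP)
ET.register_namespace("atom", ATOM)

# Constructed sample: one public workspace and one closed workspace.
SAMPLE_SERVICE = """<app:service xmlns:app="http://www.w3.org/2007/app"
  xmlns:atom="http://www.w3.org/2005/Atom">
 <app:workspace><atom:title>Public</atom:title>
  <app:collection href="https://example.invalid/pub/vulns"/>
 </app:workspace>
 <app:workspace><atom:title>Partner-only</atom:title>
  <app:collection href="https://example.invalid/closed/vulns"/>
  <app:collection href="https://example.invalid/closed/incidents"/>
 </app:workspace>
</app:service>"""

def truncate_service_document(service_xml, authorized_hrefs):
    """Return the service document with every collection the caller may not
    access removed, and every workspace left without collections removed, so
    the response carries no trace of content the caller cannot reach."""
    root = ET.fromstring(service_xml)
    for workspace in list(root.findall(f"{{{APP}}}workspace")):
        for coll in list(workspace.findall(f"{{{APP}}}collection")):
            if coll.get("href") not in authorized_hrefs:
                workspace.remove(coll)
        if workspace.find(f"{{{APP}}}collection") is None:
            root.remove(workspace)
    return ET.tostring(root, encoding="unicode")

def visible_collections(service_xml, authorized_hrefs):
    """(workspace title, collection href) pairs that survive truncation."""
    root = ET.fromstring(truncate_service_document(service_xml, authorized_hrefs))
    return [(ws.findtext(f"{{{ATOM}}}title"), c.get("href"))
            for ws in root.findall(f"{{{APP}}}workspace")
            for c in ws.findall(f"{{{APP}}}collection")]
```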