MILE Working Group                                           S. Banghart
Internet-Draft                                                      NIST
Intended status: Informational                            March 28, 2019
Expires: September 29, 2019

              Definition of the ROLIE Vulnerability Extension
                       draft-ietf-mile-rolie-vuln-00

Abstract

   This document extends the Resource-Oriented Lightweight Information
   Exchange (ROLIE) core to add the information type categories and
   related requirements needed to support Vulnerability use cases.
   Additional categories, properties, and requirements based on content
   type enable a higher level of interoperability between ROLIE
   implementations, and richer metadata for ROLIE consumers.  In
   particular, usage of the Common Vulnerability Enumeration (CVE) [cve]
   format and the draft Vulnerability Description Ontology (VDO) [vdo]
   are discussed.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 29, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  The "vulnerability" information type
   4.  Data Format Requirements
     4.1.  CVE Format
       4.1.1.  Description
       4.1.2.  Requirements
     4.2.  VDO Format
       4.2.1.  Description
       4.2.2.  Usage
   5.  Use of the atom:link element
     5.1.  Link relations for the 'vulnerability' information-type
   6.  IANA Considerations
     6.1.  information-type registrations
       6.1.1.  vulnerability information-type
     6.2.  rolie:property name registrations
   7.  Security Considerations
   8.  Normative References
   Author's Address

1.  Introduction

   Vulnerability data is used in a wide variety of security use cases.
   Researchers, CSIRTs, enterprises, software vendors, and consumers all
   have a need to communicate about computer vulnerabilities.  Today, a
   number of formats are used to describe these vulnerabilities: some of
   them are standardized, some of them are proprietary, and some of them
   are as rudimentary as a vaguely descriptive email message.

   This extension does not attempt to solve the vulnerability data
   format issue; that work is being done across standards groups and
   industry consortiums.  Instead, this extension serves to address the
   problem of sharing these data formats with downstream consumers in an
   automated and efficient fashion.

2.  Terminology

   The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT,"
   "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  The "vulnerability" information type

   When an "atom:category" element has a "scheme" attribute equal to
   "urn:ietf:params:rolie:category:information-type", the "term"
   attribute defines the information type of the associated resource.  A
   new valid value for this attribute, "vulnerability", is described in
   this section and registered in Section 6.1.1.  When this value is
   used, the resource in question is considered to have an information-
   type of "vulnerability" as per [RFC8322] Section 7.1.2.

   The "vulnerability" information-type represents any information
   describing or pertaining to a computer security vulnerability.  This
   document uses the definition of vulnerability provided by [RFC4949].
   Provided below is a non-exhaustive list of information that may be
   considered to be of a vulnerability information type.

   o  Fundamental identifying information, such as a global ID or
      number, that identifies a given vulnerability.
   o  Descriptive information, including but not limited to:

      *  Severity scoring - using some standardized scoring algorithm or
         otherwise,

      *  Execution details - how the vulnerability is exploited,

      *  Impact - what the consequences are of this vulnerability,

      *  History and provenance data - when the vulnerability was
         discovered, when it was reported and to whom,

      *  Plain text description of any of the above.

   o  Metadata attached to a vulnerability, such as information about
      the entity that discovered or described the vulnerability.

   Note again that this list is not exhaustive; any information that is
   in the abstract realm of a vulnerability should be classified under
   this information-type.

4.  Data Format Requirements

   This section defines usage guidance and additional requirements
   related to data formats above and beyond those specified in
   [RFC8322].  The following formats are expected to be commonly used to
   express software descriptor information.  For this reason, this
   document specifies additional requirements to ensure
   interoperability.

4.1.  CVE Format

4.1.1.  Description

   The Common Vulnerability Enumeration (CVE) provides a globally unique
   identifier for vulnerabilities.  Each CVE provides a CVE-ID, by which
   a vulnerability can be referred to in any context, as well as
   descriptive information about that vulnerability.

   For more information and in-depth specifications, please see [cve].

   CVE provides a valuable set of information fields, but itself does
   not provide a standardized data format.  This extension is
   standardized around the NIST NVD CVE Entry format [nvdcvexml].  There
   is a second format using the CVE information fields, defined in JSON
   Schema 1.0 [nvdcvejson].  These two representations of a CVE are
   equivalent, so either is valid when used in a ROLIE CVE Entry.

4.1.2.  Requirements

   For an Entry to be considered a "CVE Entry", it MUST fulfill the
   following conditions:

   o  The information-type of the Entry is "vulnerability".  For a
      typical Entry, this is derived from the information type of the
      Feed it is contained in.  For a standalone Entry, this is provided
      by an "atom:category" element.

   o  The document linked to by the "ref" attribute of the
      "atom:content" element is a CVE Entry as defined by either
      [nvdcvexml] or [nvdcvejson].

   The XML and JSON formats follow different requirements.  From here
   on, "CVE Entry" refers to an Entry as defined above in either the XML
   or JSON format, "XML CVE Entry" to one in the XML format, and "JSON
   CVE Entry" to one in the JSON format.

   An "XML CVE Entry" MUST conform to the following requirements:

   o  The value of the "type" attribute of the "atom:content" element
      MUST be "application/xml".

   o  There MUST be one "rolie:property" with the "name" attribute equal
      to "urn:ietf:params:rolie:property:content-id" and the "value"
      attribute exactly equal to the "" element in the attached
      CVE Entry.  This allows ROLIE consumers to more easily search
      for CVE Entries without needing to download the entry itself.

   A "JSON CVE Entry" MUST conform to the following requirements:

   o  The value of the "type" attribute of the "atom:content" element
      MUST be "application/json".

   o  There MUST be one "rolie:property" with the "name" attribute equal
      to "urn:ietf:params:rolie:property:content-id" and the "value"
      attribute exactly equal to the "cve:{cve_data_meta":{ID}}" element
      in the attached CVE Entry.  This allows ROLIE consumers to
      more easily search for CVE Entries without needing to download the
      entry itself.
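   As an added, runnable illustration of the "JSON CVE Entry" rules above
   (example code written for this page, not part of this draft or of any
   ROLIE implementation): it checks a constructed ROLIE Entry for the
   "vulnerability" information-type category, the "application/json"
   content type, and exactly one content-id property whose value equals
   the CVE-ID of the linked document.  It assumes the ROLIE XML namespace
   urn:ietf:params:xml:ns:rolie-1.0 from RFC 8322, the CVE-ID path
   cve/CVE_data_meta/ID of the NVD JSON 1.0 schema, and accepts the
   RFC 4287 "src" attribute of atom:content alongside the "ref" attribute
   named above; the feed URL and CVE-0000-0001 are placeholders.

```python
"""Check a ROLIE Entry against the "JSON CVE Entry" rules of Section 4.1.2."""
import json
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
ROLIE = "{urn:ietf:params:xml:ns:rolie-1.0}"  # ROLIE XML namespace (RFC 8322)
INFO_TYPE = "urn:ietf:params:rolie:category:information-type"
CONTENT_ID = "urn:ietf:params:rolie:property:content-id"

# Constructed sample: a ROLIE Entry plus the CVE document it links to.
# CVE-0000-0001 is a placeholder identifier, not a real CVE.
ENTRY = """<entry xmlns="http://www.w3.org/2005/Atom"
  xmlns:rolie="urn:ietf:params:xml:ns:rolie-1.0">
  <category scheme="urn:ietf:params:rolie:category:information-type"
    term="vulnerability"/>
  <rolie:property name="urn:ietf:params:rolie:property:content-id"
    value="CVE-0000-0001"/>
  <content type="application/json" src="https://feed.example/CVE-0000-0001.json"/>
</entry>"""
DOCS = {"https://feed.example/CVE-0000-0001.json":
        json.dumps({"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"}}})}


def check_cve_entry(entry_xml, fetch):
    """Return the list of violated requirements (empty list: the Entry passes).
    fetch(url) returns the linked document's text; injected so this runs offline."""
    entry = ET.fromstring(entry_xml)
    problems = []
    terms = [c.get("term") for c in entry.iter(ATOM + "category")
             if c.get("scheme") == INFO_TYPE]
    if "vulnerability" not in terms:
        problems.append("information-type is not 'vulnerability'")
    props = [p.get("value") for p in entry.iter(ROLIE + "property")
             if p.get("name") == CONTENT_ID]
    if len(props) != 1:
        problems.append("expected exactly one content-id property, found %d" % len(props))
    content = entry.find(ATOM + "content")
    ctype = content.get("type") if content is not None else None
    if ctype != "application/json":
        problems.append("atom:content type %r is not application/json" % ctype)
    if problems:
        return problems  # no point fetching content the Entry already fails on
    # The draft names the attribute "ref"; RFC 4287 atom:content uses "src".
    doc = json.loads(fetch(content.get("src") or content.get("ref")))
    # CVE-ID path assumed from the NVD JSON 1.0 schema: cve -> CVE_data_meta -> ID
    linked = doc.get("cve", {}).get("CVE_data_meta", {}).get("ID")
    if linked != props[0]:
        problems.append("content-id %r does not match CVE-ID %r in the linked document"
                        % (props[0], linked))
    return problems
```

   The content-id cross-check at the end is also the minimal verification
   that Section 7 asks automated consumers to perform before acting on a
   posted vulnerability.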
4.2.  VDO Format

4.2.1.  Description

   The Vulnerability Description Ontology (VDO) provides a dictionary
   and ontology for standardizing human language descriptions of
   vulnerabilities.  CVEs expose a decent amount of information, but one
   of those fields is a plain text description.  The VDO provides a
   means of completing this description in a way that makes it machine
   parsable and universally understandable across organizations.

   The VDO is currently defined in a draft National Institute of
   Standards and Technology (NIST) internal report.  As this draft is
   not yet fully stable, this document will provide only guidance on
   using the VDO inside a ROLIE repository.

   For more in-depth information, please see the draft at [vdo].

4.2.2.  Usage

   There is currently no standardized data format for the VDO; as such,
   there can be no ROLIE "VDO Entry".  Instead, the VDO can be utilized
   in plain text fields in an Entry.  ROLIE properties can contain long
   strings of text, exposing human language information.  In the
   vulnerability context, these human language fields can be filled in
   using the VDO.

   It is not recommended that the content element be populated with a
   plain text format using the VDO.

5.  Use of the atom:link element

   These sections define requirements for atom:link elements in Entries.
   Note that the requirements are determined by the information type
   that appears in either the Entry or in the parent Feed.

5.1.  Link relations for the 'vulnerability' information-type

   If the category of an Entry is the vulnerability information type,
   then the following requirements MUST be followed for support of
   atom:link elements.

   +----------+--------------------------------------------------------+
   | Name     | Description                                            |
   +----------+--------------------------------------------------------+
   | severity | Links to a document describing or scoring the severity |
   |          | of this vulnerability.                                 |
   +----------+--------------------------------------------------------+

     Table 1: Link Relations for Resource-Oriented Lightweight Indicator
                                  Exchange

6.  IANA Considerations

6.1.  information-type registrations

   IANA has added the following entries to the "ROLIE Security Resource
   Information Type Sub-Registry" registry located at .

6.1.1.  vulnerability information-type

   The entry is as follows:

   name: vulnerability

   index: TBD

   reference: This document, Section 3

6.2.  rolie:property name registrations

   IANA has added the following entries to the "ROLIE URN Parameters"
   registry located in .

7.  Security Considerations

   All security considerations of the core ROLIE document apply to use
   of this extension.

   The use of this particular extension implies the use of ROLIE in
   sharing vulnerability information.  In automated use cases,
   downstream consumers may be dynamically acquiring and acting on
   vulnerabilities posted to a ROLIE repository.  In this case, a
   compromised server could serve up false vulnerability information to
   trigger dangerous activity in automated consumers.  Automatic
   remediation solutions that consume shared vulnerability information
   in high risk use cases should take care to verify data before taking
   action.  If some global ID, such as a CVE-ID, is included, this
   verification should be trivial.

8.  Normative References

   [cve]      "Common Vulnerability Enumeration", .

   [nvdcvejson]
              "NVD CVE Entry JSON Schema", .

   [nvdcvexml]
              "NVD CVE Entry XML Schema", .

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997, .

   [RFC4287]  Nottingham, M., Ed. and R. Sayre, Ed., "The Atom
              Syndication Format", RFC 4287, DOI 10.17487/RFC4287,
              December 2005, .

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, .

   [RFC5023]  Gregorio, J., Ed. and B. de hOra, Ed., "The Atom
              Publishing Protocol", RFC 5023, DOI 10.17487/RFC5023,
              October 2007, .

   [RFC8322]  Field, J., Banghart, S., and D. Waltermire, "Resource-
              Oriented Lightweight Information Exchange (ROLIE)",
              RFC 8322, DOI 10.17487/RFC8322, February 2018, .

   [vdo]      "Vulnerability Description Ontology", .

Author's Address

   Stephen A. Banghart
   National Institute of Standards and Technology
   100 Bureau Drive
   Gaithersburg, Maryland
   USA

   Phone: (301)975-4288
   Email: stephen.banghart@nist.gov