draft-ietf-mile-rolie-vuln-01.txt   draft-ietf-mile-rolie-vuln-02.txt 
MILE Working Group S. Banghart MILE Working Group S. Banghart
Internet-Draft NIST Internet-Draft NIST
Intended status: Informational July 20, 2019 Intended status: Standards Track September 5, 2019
Expires: January 21, 2020 Expires: March 8, 2020
Definition of the ROLIE Vulnerability Extension Definition of the ROLIE Vulnerability Extension
draft-ietf-mile-rolie-vuln-01 draft-ietf-mile-rolie-vuln-02
Abstract Abstract
This document extends the Resource-Oriented Lightweight Information This document extends the Resource-Oriented Lightweight Information
Exchange (ROLIE) core to add the information type categories and Exchange (ROLIE) core to add the information type categories and
related requirements needed to support Vulnerability use cases. related requirements needed to support Vulnerability use cases.
Additional categories, properties, and requirements based on content Additional categories, properties, and requirements based on content
type enables a higher level of interoperability between ROLIE type enables a higher level of interoperability between ROLIE
implementations, and richer metadata for ROLIE consumers. In implementations, and richer metadata for ROLIE consumers. In
particular, usage of the Common Vulnerability Enumeration (CVE) [cve] particular, usage of the Common Vulnerability Enumeration (CVE) [cve]
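Review bot: The abstract expands CVE as "Common Vulnerability Enumeration" in both columns, but the MITRE program is named Common Vulnerabilities and Exposures; correct the expansion here and in the title of the [cve] reference. In the same paragraph, "Additional categories, properties, and requirements ... enables" should read "enable". The move of the intended status from Informational to Standards Track is a good occasion to fix both.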
skipping to change at page 1, line 37 skipping to change at page 1, line 37
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 21, 2020. This Internet-Draft will expire on March 8, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 7, line 7 skipping to change at page 7, line 7
vulnerabilities posted to a ROLIE repository. In this case, a vulnerabilities posted to a ROLIE repository. In this case, a
compromised server could serve up false vulnerability information to compromised server could serve up false vulnerability information to
trigger dangerous activity in automated consumers. Automatic trigger dangerous activity in automated consumers. Automatic
remediation solutions that consume shared vulnerability information remediation solutions that consume shared vulnerability information
in high risk use cases should take care to verify data before taking in high risk use cases should take care to verify data before taking
action. If some global ID, such as a CVE-ID, is included, this action. If some global ID, such as a CVE-ID, is included, this
verification should be trivial. verification should be trivial.
8. Normative References 8. Normative References
[cve] "Common Vulnerability Enumeration", <cve.mitre.org>. [cve] "Common Vulnerability Enumeration",
<https://cve.mitre.org/about/index.html>.
[cvexml] The MITRE Corporation, ,
<https://cve.mitre.org/schema/cve/cve_1.0.xsd>.
[nvdcvejson] [nvdcvejson]
"NVD CVE Entry JSON Schema", National Institute of Standards and Technology, "NVD CVE
Entry JSON Schema",
<https://csrc.nist.gov/schema/nvd/feed/1.0/ <https://csrc.nist.gov/schema/nvd/feed/1.0/
nvd_cve_feed_json_1.0.schema>. nvd_cve_feed_json_1.0.schema>.
[nvdcvexml] [nvdcvexml]
"NVD CVE Entry XML Schema", National Institute of Standards and Technology, "NVD CVE
Entry XML Schema",
<https://csrc.nist.gov/schema/nvd/nvdcve.xsdf>. <https://csrc.nist.gov/schema/nvd/nvdcve.xsdf>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC4287] Nottingham, M., Ed. and R. Sayre, Ed., "The Atom [RFC4287] Nottingham, M., Ed. and R. Sayre, Ed., "The Atom
Syndication Format", RFC 4287, DOI 10.17487/RFC4287, Syndication Format", RFC 4287, DOI 10.17487/RFC4287,
December 2005, <https://www.rfc-editor.org/info/rfc4287>. December 2005, <https://www.rfc-editor.org/info/rfc4287>.
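Review bot: The new [cvexml] entry has an empty title field ("The MITRE Corporation, ,"), so the reference renders with a doubled comma; add the schema's title between the author and the URL, as the [nvdcvejson] and [nvdcvexml] entries now do. The [nvdcvexml] URL ends in ".xsdf" in both columns, unlike the ".xsd" of [cvexml], and looks like a typo worth checking. In the security text above the references, "this verification should be trivial" does not say what a CVE-ID is verified against; naming the independent source an automated consumer compares the entry with before acting would make the advice usable for the compromised-server case the paragraph describes.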
skipping to change at page 7, line 40 skipping to change at page 7, line 46
[RFC5023] Gregorio, J., Ed. and B. de hOra, Ed., "The Atom [RFC5023] Gregorio, J., Ed. and B. de hOra, Ed., "The Atom
Publishing Protocol", RFC 5023, DOI 10.17487/RFC5023, Publishing Protocol", RFC 5023, DOI 10.17487/RFC5023,
October 2007, <https://www.rfc-editor.org/info/rfc5023>. October 2007, <https://www.rfc-editor.org/info/rfc5023>.
[RFC8322] Field, J., Banghart, S., and D. Waltermire, "Resource- [RFC8322] Field, J., Banghart, S., and D. Waltermire, "Resource-
Oriented Lightweight Information Exchange (ROLIE)", Oriented Lightweight Information Exchange (ROLIE)",
RFC 8322, DOI 10.17487/RFC8322, February 2018, RFC 8322, DOI 10.17487/RFC8322, February 2018,
<https://www.rfc-editor.org/info/rfc8322>. <https://www.rfc-editor.org/info/rfc8322>.
[vdo] "Vulnerability Description Ontology", <https://csrc.nist.g
ov/CSRC/media/Publications/nistir/8138/draft/documents/
nistir_8138_draft.pdf>.
Author's Address Author's Address
Stephen A. Banghart Stephen A. Banghart
National Institute of Standards and Technology National Institute of Standards and Technology
100 Bureau Drive 100 Bureau Drive
Gaithersburg, Maryland Gaithersburg, Maryland
USA USA
Phone: (301)975-4288 Phone: (301)975-4288
Email: stephen.banghart@nist.gov Email: stephen.banghart@nist.gov
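Review bot: The [vdo] entry exists only in the -01 column, so -02 removes it from Normative References; confirm that no section of -02 still cites [vdo], otherwise the citation is left dangling. If the Vulnerability Description Ontology is still mentioned in the body, an informative reference is the better home for a pointer to a draft NISTIR.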
 End of changes. 7 change blocks. 
11 lines changed or deleted 13 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/