draft-ietf-mile-rolie-vuln-02.txt   draft-ietf-mile-rolie-vuln-03.txt 
MILE Working Group S. Banghart MILE Working Group S. Banghart
Internet-Draft NIST Internet-Draft NIST
Intended status: Standards Track September 5, 2019 Intended status: Standards Track October 28, 2019
Expires: March 8, 2020 Expires: April 30, 2020
Definition of the ROLIE Vulnerability Extension Definition of the ROLIE Vulnerability Extension
draft-ietf-mile-rolie-vuln-02 draft-ietf-mile-rolie-vuln-03
Abstract Abstract
This document extends the Resource-Oriented Lightweight Information This document extends the Resource-Oriented Lightweight Information
Exchange (ROLIE) core to add the information type categories and Exchange (ROLIE) core to add the information type categories and
related requirements needed to support Vulnerability use cases. related requirements needed to support Vulnerability use cases.
Additional categories, properties, and requirements based on content Additional categories, properties, and requirements based on content
type enables a higher level of interoperability between ROLIE type enables a higher level of interoperability between ROLIE
implementations, and richer metadata for ROLIE consumers. In implementations, and richer metadata for ROLIE consumers. In
particular, usage of the Common Vulnerability Enumeration (CVE) [cve] particular, usage of the Common Vulnerability Enumeration (CVE) [cve]
skipping to change at page 1, line 37 skipping to change at page 1, line 37
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 8, 2020. This Internet-Draft will expire on April 30, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 23 skipping to change at page 2, line 23
4. Common Vulnerability Enumeration (CVE) Format . . . . . . . . 4 4. Common Vulnerability Enumeration (CVE) Format . . . . . . . . 4
4.1. Description . . . . . . . . . . . . . . . . . . . . . . . 4 4.1. Description . . . . . . . . . . . . . . . . . . . . . . . 4
4.2. Requirements . . . . . . . . . . . . . . . . . . . . . . 5 4.2. Requirements . . . . . . . . . . . . . . . . . . . . . . 5
5. Link relations for the 'vulnerability' 5. Link relations for the 'vulnerability'
information-type . . . . . . . . . . . . . . . . . . . . . . 5 information-type . . . . . . . . . . . . . . . . . . . . . . 5
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
6.1. information-type registrations . . . . . . . . . . . . . 6 6.1. information-type registrations . . . . . . . . . . . . . 6
6.1.1. vulnerability information-type . . . . . . . . . . . 6 6.1.1. vulnerability information-type . . . . . . . . . . . 6
7. Security Considerations . . . . . . . . . . . . . . . . . . . 6 7. Security Considerations . . . . . . . . . . . . . . . . . . . 6
8. Normative References . . . . . . . . . . . . . . . . . . . . 7 8. Normative References . . . . . . . . . . . . . . . . . . . . 7
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 7 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction 1. Introduction
As our software becomes more complex and interconnected, the number As our software becomes more complex and interconnected, the number
of software vulnerabilities exploitable by actors with mal-intent has of software vulnerabilities exploitable by actors with mal-intent has
skyrocketed. Huge amounts of resources have been poured into the skyrocketed. Huge amounts of resources have been poured into the
preemptive discovery, description, and remediation of these preemptive discovery, description, and remediation of these
vulnerabilities, but it is often a challenge to share and communicate vulnerabilities, but it is often a challenge to share and communicate
the results of these efforts. While bad-actors have vast the results of these efforts. While bad-actors have vast
collaboration networks that enable widespread knowledge of any collaboration networks that enable widespread knowledge of any
skipping to change at page 3, line 10 skipping to change at page 3, line 10
vulnerability to a vulnerability repository, where it is vulnerability to a vulnerability repository, where it is
automatically retrieved and consumed by enterprise systems. At this automatically retrieved and consumed by enterprise systems. At this
final stage, the enterprise can cross-reference against their final stage, the enterprise can cross-reference against their
enterprise wide software load to begin mitigating the issue. enterprise wide software load to begin mitigating the issue.
This extension to ROLIE introduces new requirements and IANA This extension to ROLIE introduces new requirements and IANA
registrations to allow ROLIE repositories to share vulnerability data registrations to allow ROLIE repositories to share vulnerability data
in a standardized and compatible way. in a standardized and compatible way.
This extension does not attempt to solve the vulnerability data This extension does not attempt to solve the vulnerability data
format issue, this work is being done across standards groups and format issue, as this work is being done across standards groups and
industry consortiums. Instead, this extension serves to address the industry consortiums. Instead, this extension serves to address the
problem of sharing these data formats to downstream consumers in a problem of sharing these data formats to downstream consumers in a
automated and efficient fashion. automated and efficient fashion.
2. Terminology 2. Terminology
The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT," The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT,"
"SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC8174].
As an extension of [RFC8322], this document refers to many terms As an extension of [RFC8322], this document refers to many terms
defined in that document. In particular, the use of "Entry" and defined in that document. In particular, the use of "Entry" and
"Feed" are aligned with the definitions presented there. "Feed" are aligned with the definitions presented there.
Several places in this document refer to the "information-type" of a Several places in this document refer to the "information-type" of a
Resource (Entry or Feed). This refers to the "term" attribute of an Resource (Entry or Feed). This refers to the "term" attribute of an
"atom:category" element whose scheme is "atom:category" element whose scheme is
"urn:ietf:params:rolie:category:information-type". For an Entry, "urn:ietf:params:rolie:category:information-type". For an Entry,
this value can be inherited from it's containing Feed as per this value can be inherited from it's containing Feed as per
[RFC8322]. [RFC8322].
This document uses the definition of "vulnerability" given by
[RFC4949].
3. The "vulnerability" information type 3. The "vulnerability" information type
When an "atom:category" element has a "scheme" attribute equal to When an "atom:category" element has a "scheme" attribute equal to
"urn:ietf:params:rolie:category:information-type", the "term" "urn:ietf:params:rolie:category:information-type", the "term"
attribute defines the information type of the associated resource. A attribute defines the information type of the associated resource. A
new valid value for this attribute: "vulnerability", is described in new valid value for this attribute: "vulnerability", is described in
this section, and registered in Section 6.1.1. When this value is this section, and registered in Section 6.1.1. When this value is
used, the resource in question is considered to have an information- used, the resource in question is considered to have an information-
type of "vulnerability" as per [RFC8322] Section 7.1.2. type of "vulnerability" as per [RFC8322] Section 7.1.2.
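Review bot: the -03 terminology paragraph ("The key words ... are to be interpreted as described in [RFC8174]") replaces [RFC2119] with [RFC8174] instead of adopting the RFC 8174 boilerplate, which cites BCP 14 [RFC2119] [RFC8174] together and adds "when, and only when, they appear in all capitals, as shown here"; RFC 8174 only amends RFC 2119, so citing it alone drops the definitions of the key words themselves, and [RFC2119] should stay in the normative references next to the newly added [RFC8174] entry. Also, "inherited from it's containing Feed" should read "its" (unchanged between -02 and -03).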
skipping to change at page 4, line 20 skipping to change at page 4, line 22
* Impact - what the consequences are of this vulnerability * Impact - what the consequences are of this vulnerability
* History and provenance data - when was the vulnerability * History and provenance data - when was the vulnerability
discovered, when was it reported and to whom, discovered, when was it reported and to whom,
* Plain text description of any of the above * Plain text description of any of the above
o Metadata attached to a vulnerability, such as information about o Metadata attached to a vulnerability, such as information about
the entity that discovered or described the vulnerability. the entity that discovered or described the vulnerability.
Note again that this list is not exhaustive, any information that in Note again that this list is not exhaustive: any information that is
is the abstract realm of a vulnerability should be classified under in the abstract realm of a vulnerability should be classified under
this information-type. The final decision as to the information type this information-type. The final decision as to the information type
of an Entry is up to the provider and author of the Entry. of an Entry is up to the provider and author of the Entry.
4. Common Vulnerability Enumeration (CVE) Format 4. Common Vulnerability Enumeration (CVE) Format
4.1. Description 4.1. Description
The Common Vulnerability Enumeration (CVE) provides a globally unique The Common Vulnerability Enumeration (CVE) provides a globally unique
identifier for vulnerabilities. Each CVE provides a CVE-ID, by which identifier for vulnerabilities. Each CVE provides a CVE-ID, by which
a vulnerability can be referred to in any context, as well as a vulnerability can be referred to in any context, as well as
skipping to change at page 4, line 43 skipping to change at page 4, line 45
For more information and in-depth specifications, please see [cve]. For more information and in-depth specifications, please see [cve].
CVE provides a valuable set of information fields, but itself does CVE provides a valuable set of information fields, but itself does
not provide a standardized data format. This extension provides not provide a standardized data format. This extension provides
standardization around two common serializations of the CVE standard, standardization around two common serializations of the CVE standard,
both used by the National Institute of Standards and Technology both used by the National Institute of Standards and Technology
(NIST) National Vulnerability Database (NVD). The NVD provides a (NIST) National Vulnerability Database (NVD). The NVD provides a
repository of "CVE Entries" available in either serialization format. repository of "CVE Entries" available in either serialization format.
The first format is XML-based: the NIST NVD CVE Entry format The first format is XML-based: the NIST NVD CVE Entry format
[nvdcvexml], and the second is JSON based: NIST NVD JSON CVE Entry [nvdcvexml], and the second is JSON-based: NIST NVD JSON CVE Entry
Format [nvdcvejson]. These two representations of a CVE are Format [nvdcvejson]. These two representations of a CVE are
equivalent, and can be losslessly converted. equivalent, and can be losslessly converted.
This section defines usage guidance and additional requirements above This section defines usage guidance and additional requirements above
and beyond those specified in [RFC8322] that apply when CVE data and beyond those specified in [RFC8322] that apply when CVE data
formats are in use. formats are in use.
4.2. Requirements 4.2. Requirements
For an Entry to be considered a "CVE Entry", it MUST fulfill the For an Entry to be considered a "CVE Entry", it MUST fulfill the
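Review bot: "Common Vulnerability Enumeration" is not what CVE stands for; the expansion is "Common Vulnerabilities and Exposures", and the wrong form appears in the Section 4 heading, in the first sentence of Section 4.1, in the table of contents and in the abstract, unchanged in both versions. Smaller point in Section 3: "A new valid value for this attribute: "vulnerability", is described in this section" reads better without the colon ("A new valid value for this attribute, "vulnerability", is described in this section").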
skipping to change at page 7, line 41 skipping to change at page 7, line 41
December 2005, <https://www.rfc-editor.org/info/rfc4287>. December 2005, <https://www.rfc-editor.org/info/rfc4287>.
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", [RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
<https://www.rfc-editor.org/info/rfc4949>. <https://www.rfc-editor.org/info/rfc4949>.
[RFC5023] Gregorio, J., Ed. and B. de hOra, Ed., "The Atom [RFC5023] Gregorio, J., Ed. and B. de hOra, Ed., "The Atom
Publishing Protocol", RFC 5023, DOI 10.17487/RFC5023, Publishing Protocol", RFC 5023, DOI 10.17487/RFC5023,
October 2007, <https://www.rfc-editor.org/info/rfc5023>. October 2007, <https://www.rfc-editor.org/info/rfc5023>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8322] Field, J., Banghart, S., and D. Waltermire, "Resource- [RFC8322] Field, J., Banghart, S., and D. Waltermire, "Resource-
Oriented Lightweight Information Exchange (ROLIE)", Oriented Lightweight Information Exchange (ROLIE)",
RFC 8322, DOI 10.17487/RFC8322, February 2018, RFC 8322, DOI 10.17487/RFC8322, February 2018,
<https://www.rfc-editor.org/info/rfc8322>. <https://www.rfc-editor.org/info/rfc8322>.
Author's Address Author's Address
Stephen A. Banghart Stephen A. Banghart
National Institute of Standards and Technology National Institute of Standards and Technology
100 Bureau Drive 100 Bureau Drive
Gaithersburg, Maryland Gaithersburg, Maryland
USA USA
Phone: (301)975-4288 Phone: (301)975-4288
Email: stephen.banghart@nist.gov Email: stephen.banghart@nist.gov
 End of changes. 11 change blocks. 
10 lines changed or deleted 18 lines changed or added