MILE Working Group                                              J. Field
Internet-Draft                                                   Pivotal
Intended status: Informational                               S. Banghart
Expires: December 5, 2016 January 9, 2017                                   D. Waltermire
                                                                    NIST
                                                            June 3,
                                                            July 8, 2016

           Resource-Oriented Lightweight Information Exchange
                        draft-ietf-mile-rolie-02
                        draft-ietf-mile-rolie-03

Abstract

   This document defines a resource-oriented approach to cyber for security
   automation information publication, discovery, and sharing.  Using
   this approach, operators producers may publish, share and exchange
   representations of cyber security incidents, attack indicators, software
   vulnerabilities, configuration checklists, and other related security
   automation information as Web-addressable resources.  Furthermore,
   consumers and other stakeholders may access and search this security content
   information as needed, establishing a rapid and on-demand information
   exchange network for restricted internal use or public access
   repositories.  This specification builds on and extends the Atom Publishing
   Protocol and Atom Syndication Format to transport and share cyber security
   automation resource representations.  This document leverages the existing
   representations IODEF and RID where appropriate, and supports related
   cyber security representation standards.

Contributing to this document

   The source for this draft is being maintained in GitHub.  Suggested
   changes should be submitted as pull requests at
   <https://github.com/CISecurity/ROLIE>.  Instructions are on that page
   as well.  Editorial changes can be managed in GitHub, but any
   substantial issues need to be discussed on the MILE mailing list.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."
   This Internet-Draft will expire on December 5, 2016. January 9, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Background and Motivation  XML-related Conventions . . . . . . . . . . . . . . . . . . .   4
     3.1.  Message-oriented versus Resource-oriented Architecture  .   5
       3.1.1.  Message-oriented Architecture  XML Namespaces  . . . . . . . . . . . .   5
       3.1.2.  Resource-Oriented Architecture . . . . . . . . .   4
     3.2.  RELAX NG Schema . .   6
   4.  Atom Publication Protocol and Atom Syndication Format TODO .   7
   5.  Normative Requirements TODO . . . . . . . . . . . . . . . . .   8
     5.1.  Atom Requirements .   5
   4.  Background and Motivation . . . . . . . . . . . . . . . . . .   5
     4.1.  Message-oriented versus Resource-oriented Architecture  .   8
     5.2.  Transport Layer Security   6
       4.1.1.  Message-oriented Architecture . . . . . . . . . . . .   6
       4.1.2.  Resource-Oriented Architecture  . . . .   8
     5.3.  Archiving and Paging . . . . . . .   7
     4.2.  Use of the Atom Publishing Protocol . . . . . . . . . . .   8
     5.4.  Expectation and Impact Classes  . .
   5.  ROLIE Requirements for the Atom Publishing Protocol . . . . .   9
     5.1.  AtomPub Service Documents . . . . . .   8
     5.5.  User Authentication . . . . . . . . . .   9
       5.1.1.  Use of the "app:workspace" Element  . . . . . . . . .   9
     5.6.  User Authorization  .
       5.1.2.  Use of the "app:collection" Element . . . . . . . . .  10
     5.2.  Service Discovery . . . . . . . . .   9
     5.7.  Content Model . . . . . . . . . . .  11
     5.3.  Transport Layer Security  . . . . . . . . . . .   9
     5.8.  HTTP methods . . . . .  11
     5.4.  User Authentication . . . . . . . . . . . . . . . . .  10
     5.9.  Service Discovery . .  11
     5.5.  User Authorization  . . . . . . . . . . . . . . . . . .  11
       5.9.1.  Workspaces .  12
     5.6.  / (forward slash) Resource URL  . . . . . . . . . . . . .  12
     5.7.  HTTP methods  . . . . . . .  11
       5.9.2.  Collections . . . . . . . . . . . . . . .  12
   6.  ROLIE Requirements for the Atom Syndication Format  . . . . .  12
     6.1.  Use of the "atom:feed" element  .  11
       5.9.3.  Service Document Security . . . . . . . . . . . .  13
       6.1.1.  Use of the "atom:category" Element  . .  11
     5.10. Category Mapping . . . . . . .  13
       6.1.2.  Use of the "atom:link" Element  . . . . . . . . . . .  14
       6.1.3.  Use of the "atom:updated" Element . .  11
       5.10.1.  Collection Category . . . . . . . .  16
     6.2.  Use of the  "atom:entry" Element  . . . . . . . .  12
       5.10.2.  Entry Category . . . .  16
       6.2.1.  Use of the "atom:content" Element . . . . . . . . . .  16
       6.2.2.  Use of the "atom:link" Element  . . . . .  12
     5.11. Entry ID . . . . . .  17
       6.2.3.  Use of the "rolie:format" Element . . . . . . . . . .  17

     6.3.  Link Relations  . . . . . . . .  12
     5.12. Entry Content . . . . . . . . . . . . .  17
   7.  Use of OpenSearch . . . . . . . . .  13
     5.13. Link Relations . . . . . . . . . . . . .  17
   8.  Characterizing ROLIE Collections and Resources  . . . . . . .  18
     8.1.  Identification of Security Automation Information Types .  13
       5.13.1.  Additional Link Relation Requirements  18
     8.2.  General Use of the "atom:category" Element  . . . . . . .  15
     5.14. Member Entry Forward  19
     8.3.  Identification of Security Automation Information Formats  20
   9.  Formal Syntax for the ROLIE Schema  . . . . . . . . . . . . .  20
   10. IANA Considerations TODO  .  15
     5.15. Date Mapping . . . . . . . . . . . . . . . . .  20
     10.1.  XML Namespaces and Schema URNs . . . . .  16
     5.16. Search . . . . . . . .  20
     10.2.  ROLIE Parameters . . . . . . . . . . . . . . . . .  16
     5.17. / (forward slash) . . .  21
     10.3.  Security Resource URL Information Type Registry  . . . . . .  21
   11. Security Considerations TODO  . . . . . . .  16
   6.  Security Considerations TODO . . . . . . . . .  22
   12. Acknowledgements  . . . . . . .  17
   7.  IANA Considerations TODO . . . . . . . . . . . . . . .  24
   13. References  . . .  19
   8.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . .  19
   9.  24
     13.1.  Normative References . . . . . . . . . . . . . . . . . .  25
     13.2.  Informative References . . . . . . .  19
     9.1.  Normative References . . . . . . . . . .  26
     13.3.  URIs . . . . . . . .  19
     9.2.  Informative References . . . . . . . . . . . . . . . . .  20
     9.3.  URIs .  27
   Appendix A.  Use Case Examples  . . . . . . . . . . . . . . . . .  27
     A.1.  Service Discovery . . . . . . . . .  21 . . . . . . . . . . .  27
     A.2.  Feed Retrieval  . . . . . . . . . . . . . . . . . . . . .  30
     A.3.  Entry Retrieval . . . . . . . . . . . . . . . . . . . . .  32
     A.4.  Use Case:  Search . . . . . . . . . . . . . . . . . . . .  34
   Appendix A. B.  XACML Guidance . . . . . . . . . . . . . . . . . . .  36
   Appendix C.  Relax NG Schema for ROLIE Extensions . . . . . . . .  38
   Appendix D.  Change Tracking  . . . . . . . . . . . . . . . . . .  21  38
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  22  39

1.  Introduction

   This document defines a resource-oriented approach to cyber security
   automation information sharing that follows the REST (Architectural Styles S
   tyles and t
   he the Design of Network-based Software Architectures)
   architectural style.  In this approach, cyber computer security resources
   are maintained in web-accessible repositories structured as Atom
   Syndication Format [RFC4287] feeds.  Representations of content specific
   types of security automation information are categorized and
   organized into indexed collections, which are may be requested by the
   consumer.  As the set of resource collections are forward facing, the
   consumer may search all available content for which they are
   authorized to view view, and request that the information resources which is are
   desired.  Granular  Through use of granular authentication and access controls permit controls,
   only authorized consumers may be permitted the ability to view, read, read or
   write to a given feed.  This approach is in contrast to, and meant to
   improve on, the traditional point-to-
   point point-to-point messaging system, in which
   consumers must request individual pieces of information from a server
   following a triggering event.
   This traditional  The point-to-point approach creates a
   closed system of information sharing that encourages duplication of efforts
   effort and hinders automated
   cyber security systems.

   The goal of this document is to define the a RESTful approach to cyber security
   information communication with the intent of two primary intents: 1) increasing
   communication and sharing of incident reports, vulnerability
   assessments, configuration checklists, and other security content automation
   information between producers, operators, providers and consumers. consumers; and 2) establishing a
   standardized communication system to support automated computer
   security systems.

   In order to exchange information as web-addressable resources, the
   resource representations leverage deal with the existing IODEF [RFC5070] great variety in security automation
   information types and
   RID [RFC6545] specifications associated resource representations, this
   specification defines extension points that can be used to add
   support for new information types and other representation standards as
   appropriate.  The transport protocol binding is specified as HTTP(S)
   with a media type associated resource
   representations by means of Atom+XML.  An appropriate set additional supplementary specification
   documents.  This primary document is resource representation
   agnostic, and defines the core requirements of link relation
   types specific all implementations.
   Those seeking to cyber provide support for specific security automation
   information sharing is defined.

   Coexistence with deployments that conform types should refer to existing specifications
   including RID [RFC6545] and Transport of Real-time Inter-network
   Defense (RID) Messages over HTTP/TLS [RFC6546] is supported via
   appropriate use of HTTP status codes. the specification for that format
   described by the IANA registry found in section 10.3.

2.  Terminology

   The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT,"
   "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Definitions for some of the common computer security-related
   terminology used in this document can be found in Section 2 of
   [RFC5070].

3.  XML-related Conventions

3.1.  XML Namespaces

   This specification uses XML Namespaces [W3C.REC-xml-names-20091208]
   to uniquely identify XML element names.  It uses the following
   namespace prefix mappings for the indicated namespace URI:

      "app" is used for the "http://www.w3.org/2007/app" namespace
      defined in [RFC5023].

      "atom" is used for the "http://www.w3.org/2005/Atom" namespace
      defined in [RFC4287].

      "rolie" is used for the "urn:ietf:params:xml:ns:rolie:1.0"
      namespace defined in section 10.1 of this specification.

3.2.  RELAX NG Schema

   Some sections of this specification are illustrated with fragments of
   a non-normative RELAX NG Compact schema [relax-NG].  However, the
   text of this specification provides the definition of conformance.
   Complete schemas appear for the "urn:ietf:params:xml:ns:rolie-1.0"
   namespace in appendix C.  Schema for the "http://www.w3.org/2007/app"
   and "http://www.w3.org/2005/Atom" namespaces appear in RFC5023
   appendix B [RFC5023] and RFC4287 appendix B [RFC4287] respectively.

4.  Background and Motivation

   It is well known that the field of threats thatthreats to computer security is are evolving ever
   more rapidly as time goes on.  As software increases in complexity,
   the number of vulnerabilities in our systems and networks can increase
   exponentially.  Threat actors looking to exploit these
   vulnerabilities are making more frequent and more widely distributed
   attacks across a large variety of systems.  The adoption of liberal
   information sharing amongst attackers creates a window of as little
   as a few hours between the discovery of a vulnerability and attacks
   on the a vulnerable system.  As the skills and knowledge required to
   identify and combat these attacks become more and more specialized,
   even a well established and secure system may find itself unable to
   quickly respond to an incident.  Effective identification of and
   response to a sophisticated attack requires open cooperation and
   collaboration between defending operators, software vendors, and even
   end-users. end-
   users.  To improve the timeliness of responses, automation must be
   used to acquire, contextualize, and put to use shared computer
   security information.

   Existing approaches to cyber computer security information sharing are based
   upon often
   use message exchange patterns that are point-to-point, and event-
   driven.  Sometimes, information that may be useful to, and sharable to share with
   multiple peers is only made available to peers after they have
   specifically requested it.  Unfortunately, a sharing peer may not
   know, a priori, what information to request from another peer.
   Sending unsolicited RID reports does  Some
   exsisting systems provide a mechanism for
   alerting, unsolicited information
   requests, however these reports are again sent point-to-point, and
   must be reviewed for relevance and then prioritized for action by the
   recipient.  Thus, distribution of some relevant incident and
   indicator information may exhibit significant
   recipient, introducing additional latency.

   In order to adequately combat the evolving threats, computer security
   information resource producers providers should be enabled to share selected
   information proactively as appropriate.  Proactive sharing greatly
   aids knowledge
   dissemination as well as improving on dissemination, and improves response times and
   usability.

   For example, a cyber security analyst would can benefit by having the ability to
   search a comprehensive collection of attack indicators that have been
   published by a government agency, or by another member of a sharing
   consortium.  The representation of each indicator may include links
   to the related resources, enabling an appropriately authenticated and
   authorized analyst to freely navigate the information space of
   indicators, incidents, vulnerabilities, and other cyber computer security
   domain concepts, concepts as needed.  In general, a more
   Web-centric sharing approach will enable a this way, an analyst can more dynamic and agile
   collaboration amongst
   effectively utilize the super set of information made publicly
   available.

   Consider also the case of an automated endpoint management system
   attempting to proactively prevent software flaws from compromising
   the security of the affected systems.  During its full network sweep,
   the endpoint monitoring system would check each endpoint for outdated
   or vulnerable software.  This system would benefit from having access
   to not only the software vendor's list of vulnerabilities, but also
   vulnerabilities discovered by other vulnerability researchers.  An
   advanced system could even give back to this sharing consortium by
   sharing any vulnerabilities that it discovers.  The natural
   conclusion of such a broader, sharing network is an automated security
   solution that can dynamically find and varying constituency. collect information from a
   globally distributed web of information repositories.

   The following sections discuss section discusses additional specific technical issues
   that motivate motivated the development of an this alternative approach.

3.1.

4.1.  Message-oriented versus Resource-oriented Architecture

   The existing approaches to cyber computer security information sharing are
   based upon message-oriented interactions.  The following paragraphs
   explore some of the architectural constraints associated with
   message-oriented interactions and consider the relative merits of an
   alternative model based on a Resource-oriented resource-oriented architecture for use
   in some use case scenarios.

   ROLIE specifies a resource-oriented architecture that attempts to
   address the issues present in a message-oriented architecture.

3.1.1.

4.1.1.  Message-oriented Architecture

   In general, message-based integration architectures may be based upon
   either an RPC-style or a document-style binding.  The message types
   defined by RID represent Real-time Inter-network Defense (RID) [RFC6545] represents
   an example of an RPC-style request.  This approach imposes implied
   requirements for conversational state management on both of the
   communicating RID endpoint(s).  Experience has shown that this state
   management frequently becomes the limiting factor with respect to the
   runtime scalability of an RPC-style architecture.

   In addition, the practical scalability of a peer-to-peer message-
   based approach will be limited by the administrative procedures
   required to manage O(N^2) trust relationships and at least O(N)
   policy groups.

   As long as the number of participating entities in an information
   sharing consortium is limited to a relatively small number of nodes
   (i.e., O(2^N), where N < 5), these scalability constraints may not
   represent a critical concern.  However, when there is a requirement
   to support a significantly larger number of participating peers, a
   different architectural approach will be required.  Towards the goal
   to create a large-scale network of entities sharing information, this
   traditional architecture only creates small and isolated groupings of
   sharing, encouraging effort duplication between these sharing
   islands.  One alternative to the message-based approach that has
   demonstrated scalability and a high degree of connectedness is the
   REST [REST] architectural style.

3.1.2.

4.1.2.  Resource-Oriented Architecture

   Applying the REST architectural style to the problem domain of cyber
   security information sharing would take the approach of involves exposing
   incidents, indicators, and information in any other
   relevant types type as simple Web-
   addressable Web-addressable resources.  Each provider
   maintains their own repository of data, with public and private
   sections as needed.  Any producer or consumer can then discover these
   repositories, search for relevant feeds, and pull information from
   them.  By using this approach, an organization can more quickly and
   easily share relevant incident and indicator
   information data representations with a much larger and
   potentially more diverse constituency.  A consumer may leverage
   virtually any available HTTP user agent in order to make requests of
   the service provider.  This improved ease of use could enable enables more rapid
   adoption and broader participation, thereby improving security for
   everyone.

   A key interoperability aspect of any RESTful Web service will be the
   choices regarding is the available ability provide
   multiple resource representations.  For example, clients may request
   that a given resource representation be returned as either XML XML, JSON, or JSON. in
   some other format.  In order to enable back-
   compatibility backwards-compatibility and
   interoperability with existing implementations,
   IODEF [RFC5070] is specified for this transport binding as a
   mandatory the RESTful approach
   allows the provider to implement (MTI) data representation for incident and
   indicator resources.  In addition make differing formats available proactively,
   allowing the consumer to simply select the REQUIRED representation, an
   implementation MAY support additional representations if and as
   needed such as IODEF extensions, the RID schema, or other schemas.
   For example, an implementation may choose to provide support for
   returning a JSON representation of an incident resource.

   Finally, version that best suits
   them.

   Finally, an important principle of the REST architectural style is
   the use of hypertext links focus on hypermedia as the embodiment engine of application state (HATEOAS).

   Rather than the server maintaining conversational state for each client context,
   client, the server will instead include a suitable set of hyperlinks
   in the resource representation that is returned to the client.  In this way, the server remains stateless with respect
   to a series of client requests.  The
   included hyperlinks provide the client with a specific set of
   permitted state transitions.  Using these links the client may
   perform an operation, such as updating or deleting the resource
   representation.  The client may also be provided with hypertext links
   that can be used to navigate to any related resource.  For example,
   the resource representation for an incident object may contain links
   to the related indicator resource(s).

   This document specifies  In this way, the use server
   remains stateless with respect to a series of Atom Syndication Format [RFC4287]
   and Atom Publishing Protocol [RFC5023] as the mechanism for
   representing the required hypertext links.

3.1.2.1. client requests.

4.1.2.1.  A Resource-Oriented Use Case: "Mashup"

   In this section we consider a non-normative an example use case scenario for creating a cyber
   computer security "mashup".

   Any operator can authorize any or all members

   A producer creates and maintains a feed of the sharing
   community to quickly information on threat
   actors, whilst another creates and easily navigate through any maintains a feed of attack
   indicators.  Each has authorized a large consortium of the cyber security information that that provider is willing
   analysts to share.  An
   analyst may access these feeds as they see fit.  Any one of these
   analysts can then make HTTP(S) HTTP(s) requests to the servers to collect vulnerability
   sets of information known at one producer and threat actor data being made
   available from another producer. each provider.  The resulting correlations
   may yield new insights that enable a more timely and effective
   defensive response.  Of course, this report may, in turn, be made
   available to others as a new Web-addressable resource, reachable via
   another URL.  By employing exposing information using the RESTful Web service approach in
   this way, the effectiveness of the collaboration amongst a consortium
   of cyber security stakeholders can be greatly improved.

4.

4.2.  Use of the Atom Publication Publishing Protocol and Atom Syndication Format TODO

   As described in

   This specification defines a profile of the Atom Publishing Protocol [RFC5023], an
   (AtomPub) [RFC5023] and Atom Service
   Document is an XML-based Syndication Format [RFC4287] providing
   implementation requirements for a security information sharing
   solution as a RESTful Web service.

   This document format assumes that allows a client to
   dynamically discover the collections provided by a publisher.

   As described in reader has an understanding of both
   the AtomPub and Atom Syndication Format [RFC4287], Atom is an XML-
   based specifications.

   The following two sections of this document format that describes lists of related information
   items known provide requirements for
   using the Atom Syndication Format and AtomPub as collections, or "feeds".  Each feed document contains a collection of zero or more related RESTful binding
   for security automation information items called "member
   entries" or "entries".

   When applied sharing.

5.  ROLIE Requirements for the Atom Publishing Protocol

   This section describes a number of restrictions of and extensions to
   the problem domain Atom Publishing Protocol (AtomPub) [RFC5023] that define the use
   of cyber security information
   sharing, that protocol in the context of a ROLIE-based solution.

5.1.  AtomPub Service Documents

   As described in RFC5023 section 8 [RFC5023], a Service Document is an Atom feed may be used
   XML-based document format that allows a client to represent any meaningful
   collection dynamically
   discover the collections provided by a publisher.  A Service Document
   consists of information resources such one or more app:workspace elements that may each contain
   a number of app:collection elements.

   The general structure of a service document is as follows (from
   RFC5023 section 4.2 [RFC5023]):

        Service
           o- Workspace
           |    |
           |    o- Collection
           |         |
           |         o- IRI, categories, media types
           |
           o- Workspace
                |
                o- Collection
                     |
                     o- IRI, categories, media types

5.1.1.  Use of the "app:workspace" Element

   In AtomPub, a set Workspace, represented by the "app:workspace" element,
   describes a group of incidents, one or
   indicators.  Each entry more Collections.  Building on the
   AtomPub concept of a Workspace, in ROLIE a feed could then represent Workspace represents an individual
   incident, or indicator, or some other resource, as appropriate.
   Additional feeds could be used to represent other meaningful and
   useful collections
   aggregation of cyber Collections pertaining to security automation
   information resources.  A feed may be
   categorized, and  This specification does not impose any feed
   restrictions on the number of Workspaces that may contain information from zero be in a Service
   Document or more
   categories. the specific Collections to be provided within a given
   Workspace.

   The naming scheme and following restrictions are imposed on the semantic meaning use of the terms
   used to identify an Atom category are application-defined.

   This document assumes that the reader has an understanding of
   app:workspace element in ROLIE:

   o  A ROLE repository can host Collections containing both
   Atom documents.  Further discussion of Atom's application public and
      private information entries.  It is RECOMMENDED that public and
      private collections be segregated into different Workspaces.  By
      doing this, Workspaces that contain private information can be
      ignored by clients.

   o  Appropriate descriptions and naming conventions SHOULD be used to this
   domain a well of examples of its use are provided in
      indicate the BCG
   document.

5.  Normative Requirements TODO intended audience of each workspace.  This section provides helps to
      facilitate the NORMATIVE requirements for using Atom
   format and Atom Pub as a RESTful binding for cyber security
   information sharing.

5.1.  Atom Requirements

   Implementations selection of this specification MUST implement all requirements
   specified in Atom Publishing Protocol and the Atom Syndication
   Format.  (TODO: work on a more normative and perhaps constrained
   requirement.)

5.2.  Transport Layer Security

   Implementations MUST support server-authenticated TLS.

   Implementations MAY support mutually authenticated TLS.

5.3.  Archiving and Paging

   A feed appropriate Workspaces by clients.

   o  An implementation can contain an arbitrary provide any number of entries.  In some cases,
   the complete response to Collections within a
      given query may consist of a logical
   result set Workspace.  It is RECOMMENDED that contains each collection appear in
      only a large single Workspace.  This helps to reduce the number of entries.  As a practical
   matter, the full result set will likely
      duplicate collections that need to be divided into more
   manageable portions.  For example, a query may produce a full result
   set examined to discover
      information that may need is relevant to be grouped into logical pages, for purposes a given client.

5.1.2.  Use of
   rendering on the "app:collection" Element

   In AtomPub, a user interface.

   An historical feed may need to Collection in a Service Document, represented by the
   "app:collection" element, provides metadata that can be stable, and/or divided into some
   defined epochs.  Implementations SHOULD support the mechanisms
   described in Feed Paging and Archiving [RFC5005] used to provide
   capabilities for paging and archiving of feeds.

5.4.  Expectation and Impact Classes

   It is frequently the case point
   to a specific Atom Feed that an organization will need contains information Entries that may be
   of interest to triage
   their investigation a client.  The association between a Collection and response activities based upon, e.g., a
   Feed is provided by the
   state "href" attribute of the current threat environment, or simply as a result app:collection
   element.  Building on the AtomPub concept of
   having limited resources.

   In order a Collection, in ROLIE a
   Collection represents a pointer to enable operators a group of security automation
   information resources pertaining to effectively prioritize their response
   activity, it is RECOMMENDED that feed implementers provide a given type of security
   automation information.  Collections are represented as Atom
   categories that correspond to feeds as
   per RFC 5023.  Feed specific requirements are defined in section 6.1.

   The following restrictions are imposed on the IODEF Expectation and Impact
   classes. use of the
   app:collection element for ROLIE:

   o  The availability atom:category elements contained in the app:categories element
      MUST be the same set of these feed categories will enable
   clients atom:categories used in the Atom Feed
      indicated by the app:collection "href" attribute value.  This
      ensures that the category metadata associated with the Feed is
      discoverable in the corresponding Collection in the Service
      Document.

   o  An app:collection pertaining to more easily retrieve and prioritize cyber a security automation information
      resource Feed MUST contain an app:categories element that has already been identified
      minimally contains a single atom:category element with the
      "scheme" attribute value of "urn:ietf:params:rolie:information-
      type".  This category MUST have an appropriate "term" attribute
      value as having defined in section 8.2.  This ensures that a specific
   potential impact, or having given
      Collection corresponds to a specific expectation.

   Support for these categories may also enable efficiencies for
   organizations type of security automation
      information.

   o  Any app:collection element that already have established (or plan to establish)
   operational processes and workflows does not contain a descendant
      atom:category element with the "scheme" attribute value of
      "urn:ietf:params:rolie:information-type" MUST be considered a non-
      ROLIE Collection.  This allows Collections pertaining to security
      automation information to co-exist alongside Collections of other
      non-ROLIE information within the same AtomPub instance.

   o  The app:categories element in an app:collection may include
      additional atom:category elements using a scheme other than
      "urn:ietf:params:rolie:information-type".  This allows other
      category metadata to be included.

5.2.  Service Discovery

   This specification requires that an implementation MUST publish an
   Atom Service Document that describes the set of security information
   sharing collections that are provided by the repository.

   The service document SHOULD be discoverable via the organization's
   Web home page or another well-known public resource.  An example of
   this can be found in appendix A.1.

   The service document SHOULD (TODO: MUST?) be located at the
   standardized location "https://{host:port}/rolie/servicedocument",
   where {host:port} is the authority portion of the URI.  Dereferencing
   this URI MAY result in a redirect based on these IODEF
   classes.

5.5. a HTTP 3xx status code to
   direct the client to the actual service document.  This allows
   clients to have a well-known location to find a ROLIE service
   document, while giving implmentations flexibility over how the
   service is deployed.

   When deploying a service document for use by a closed consortium, the
   service document MAY also be digitally signed and/or encrypted.

5.3.  Transport Layer Security

   Implementations MUST support server-authenticated TLS.

   Implementations MAY support mutually authenticated TLS.

   Implementations MAY support client authenticated TLS.

5.4.  User Authentication

   Implementations MUST support user authentication.  User
   authentication MAY be enabled for specific feeds.

   Implementations MAY support more than one client authentication
   method.

   Servers participating in an information sharing consortium and
   supporting interactive user logins by members of the consortium
   SHOULD support client authentication via a federated identity scheme
   as per SAML 2.0.

   Implementations MAY support client authenticated TLS.

5.6.

5.5.  User Authorization

   This document does not mandate the use of any specific user
   authorization mechanisms.  However, service implementers SHOULD
   provide appropriate authorization checking for all resource accesses,
   including individual Atom Entries, Atom Feeds, and Atom Service
   Documents.

   Authorization for a resource MAY be adjudicated based on the value(s)
   of the associated Atom <category> element(s).

   When the content model

5.6.  / (forward slash) Resource URL

   The "/" resource MAY be provided for the Atom <content> element compatibility with existing
   deployments that are using Transport of Real-time Inter-network
   Defense (RID) Messages over HTTP/TLS [RFC6546].  Consistent with
   RFC6546 errata, a client requesting a GET on "/" MUST receive an Atom
   Entry contains an <IODEF-Document>, then authorization MUST be
   adjudicated based upon the Atom <category> element(s), whose values
   have been mapped as per Section 5.10.

   Any use of the <category> element(s) as an input HTTP
   status code 405 Method Not Allowed.  An implementation MAY provide
   full support for RFC6546 such that a POST to "/" containing a
   recognized RID message type just works.  Alternatively, a client
   requesting a POST to "/" MAY receive an authorization
   policy decision MUST include both HTTP status code 307
   Temporary Redirect.  In this case, the "scheme" and "term" attributes
   contained therein.  As described location header in Section 5.10 below, the namespace HTTP
   response will provide the URL of the "term" attribute is scoped by appropriate RID endpoint, and
   the associated "scheme"
   attribute.

5.7.  Content Model

   Member entry resources providing a representation of an incident client may repeat the POST method at the indicated location.
   This resource (e.g., as specified in could also leverage the link relation type) new draft by reschke that
   proposes HTTP status code 308 (cf: draft-reschke-http-status-
   308-07.txt).  TODO

5.7.  HTTP methods

   Clients MUST use the
   IODEF schema be capable of recognizing and processing any standard
   HTTP status code, as the content model defined in [RFC5023] Section 5

6.  ROLIE Requirements for the Atom Entry <content>
   element.

   Member Entry resources providing Syndication Format

   This section describes a representation number of an indicator
   resource (e.g., as specified in restrictions of and extensions to
   the link relation type) MUST use Atom Syndication Format [RFC4287] that define the
   IODEF schema as use of that
   format in the content model for context of a ROLIE-based solution.

6.1.  Use of the "atom:feed" element

   As described in RFC4287 section 4.1.1 [RFC4287], an Atom Entry <content>
   element.

   The resource representation MAY include Feed is an appropriate indicator
   schema type within
   XML-based document format that describes a list of related
   information items, also known as a collection.  Each Feed document,
   represented using the <AdditionalData> element atom:feed element, contains a collection of
   zero or more related information items individually called a "member
   entry" or "entry".

   When applied to the IODEF Incident
   class.  Supported indicator schema types SHALL be registered via problem domain of security automation information
   sharing, an
   IANA table (todo: IANA registration/review).

   Member Entry Atom Feed may be used to represent any meaningful
   collection of security automation information resources providing including a representation
   set of a RID report
   resource (e.g., as specified configuration checklists or software vulnerabilities.  Each
   entry in the link relation type) MUST use the
   RID schema an atom:feed represents an individual resource, such as the content model for the Atom Entry <content> element.

   Member Entry resources providing representation a
   specific checklist or software vulnerability record.  Additional
   Feeds can be used to represent collections of other types,
   SHOULD use the schema appropriate for their data category as the
   content model for meaningful and
   useful security automation resources.

   This Atom feed definition represents a stricter definition of the
   Atom Entry <content> entry element.  These data
   categories SHALL be registered via an IANA table.

   The <content>  Any element not specified here inherits its
   definition and requirements from RFC 4287.

      atomFeed =
         element atom:feed {
            atomCommonAttributes,
            (atomAuthor*
             & atomCategory+
             & atomContributor*
             & atomGenerator?
             & atomIcon?
             & atomId
             & atomLink*
             & atomLogo?
             & atomRights?
             & atomSubtitle?
             & atomTitle
             & atomUpdated
             & extensionElement*),
            atomEntry*
         }

6.1.1.  Use of the Atom entry MUST "atom:category" Element

   An atom:feed may be categorized and may contain an appropriate
   XML namespace declaration.

5.8.  HTTP methods

   The following table defines information from zero
   or more categories.  In Atom the HTTP [RFC7235] uniform interface
   methods supported by this specification:

   +--------+----------------------------------------------------------+
   | HTTP   | Description                                              |
   | method |                                                          |
   +--------+----------------------------------------------------------+
   | GET    | Returns a representation naming scheme and the semantic
   meaning of the terms used to identify an individual member entry   |
   |        | resource, or a feed collection.                          |
   | PUT    | Replaces Atom category are
   application-defined.

   The following restrictions are imposed on the current representation use of the specified     |
   |        | member entry resource with the representation provided   |
   |        |
   atom:category element when used in the HTTP request body.                                |
   | POST   | Creates a new instance of ROLIE atom:feed:

   o  An atom:feed element MUST minimally contain a member entry resource. The   |
   |        | representation of the new resource is provided in the    |
   |        | HTTP request body.                                       |
   | DELETE | Removes the indicated member entry resource, or feed     |
   |        | collection.                                              |
   | HEAD   | Returns metadata about single atom:category
      element with the member entry resource, or     |
   |        | feed collection, contained in HTTP response headers.     |
   | PATCH  | Support TBD.                                             |
   +--------+----------------------------------------------------------+

       Table 1: Uniform Interface for Resource-Oriented Lightweight
                            Indicator Exchange

   Clients MUST be capable "scheme" attribute value of recognizing and prepared to process any
   standard HTTP status code,
      "urn:ietf:params:rolie:information-type".  This category MUST have
      an appropriate "term" attribute value as defined in [RFC7235]

5.9.  Service Discovery section 8.2.
      This specification requires ensures that a implementation given Collection corresponds to a specific
      type of security automation information.  All member entries in
      the collection MUST publish an
   Atom Service Document represent security automation information
      records of this information type.

   o  Any atom:feed element that describes does not contain a child atom:category
      element with the set "scheme" attribute value of cyber
      "urn:ietf:params:rolie:information-type" MUST NOT be considered a
      ROLIE Collection.  This allows Feeds pertaining to security
      automation information sharing feeds that to co-exist alongside Feeds of other non-
      ROLIE information within the same AtomPub instance.

   o  An atom:feed may include additional atom:category elements using a
      scheme other than "urn:ietf:params:rolie:information-type".  This
      allows other category metadata to be included.

6.1.2.  Use of the "atom:link" Element

   Link relations defined by the atom:link element are provided.

   The service document SHOULD used to represent
   state transitions using a stateless approach.  In Atom a type of link
   relationship can be discoverable via defined using the organization's
   Web home page or another well-known public resource.

5.9.1.  Workspaces "rel" attribute.  The service document MAY include multiple workspaces.  Any producer
   providing both public feeds and private consortium feeds MUST place
   these different classes of feeds into different workspaces, and following
   are link relations that provide appropriate descriptions and naming conventions state transitions related to indicate
   the intended audience of each workspace.

5.9.2.  Collections

   An implementation MAY provide any number of collections within a
   given Workspace.  It is RECOMMENDED that each collection appear in
   only a single Workspace.  It is RECOMMENDED that at least one
   collection be provided ROLIE
   Atom feed.

   o  "service" - Indicates that accepts new incident reports from users.
   At least one collection MUST provide a feed of incident information
   for which the content model for the entries uses the IODEF schema.
   The title href value of this collection SHOULD be "Incidents".

5.9.3.  Service Document Security

   Access to the service document MUST be protected via server-
   authenticated TLS and a server-side certificate.

   When deploying a service document for use by link identifies a closed consortium, the
   service document MAY also
      resource IRI that can be digitally signed and/or encrypted, using
   XML DigSig and/or XML Encryption, respectively.

5.10.  Category Mapping

   This section defines normative requirements for mapping IODEF
   metadata used to corresponding Atom category elements. (todo: decide
   between IANA registration of scheme, or use a full URI).

5.10.1.  Collection Category

   An retrieve an Atom collection MAY hold entries from Service Document
      associated with the feed.  A feed MUST include one or more categories. links
      with rel="service" to point to the service document(s) that are
      associated with the feed.  The
   collection category set MUST contain at least "service" link relationship type is
      defined in the IANA Link Relations Registry [1].

   o  "search" - Indicates that the union href value of all the
   member entry categories.  A collection MAY have additional category
   metadata link identifies a
      resource IRI that are unique can be used to search through the collection, containing
      feed and not applicable to any
   individual member entry. related resources.  A collection containing IODEF incident
   content MUST contain at least two <category> elements.  One category
   MUST be specified feed MAY include one or more links
      with rel="search" to point TBD.  The "search" link relationship
      type is defined in the value of IANA Link Relations Registry [2].

   An atom:feed MAY include additional link relationships not specified
   in this document.  If a client encounters an unknown link
   relationship type, the "scheme" attribute as
   "restriction".  One category client MUST be specified with ignore the value of unrecognized link and
   continue processing the
   "scheme" attribute remaining resource representation as "purpose". if the
   unrecognized link element did not appear.

   The value Feed Paging and Archiving [RFC5005] Atom extension provides
   capabilities for paging and archiving of feeds.

   A atom:feed can contain an arbitrary number of entries.  In some
   cases, a complete feed may consist of a large number of entries.
   Additionally, as new and updated entries are ordered at the "fixed" attribute
   for both beginning
   of these category elements MUST a feed, a client may only be "yes".  When interested in retriving the category
   scheme="restriction", first X
   entries in a feed to process only the allowable values for entries that have changed since
   the "term" attribute
   are constrained as per last access to a ROLIE repository feed.  As a practical matter,
   the full result set will likely need to be divided into more
   manageable portions.  Based on RFC5005 section 3.2 of IODEF, e.g. public, need-to-
   know, private, default.  When 3 [RFC5005], the category scheme="purpose", links
   SHOULD be included in all feeds to support paging using the
   allowable values following
   link relation types:

   o  "first" - Indicates that the href value of the link identifies a
      resource IRI for the "term" attribute are constrained as per
   section 3.2 furthest preceding page of IODEF, e.g. traceback, mitigation, reporting, other.

5.10.2.  Entry Category

   An Atom entry containing IODEF content MUST contain at least two
   <category> elements.  One category MUST be specified with the feed.

   o  "last" - Indicates that the href value of the "scheme" attribute as "restriction".  One category MUST be
   specified with link identifies a
      resource IRI for the value furthest following page of the "scheme" attribute as "purpose".
   When the category scheme="restriction", feed.

   o  "previous" - Indicates that the href value of the "term"
   attribute must be exactly one link identifies
      a resource IRI for the immediately preceeding page of ( public, need-to-know, private,
   default).  When the category scheme="purpose", feed.

   o  "next" - Indicates that the href value of the
   "term" attribute must be exactly one link identifies a
      resource IRI for the immediately following page of (traceback, mitigation,
   reporting, other).  When the purpose is "other"....

   Any member entry MAY have any number feed.

   For example:

     <?xml version="1.0" encoding="UTF-8"?>
     <feed xmlns="http://www.w3.org/2005/Atom">
         <title>Paged Feed</title>
         <link rel="self" href="http://example.org/feedA?page=5"/>
         <link rel="first" href="http://example.org/feedA?page=1"/>
         <link rel="prev" href="http://example.org/feedA?page=4"/>
         <link rel="next" href="http://example.org/feedA?page=6"/>
         <link rel="last" href="http://example.org/feedA?page=10"/>
         <updated>2012-05-04T18:13:51.0Z</updated>

         <!-- remainder of additional categories.

5.11.  Entry ID

   The ID element for an Atom entry SHOULD feed elements -->
     </feed>

                            Example Paged Feed

   An historical feed may need to be established via stable, and/or divided into some
   defined epochs.  Implementations SHOULD support the
   concatenation mechanisms
   described in RFC5005 section 4 [RFC5005] to provide capabilities for
   maintaining archiving of the value feeds.

6.1.3.  Use of the name attribute from the IODEF
   <IncidentID> "atom:updated" Element

   The atom:updated element and MUST be populated with the corresponding value current time at
   the instant the feed representation was last updated by adding,
   updating, or deleting an entry; or changing any metadata for the
   feed.

6.2.  Use of the <IncidentID>
   element.  This requirement ensures a simple and direct one-to-one
   relationship between "atom:entry" Element

   Each entry in an IODEF incident ID and Atom feed, represented by the atom:entry element,
   describes a corresponding Feed
   entry ID single information record, format, and avoids type combination.
   The following atom:entry schema definition represents a stricter
   representation of the need atom:entry element defined in RFC 4287 for any system to maintain use
   in a persistent
   store ROLE-based Atom Feed.

     atomEntry =
       element atom:entry {
         atomCommonAttributes,
         (atomAuthor*
         & atomCategory*
         & atomContent
         & atomContributor*
         & atomId
         & atomLink*
         & atomPublished?
         & atomRights?
         & atomSource?
         & atomSummary?
         & atomTitle
         & atomUpdated
         & rolieFormat
         & extensionElement*)
     }

6.2.1.  Use of these identity mappings.

   (todo: Note that the "atom:content" Element

   There MUST be exactly one atomContent element in the entry.  The
   content element MUST adhere to this implies a constraint on definition:

     atomContent =
       element atom:content {
         atomCommonAttributes,
         attribute type { atomMediaType },
         attribute src { atomUri },
         empty
     }

   The type attribute MUST be the IODEF document that serialization type of the content, for
   example, XML or JSON.  The src attribute is more restrictive than a link to the current IODEF schema.  IODEF section 3.3
   requires only that payload.

6.2.2.  Use of the name "atom:link" Element

   There MAY be a STRING type.  Here we are stating
   that name must be an IRI.  Possible request to update IODEF to
   constrain, or to support a new element zero or attribute).

5.12.  Entry Content more atom:link elements in the entry.  The <content>
   content element of an Atom <entry> SHOULD include an IODEF
   document. MUST adhere to this definition:

   The <entry> link element SHOULD include an appropriate XML
   namespace declaration for follows the IODEF schema. definition laid out in the Atom
   Syndication Document.

   If there entries with the content model same format and category but a different
   type, it MUST be linked to using the "alternate" link relation.

6.2.3.  Use of the <entry> "rolie:format" Element

   There MUST be exactly one rolie:format element does not follow in the IODEF schema, then Entry.  This
   format SHOULD be one of the
   <entry> element MUST include an appropriate XML namespace
   declaration.

   A client MAY ignore content that formats listed under the category of this
   entry as discussed in the and Content Model section.  The format is not using
   contained in the IODEF schema.

5.13. content of this tag.

6.3.  Link Relations

   In addition to the standard Link Relations defined by the Atom
   specification, this specification defines the following additional
   Link Relation terms, which are introduced specifically in support of
   the Resource-Oriented Lightweight Information Exchange protocol.

   +-----------------------+-----------------------------+-------------+
   | Name                  | Description                 | Conformance |
   +-----------------------+-----------------------------+-------------+
   | service               | Provides a link

   TODO: This section needs to an atom  | be expanded.

7.  Use of OpenSearch

   Implementers MUST        |
   |                       | service document associated |             |
   |                       | with support OpenSearch 1.1 [opensearch] as the collection feed.   |             |
   |
   mechanism for describing how clients may form search                | Provides requests.

   Implementers MUST provide a link to with a relationship type of
   "search".  This link SHALL return an       | MUST        |
   |                       | associated Open Search      |             |
   |                       | document that describes a   |             |
   |                       | Description Document
   as defined in OpenSearch 1.1.

   Implementers MUST fully qualify all OpenSearch URL template for search     |             |
   |                       | queries.                    |             |
   | history               | Provides parameter
   names using the defined XML namespaces, as appropriate.

8.  Characterizing ROLIE Collections and Resources

   This specification does not require a link to a        | MUST        |
   |                       | collection of zero particular security automation
   information type or more  |             |
   |                       | historical entries that are |             |
   |                       | associated with the         |             |
   |                       | resource.                   |             |
   | incidents             | Provides a link content format; rather, it provides extension
   points using IANA tables to a        | MUST        |
   |                       | collection of zero or more  |             |
   |                       | instances allow for future extensions of incident       |             |
   |                       | representations associated  |             |
   |                       | with supported
   information types and formats.

   A given security automation information type is respresented using
   the resource.          |             |
   | indicators            | Provides "atom:category" element.  In this way, an "atom:category" element
   can be used to:

   1.  identify that an "app:collection" element in a link Service Document
       points to an Atom feed that contains entries pertaining to a        | MUST        |
   |                       | collection
       specific type of zero security automation information (see section
       5.1.2), or more  |             |
   |                       | instances

   2.  identify that an "atom:feed" element in an Atom feed contains
       entries pertaining to a specific type of cyber security |             |
   |                       | indicators that are         |             |
   |                       | associated with the         |             |
   |                       | resource.                   |             |
   | automation
       information           | Provides (see section 6.1.1).

   As mentioned earlier, a link key goal of this specification is to allow a        | MUST        |
   |                       | collection of zero or more  |             |
   |                       | instances of cyber
   consumer to identify security |             |
   |                       | automation information that is         |             |
   |                       | associated with the         |             |
   |                       | resource.                   |             |
   | evidence              | Provides resources of
   interest, and then choose a link suitable format of the information to
   retrieve.  For a        | SHOULD      |
   |                       | collection given type of zero or more  |             |
   |                       | resources security automation information, it is
   expected that provides     |             |
   |                       | some proof a number of attribution   |             |
   |                       | for an incident. The        |             |
   |                       | evidence may or different formats may not     |             |
   |                       | have any identified chain   |             |
   |                       | of custody.                 |             |
   | campaign              | Provides a link be used to a        | SHOULD      |
   |                       | collection of zero or more  |             |
   |                       | resources represent
   this information.  To support this use case, both the serialization
   format and the specific data model expressed in that provides format must be
   known by the consumer.

   The following sections describe how information types are defined and
   used, and how specific content formats are declared in ROLIE.

8.1.  Identification of Security Automation Information Types

   A security automation information type represents a   |             |
   |                       | representation class of
   information that represents the       |             |
   |                       | associated cyber attack     |             |
   |                       | campaign.                   |             |
   | attacker              | Provides a link to a        | SHOULD      |
   |                       | collection same or similar information model
   [RFC3444].  Notional examples of zero information types include:

   indicator:  Computing device- or more  |             |
   |                       | resources network-related "observable features
       and phenomenon that provides a   |             |
   |                       | representation of aid in the       |             |
   |                       | attacker.                   |             |
   | vector                | Provides a link forensic or proactive detection of
       malicious activity; and associated meta-data" (from
       [I-D.ietf-mile-rfc5070-bis]).

   incident:  Information pertaining to and "derived analysis from
       security incidents" (from [I-D.ietf-mile-rfc5070-bis]).

   vulnerability reports:  Information identifying and describing a        | SHOULD      |
   |                       | collection of zero
       vulnerability in hardware or more  |             |
   |                       | resources software.

   configuration checklists:  Content that provides a   |             |
   |                       | representation of the       |             |
   |                       | method can be used by to assess the          |             |
   |                       | attacker.                   |             |
   | assessments           | Provides a link
       configuration settings related to installed software.

   software tags:  Metadata used to identify and characterize
       installable software.

   This is a        | SHOULD      |
   |                       | collection of zero or more  |             |
   |                       | resources that represent    |             |
   |                       | the results of executing a  |             |
   |                       | benchmark.                  |             |
   | reports               | Provides a link short list to a        | SHOULD      |
   |                       | collection of zero or more  |             |
   |                       | resources that represent    |             |
   |                       | RID reports.                |             |
   | traceRequests         | Provides a link inspire thought on possible information
   types, which will also include other information used to a        | SHOULD      |
   |                       | collection of zero automate
   security processes.

   This document does not specific any information types.  Instead,
   information types in ROLIE are expected to be defined in extension
   documents that describe one or more  |             |
   |                       | resources that represent    |             |
   |                       | RID traceRequests.          |             |
   | investigationRequests | Provides a new information types.  This
   allows the information types used by ROLIE implementations to grow
   over time to support new security automation use cases.  These
   extension documents may also enhance ROLIE resource representations
   by defining link relations, categories, and other AtomPub and Atom
   Syndication Format data model extensions to a        | SHOULD      |
   |                       | collection address the
   representational needs of zero or more  |             |
   |                       | resources that represent    |             |
   |                       | RID investigationRequests.  |             |
   +-----------------------+-----------------------------+-------------+
    Table 2: Link Relations for Resource-Oriented Lightweight Indicator
                                 Exchange

   Unless specifically registered with specific information types.  New
   information types are added to ROLIE through registrations to the
   IANA these short names MUST be
   fully qualified via concatenation with a base-uri.  An appropriate
   base-uri could Security Resource Information Type registry defined in section
   10.3.

8.2.  General Use of the "atom:category" Element

   The core extension point within this specification is the ability to
   define different security automation information types, which can be established via agreement amongst
   used to characterize the members type of an information sharing consortium.  For example, the rel="indicators"
   relationship would become
   rel="http://www.example.org/rolie/incidents/relationships/
   indicators."

5.13.1.  Additional Link Relation Requirements

   An IODEF document that is carried contained in an Atom Entry SHOULD NOT contain a <relatedActivity> element.  Instead, the related activity SHOULD be
   available via ROLIE
   resource collection.  The information type of a link rel=related.

   An IODEF document that resource collection
   is carried in characterized using an Atom Entry SHOULD NOT contain
   a <history> element.  Instead, the related history SHOULD be
   available via "atom:category" element with a link rel="history" (todo: or "scheme"
   attribute value of "urn:ietf:params:rolie:information-type", and a fully qualified link
   rek name).  The associated href MAY leverage OpenSearch to specify
   "term" attribute value identifying the required query.

   An Atom Entry MAY include additional link relationships not specified
   here.  If a client encounters a link relationship of an unknown specific information type
   declared.

   For example, the client MUST ignore the offending link and continue processing the
   remaining resource representation security automation information type "incident"
   would be identified as follows:

      <atom:category scheme="urn:ietf:params:rolie:information-type"
      term="incident"/>

   The Uniform Resource Name (URN) [RFC2141]
   "urn:ietf:params:rolie:information-type" is registered with IANA as if the offending link element
   did not appear.

5.14.  Member Entry Forward Security

   As
   described in Authorization Policy Enforcement a RESTful model for
   cyber section 10.2.

   Registered security automation information sharing requires that all type values are defined in
   the IANA table described in section 10.3.

8.3.  Identification of Security Automation Information Formats

   A given information type may have a number of supported formats.
   Each format is expected to have a specification that defines the required
   security enforcement data
   model for feeds and entries MUST be enforced at the
   source system, at format.  As described in section 6.2.3, the point
   "rolie:format" element is used to describe the representation of specific data model
   used to represent the resource referenced by a given
   resource(s) is created.  A provider SHALL NOT return any feed content "atom:entry".
   By declaring the data model used in this way, a consumer can choose
   to download or member entry content ignore the resource, or look for which alternate formats.
   This saves the client identity has not been
   specifically authenticated, authorized, consumer from downloading and audited.

   Sharing communities that have a requirement for forward message
   security (such parsing resources that
   the consumer is not interested in or resources expressed in formats
   that client systems are required not understandable by the consumer.

   TODO: Need to participate in
   providing message level security and/or distributed authorization
   policy enforcement), MUST describe the structure and use of the RID rolie:format
   element.

9.  Formal Syntax for the ROLIE Schema

   TODO: define a schema for the "rolie:format" element.

10.  IANA Considerations TODO

   This document defines a resource-oriented approach to security
   information sharing, where such information may include a variety of
   security resource categories, such as software identifiers (e.g.
   tags), incident reports, configuration assessment guidance,
   vulnerability assessment guidance, and so on.

   TODO: Complete registration request specifics.

10.1.  XML Namespaces and Schema URNs

   This document uses URNs to describe XML namespaces and XML schemas
   conforming to a registry mechanism described in [RFC3688].

   ROLIE XML Namespace  The ROLIE namespace (rolie-1.0) has been
       registered in the content model for "ns" registry.

       URI: urn:ietf:params:xml:ns:rolie-1.0

       Registrant Contact: IESG

       XML: None.  Namespace URIs do not represent an XML specification.

   ROLIE XML Schema  The ROLIE schema (rolie-1.0) has been registered in
       the member "schema" registry.

       URI: urn:ietf:params:xml:schema:rolie-1.0

       Registrant Contact: IESG

       XML: See section 9 of this document.

10.2.  ROLIE Parameters

   ROLIE uses URNs to represent category schemes.  This section creates
   and registers an IETF URN sub-namespace for use in ROLIE
   specifications and future extensions.

   TODO: Add entry <content> element.

5.15.  Date Mapping for: "urn:ietf:params:rolie:category:information-
   type"

10.3.  Security Resource Information Type Registry

   This document creates the following registry for IANA to manage:

      Name of Registry: "Security Resource Information Type"

      Location of Registry: https://www.iana.org/assignments/security-
      resource-information-type

      Fields to record in the registry:

         Full Name: The Atom feed <updated> element MUST be populated with full name of the current
   time at security resource information
         type as a string from the instant printable ASCII character set RFC0020
         with individual embedded spaces allowed.  The ABNF RFC5234
         syntax for this field is:

            1*VCHAR *(SP 1*VCHAR)

         Security Resource Index: This is an IANA-assigned positive
         integer that identifies the feed representation was generated. registration.  The Atom first entry <published> element MUST be populated with
         added to this registry uses the same time value
   as 1, and this value is
         incremented for each subsequent entry added to the <reportTime> element from registry.

         Description: A complete description of the IODEF document.

5.16.  Search

   Implementers MUST support OpenSearch 1.1 [opensearch] security resource
         information type as the
   mechanism for describing how clients may form search requests.

   Implementers MUST provide a link string from the printable ASCII character
         set RFC0020 with a relationship type individual embedded spaces allowed.  The ABNF
         RFC5324 syntax for this field is:

            1*VCHAR *(SP 1*VCHAR)

         Specification URI/Reference: A list of
   "search".  This link SHALL return an Open Search Description Document
   as defined in OpenSearch 1.1.

   Implementers MUST support an OpenSearch 1.1 compliant search URL
   template that enables a search query via Atom Category, including one or more URIs
         [RFC3986] from which the
   scheme attribute registered specification can be
         obtained.  The registered specification MUST be readily and terms attribute as search parameters.

   Implementers
         publicly available from that URI.  The URI SHOULD support search based upon the IODEF AlternativeID
   class as be a search parameter.

   Implementers SHOULD support search based upon the four timestamp
   elements of stable
         reference.

      Initial registry contents: None.

      Allocation Policy: Specification required RFC5226 (which implies
      expert review RFC5226).

   The Designated Expert is expected to consult with the IODEF MILE (Managed
   Incident class: <startTime>, <EndTime>,
   <DetectTime>, and <ReportTime>.

   Implementers MAY support additional search capabilities based upon Lightweight Exchange) working group or is successor if any of
   such WG exists (e.g., via email to the remaining elements of working group's mailing list).
   The Designated Expert is expected to review the IODEF Incident class, including request and validate
   the <Description> element.

   Collections that support use appropriateness of the RID schema as a content model in name, description, and associated
   specifications for the security resource category.

11.  Security Considerations TODO

   This document defines a resource-oriented approach to lightweight
   information exchange using HTTP, TLS, Atom member entry <content> element (e.g. Syndicate Format, and Atom
   Publishing Protocol.  As such, implementers must understand the
   security considerations described in those specifications.

   In addition, there are a report resource
   representation reachable via the "report" link relationship) MUST
   support search operations number of additional security considerations
   that include the RID MessageType as a
   search parameter, in addition are unique to the aforementioned IODEF schema
   elements, as contained within the <ReportSchema> element.

   Implementers MUST fully qualify this specification.

   The approach described herein is based upon all OpenSearch URL template parameter
   names using the defined IODEF or RID XML namespaces, as appropriate.

5.17.  / (forward slash) Resource URL

   The "/" resource MAY be provided for compatibility with existing
   deployments that are using Transport of Real-time Inter-network
   Defense (RID) Messages over HTTP/TLS [RFC6546].  Consistent with
   RFC6546 errata, a client requesting a GET on "/" MUST receive an HTTP
   status code 405 Method Not Allowed.  An implementation MAY provide
   full support for RFC6546 such that a POST to "/" containing a
   recognized RID message type just works.  Alternatively, a client
   requesting a POST to "/" MAY receive an HTTP status code 307
   Temporary Redirect.  In this case, the location header in the HTTP
   response will provide the URL of the appropriate RID endpoint, and
   the client may repeat the POST method at the indicated location.
   This resource could also leverage the new draft by reschke that
   proposes HTTP status code 308 (cf: draft-reschke-http-status-
   308-07.txt).

6.  Security Considerations TODO

   This document defines a resource-oriented approach to lightweight
   information exchange using HTTP, TLS, Atom Syndicate Format, and Atom
   Publishing Protocol.  As such, implementers must understand the
   security considerations described in those specifications.

   In addition, there are a number of additional security considerations
   that are unique to this specification.

   The approach described herein is based upon all policy enforcements
   being implemented at policy enforcements
   being implemented at the point when a resource representation is
   created.  As such, producers sharing cyber security information using
   this specification must take care to authenticate their HTTP clients
   using a suitably strong user authentication mechanism.  Sharing
   communities that are exchanging information on well-known indicators
   and incidents for purposes of public education may choose to rely
   upon, e.g.  HTTP Authentication, or similar.  However, sharing
   communities that are engaged in sensitive collaborative analysis and/
   or operational response for indicators and incidents targeting high
   value information systems should adopt a suitably stronger user
   authentication solution, such as TLS client certificates, or a risk-
   based or multi-factor approach.  In general, trust in the sharing
   consortium will depend upon the members maintaining adequate user
   authentication mechanisms.

   Collaborating consortiums may benefit from the adoption of a
   federated identity solution, such as those based upon SAML-core

   [SAML-core] and SAML-bind [SAML-bind] and SAML-prof [SAML-prof] for
   Web-based authentication and cross-organizational single sign-on.
   Dependency on a trusted third party identity provider implies that
   appropriate care must be exercised to sufficiently secure the
   Identity provider.  Any attacks on the federated identity system
   would present a risk to the CISRT, CSIRT, as a relying party.  Potential
   mitigations include deployment of a federation-aware identity
   provider that is under the control of the information sharing
   consortium, with suitably stringent technical and management
   controls.

   Authorization of resource representations is the responsibility of
   the source system, i.e. based on the authenticated user identity
   associated with an HTTP(S) request.  The required authorization
   policies that are to

   All security measures MUST be enforced must therefore be managed by the
   security administrators of at the source system.  Various authorization
   architectures source, that is, a
   provider SHALL NOT return any feed content or member entry content
   for which the client identity has not been specifically
   authenticated, authorized, and audited.

   Sharing communities that have a requirement for forward message
   security (such that client systems are required to participate in
   providing message level security and/or distributed authorization
   policy enforcement), MUST use TODO.

   The implementation details of the authorization scheme chosen by a
   ROLIE-compliant provider are out of scope for this specification.
   Implementers are free to choose any suitable authorization mechanism
   that is capable of fulfilling the policy enforcement requirements
   relevant to their consortium and/or organization.

   Authorization of resource representations is the responsibility of
   the source system, i.e. based on the authenticated user identity
   associated with an HTTP(S) request.  The required authorization
   policies that are to be enforced must therefore be managed by the
   security administrators of the source system.  Various authorization
   architectures would be suitable for this purpose, such as RBAC [1] [3]
   and/or ABAC, as embodied in XACML [XACML].  In particular,
   implementers adopting XACML may benefit from the capability to
   represent their authorization policies in a standardized,
   interoperable format.

   Additional security requirements such as enforcing message-level
   security at the destination system could supplement the security
   enforcements performed at the source system, however these
   destination-provided policy enforcements are out of scope for this
   specification.  Implementers requiring this capability should
   consider leveraging, e.g. the <RIDPolicy> element in the RID schema.
   Refer to RFC6545 section 9 for more information.

   When security policies relevant to the source system are to be
   enforced at both the source and destination systems, implementers
   must take care to avoid unintended interactions of the separately
   enforced policies.  Potential risks will include unintended denial of
   service and/or unintended information leakage.  These problems may be
   mitigated by avoiding any dependence upon enforcements performed at
   the destination system.  When distributed enforcement is unavoidable,
   the usage of a standard language (e.g.  XACML) for the expression of
   authorization policies will enable the source and destination systems
   to better coordinate and align their respective policy expressions.

   Adoption of the information sharing approach described in this
   document will enable users to more easily perform correlations across
   separate, and potentially unrelated, cyber security information
   providers.  A client may succeed in assembling a data set that would
   not have been permitted within the context of the authorization
   policies of either provider when considered individually.  Thus,
   providers may face a risk of an attacker obtaining an access that
   constitutes an undetected separation of duties (SOD) violation.  It
   is important to note that this risk is not unique to this
   specification, and a similar potential for abuse exists with any
   other cyber security information sharing protocol.  However, the wide
   availability of tools for HTTP clients and Atom feed handling implies
   that the resources and technical skills required for a successful
   exploit may be less than it was previously.  This risk can be best
   mitigated through appropriate vetting of the client at account
   provisioning time.  In addition, any increase in the risk of this
   type of abuse should be offset by the corresponding increase in
   effectiveness that this specification affords to the defenders.

   While it is a goal of this specification to enable more agile cyber
   security information sharing across a broader and varying
   constituency, there is nothing in this specification that necessarily
   requires this type of deployment.  A cyber security information
   sharing consortium may chose to adopt this specification while
   continuing to operate as a gated community with strictly limited
   membership.

7.  IANA Considerations TODO

   TODO.

8.

12.  Acknowledgements

   The author gratefully acknowledges the valuable contributions of Tom
   Maguire, Kathleen Moriarty, and Vijayanand Bharadwaj.  These
   individuals provided detailed review comments on earlier drafts, and
   many suggestions that have helped to improve this document .

9.

13.  References

9.1.
13.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC7235]

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004,
              <http://www.rfc-editor.org/info/rfc3688>.

   [RFC3986]  Berners-Lee, T., Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Authentication", L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 7235, 3986, DOI 10.17487/RFC7235, June 2014,
              <http://www.rfc-editor.org/info/rfc7235>. 10.17487/RFC3986, January 2005,
              <http://www.rfc-editor.org/info/rfc3986>.

   [RFC4287]  Nottingham, M., Ed. and R. Sayre, Ed., "The Atom
              Syndication Format", RFC 4287, DOI 10.17487/RFC4287,
              December 2005, <http://www.rfc-editor.org/info/rfc4287>.

   [RFC5005]  Nottingham, M., "Feed Paging and Archiving", RFC 5005,
              DOI 10.17487/RFC5005, September 2007,
              <http://www.rfc-editor.org/info/rfc5005>.

   [RFC5023]  Gregorio, J., Ed. and B. de hOra, Ed., "The Atom
              Publishing Protocol", RFC 5023, DOI 10.17487/RFC5023,
              October 2007, <http://www.rfc-editor.org/info/rfc5023>.

   [RFC5070]  Danyliw, R., Meijer, J., and Y. Demchenko, "The Incident
              Object Description Exchange Format", RFC 5070,
              DOI 10.17487/RFC5070, December 2007,
              <http://www.rfc-editor.org/info/rfc5070>.

   [RFC6545]  Moriarty, K., "Real-time

   [RFC6546]  Trammell, B., "Transport of Real-time Inter-network
              Defense (RID)", (RID) Messages over HTTP/TLS", RFC 6545, 6546,
              DOI 10.17487/RFC6545, 10.17487/RFC6546, April 2012,
              <http://www.rfc-editor.org/info/rfc6545>.
              <http://www.rfc-editor.org/info/rfc6546>.

   [W3C.REC-xml-names-20091208]
              Bray, T., Hollander, D., Layman, A., Tobin, R., and H.
              Thompson, "Namespaces in XML 1.0 (Third Edition)", World
              Wide Web Consortium Recommendation REC-xml-names-20091208,
              December 2009,
              <http://www.w3.org/TR/2009/REC-xml-names-20091208>.

   [relax-NG]
              Clark, J., Ed., "RELAX NG Compact Syntax", 11 2002,
              <https://www.oasis-open.org/committees/relax-ng/compact-
              20021121.html>.

   [opensearch]
              Clinton, D., "OpenSearch 1.1 draft 5 specification", OASIS
              Committee Specification saml-core-2.0-os, 2011,
              <http://www.opensearch.org/Specifications/OpenSearch/1.1>.

   [SAML-core]
              Cantor, S., Kemp, J., Philpott, R., and E. Mahler, Maler,
              "Assertions and Protocols Protocol for the OASIS Security Assertion
              Markup Language (SAML) V2.0", OASIS Standard saml-core-
              2.0-os, March 2005, <http://docs.oasis-
              open.org/security/saml/v2.0/saml-core-2.0-os.pdf>.

   [SAML-prof]
              Hughes, J., Cantor, S., Hodges, J., Hirsch, F., Mishra,
              P., Philpott, R., and E. Maler, "Profiles for the OASIS
              Security Assertion Markup Language (SAML) V2.0", OASIS
              Standard OASIS.saml-profiles-2.0-os, March 2005,
              <http://docs.oasis-open.org/security/saml/v2.0/
              saml-profiles-2.0-os.pdf>.

   [SAML-bind]
              Cantor, S., Hirsch, F., Kemp, J., Philpott, R., and E.
              Maler, "Bindings for the OASIS Security Assertion
              Markup Language (SAML) V2.0", OASIS Standard , March 2005,
              <http://docs.oasis-open.org/security/saml/v2.0/
              saml-core-2.0-os.pdf>.

   [SAML-prof]
              Hughes, J., Cantor, S., Hodges, J., Hirsch, F., Mishra,
              P., Philpott, R., and E. Mahler, "Profiles OASIS Security Assertion Markup
              Language (SAML) V2.0", OASIS Standard saml-bindings-
              2.0-os, March 2005, <http://docs.oasis-
              open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf>.

13.2.  Informative References

   [RFC2141]  Moats, R., "URN Syntax", RFC 2141, DOI 10.17487/RFC2141,
              May 1997, <http://www.rfc-editor.org/info/rfc2141>.

   [RFC3444]  Pras, A. and J. Schoenwaelder, "On the Difference between
              Information Models and Data Models", RFC 3444,
              DOI 10.17487/RFC3444, January 2003,
              <http://www.rfc-editor.org/info/rfc3444>.

   [RFC6545]  Moriarty, K., "Real-time Inter-network Defense (RID)",
              RFC 6545, DOI 10.17487/RFC6545, April 2012,
              <http://www.rfc-editor.org/info/rfc6545>.

   [I-D.ietf-mile-rfc5070-bis]
              Danyliw, R., "The Incident Object Description Exchange
              Format v2", draft-ietf-mile-rfc5070-bis-25 (work in
              progress), June 2016.

   [XACML]    Rissanen, E., "eXtensible Access Control Markup Language
              (XACML) Version 3.0", August 2010, <http://docs.oasis-
              open.org/xacml/3.0/xacml-3.0-core-spec-cs-01-en.pdf>.

   [REST]     Fielding, R., "Architectural Styles and the Design of
              Network-based Software Architectures", 2000,
              <http://www.ics.uci.edu/~fielding/pubs/dissertation/
              top.htm>.

13.3.  URIs

   [1] https://www.iana.org/assignments/link-relations/link-
       relations.xhtml

   [2] https://www.iana.org/assignments/link-relations/link-
       relations.xhtml

   [3] http://csrc.nist.gov/groups/SNS/rbac/

Appendix A.  Use Case Examples

A.1.  Service Discovery

   This section provides a non-normative example of a client doing
   service discovery.  TODO: Standardize location of doc?

   An Atom service document enables a client to dynamically discover
   what feeds a particular publisher makes available.  Thus, a provider
   uses an Atom service document to enable clients or other authorized
   parties to determine what specific information the provider makes
   available to the community.  The service document could be made
   available at any well known location, such as via a link from the
   CSIRT's home page.  One common technique is to include a link in the
   <HEAD> section of the organization's home page, as shown below:

   Example of bootstrapping Service Document discovery:

     <link rel="introspection"
       type="application/atomsvc+xml"
       title="Atom Publishing Protocol Service Document"
       href="/csirt/svcdoc.xml" />

   A client may then format an HTTP GET request to retrieve the service
   document:

     GET /provider/svcdoc.xml
     Host: www.example.org
     Accept: application/atomsvc+xml

   Notice the use of the HTTP Accept: request header, indicating the
   MIME type for Atom service discovery.  The response to this GET
   request will be an XML document that contains information on the
   specific feed collections that are provided by the CSIRT.

   Example HTTP GET response:

     HTTP/1.1 200 OK
     Date: Fri, 24 Aug 2012 17:09:11 GMT
     Content-Length: 570
     Content-Type: application/atomsvc+xml;charset="utf-8"

     <?xml version="1.0" encoding="UTF-8"?>
     <service xmlns="http://www.w3.org/2007/app"
         xmlns:atom="http://www.w3.org/2005/Atom"
         xmlns:xml="http://www.w3.org/XML/1998/namespace"
         xml:lang="en-US">
       <workspace>
         <atom:title type="text">Incidents</atom:title>
         <collection href="http://example.org/provider/incidents">
           <atom:title type="text">Incidents Feed</atom:title>
           <categories fixed="yes">
             <atom:category
                 scheme="urn:ietf:params:rolie:information-type"
                 term="vulnerability"/>
           </categories>
           <accept>application/atom+xml; type=entry</accept>
         </collection>
       </workspace>
     </service>

   This simple Service Document example shows that this server provides
   one workspace, named "Incidents".  Within that workspace, the
   producer makes one feed collection available.  When attempting to GET
   or POST entries to that feed collection, the client must indicate a
   content type of application/atom+xml.

   A server may also offer a number of different feeds, each containing
   different types of security automation information.  In the following
   example, the feeds have been categorized.  This categorization will
   help the clients to decide which feeds will meet their needs.

     HTTP/1.1 200 OK
     Date: Fri, 24 Aug 2012 17:10:11 GMT
     Content-Length: 1912
     Content-Type: application/atomsvc+xml;charset="utf-8"

     <?xml version="1.0" encoding='utf-8'?>
     <service xmlns="http://www.w3.org/2007/app"
         xmlns:atom="http://www.w3.org/2005/Atom">
       <workspace>
         <atom:title>Public Security Information Sharing</atom:title>
         <collection
             href="http://example.org/provider/public/vulnerabilties">
           <atom:title>Public Vulnerabilities</atom:title>
           <accept>application/atom+xml; type=entry</accept>
           <categories fixed="yes">
             <atom:category
                 scheme="urn:ietf:params:rolie:information-type"
                 term="vulnerability"/>
           </categories>
         </collection>
         <collection
             href="http://example.org/provider/public/incidents">
           <atom:title>Public Incidents</atom:title>
           <accept>application/atom+xml; type=entry</accept>
           <categories fixed="yes">
             <atom:category
                 scheme="urn:ietf:params:rolie:information-type"
                 term="incident"/>
           </categories>
         </collection>
       </workspace>
       <workspace>
         <atom:title>Private Consortium Sharing</atom:title>
         <collection
             href="http://example.org/provider/private/incidents" >
           <atom:title>Incidents</atom:title>
           <accept>application/atom+xml;type=entry</accept>
           <categories fixed="yes">
             <atom:category
                 scheme="urn:ietf:params:rolie:information-type"
                 term="incident"/>
           </categories>
         </collection>
       </workspace>
     </service>

   In this example, the CSIRT is providing a total of three feed
   collections, organized into two different workspaces.  The first
   workspace contains two feeds, consisting of publicly available
   software vulnerabilities and publicly available incidents,
   respectively.  The second workspace provides one additional feed, for
   use by a sharing consortium.  The feed contains incident information
   containing entries related to three purposes: traceback, mitigation,
   and reporting.  The entries in this feed are categorized with a
   restriction of either "Need-to-Know" or "private".  An appropriately
   authenticated and authorized client may then proceed to make GET
   requests for one or more of these feeds.  The publicly provided
   incident information may be accessible with or without
   authentication.  However, users accessing the feed targeted to the
   private sharing consortium would be expected to authenticate, and
   appropriate authorization policies would subsequently be enforced by
   the feed provider.

A.2.  Feed Retrieval

   This section provides a non-normative example of a client retrieving
   an incident feed.  TODO

   Having discovered the available security information sharing feeds,
   an authenticated and authorized client who is a member of the private
   sharing consortium may be interested in receiving the feed of known
   incidents.  The client may retrieve this feed by performing an HTTP
   GET operation on the indicated URL.

   Example HTTP GET request for a Feed:

     GET /provider/private/incidents
     Host: www.example.org
     Accept: application/atom+xml

   The corresponding HTTP response would be an XML document containing
   the incidents feed:

   Example HTTP GET response for a Feed:

  HTTP/1.1 200 OK
  Date: Fri, 24 Aug 2012 17:20:11 GMT
  Content-Length: 2882
  Content-Type: application/atom+xml;type=feed;charset="utf-8"

  <?xml version="1.0" encoding="UTF-8"?>
  <feed xmlns="http://www.w3.org/2005/Atom"
      xml:lang="en-US">

    <generator version="1.0">
        Example Provider ROLIE Feed Generator

    </generator>
    <id>http://www.example.org/provider/private/incidents</id>
    <title type="text">
        Atom formatted representation of
        a feed of XML incident documents
    </title>

    <!-- The category is taken from the related IANA table -->
    <atom:category
        scheme="urn:ietf:params:rolie:information-type"
        term="incident"/>
    <updated>2012-05-04T18:13:51.0Z</updated>
    <author>
      <email>provider@example.org</email>
      <name>Example Provider</name>
    </author>

    <!-- By convention there is usually a self link for the feed -->
    <link href="http://www.example.org/provider/private/incidents"
        rel="self" type="application/atom+xml"/>

    <entry>
      <id>
          http://www.example.org/provider/private/incidents/123456
      </id>
      <title>Sample Incident</title>

      <!-- by convention -->
      <link
          href="http://www.example.org/provider/private/incidents/12345"
          rel="self" type="application/atom+xml"/>

      <!-- required by Atom spec -->
      <link
          href="http://www.example.org/provider/private/incidents/12345"
          rel="alternate" type="xml"/>

      <published>2014-08-04T18:13:51.0Z</published>
      <updated>2014-08-05T18:13:51.0Z</updated>
      <summary>A short description of this resource</summary>
    </entry>

    <entry>
        <!-- ...another entry... -->
    </entry>

  </feed>
   This feed document has two atom entries, one of which has been
   elided.  The completed entry illustrates an Atom <entry> element that
   provides a summary of essential details about one particular
   incident.  Based upon this summary information and the provided
   category information, a client may choose to do an HTTP GET operation
   to retrieve the full details of the incident.  This example
   exemplifies the benefits a RESTful alternative has to traditional
   point-to-point messaging systems.

A.3.  Entry Retrieval

   This section provides a non-normative example of a client retrieving
   an incident as an Atom entry.  TODO

   Having retrieved the feed of interest, the client may then decide
   based on the description and/or category information that one of the
   entries in the feed is of further interest.  The client may retrieve
   this incident Entry by performing an HTTP GET operation on the
   indicated URL.

   Example HTTP GET request for an Entry:

     GET /provider/private/incidents/123456
     Host: www.example.org
     Accept: application/atom+xml

   The corresponding HTTP response would be an XML document containing
   the incident:

   Example HTTP GET response for an Entry:

    HTTP/1.1 200 OK
    Date: Fri, 24 Aug 2012 17:30:11 GMT
    Content-Length: 4965
    Content-Type: application/atom+xml;type=entry;charset="utf-8"

    <?xml version="1.0" encoding="UTF-8"?>
    <entry>
      <id>http://www.example.org/provider/private/incidents/123456</id>
      <title>Sample Incident</title>
      <!-- by convention -->
      <link href="http://www.example.org/csirt/private/incidents/123456"
        rel="self" type="application/atom+xml"/>
      <!-- required by Atom spec -->
      <link href="http://www.example.org/csirt/private/incidents/123456"
        rel="alternate" type="IODEF"/>
      <published>2012-08-04T18:13:51.0Z</published>
      <updated>2012-08-05T18:13:51.0Z</updated>
      <!-- The category is taken from the related IANA table -->
      <atom:category
          scheme="urn:ietf:params:rolie:information-type"
          term="incident"/>
      <summary>A short description of this incident resource</summary>

      <!-- Typical operations that can be
        performed on this entry include edit -->
      <link href="http://www.example.org/csirt/private/incidents/123456"
        rel="edit"/>

      <!-- the next and previous are just sequential access,
        may not map to anything related to this resource -->
      <link href="http://www.example.org/csirt/private/incidents/123457"
        rel="next"/>
      <link href="http://www.example.org/csirt/private/incidents/123455"
        rel="previous"/>

      <!-- navigate up to the full collection.
        Might also be rel="collection" as per IANA registry -->
      <link href="http://www.example.org/csirt/private/incidents"
        rel="up"/>

      <content type="application/xml">
        <xml>
          <tag>
            <data> Example </data>
          </tag>
        </xml>
      </content>
    </entry>

   As can be seen in the example response, above, an XML document is
   contained within the Atom <content> element.  The client may now
   process the XML document as needed.

   Note also that, as described previously, the content of the Atom
   <category> element is application-defined.  The Atom categories have
   been assigned based on the IANA table content model.

   Finally, it should be noted that in order to optimize the client
   experience, and avoid an additional round trip, a feed provider may
   choose to include the entry content inline, as part of the feed
   document.  That is, an Atom <entry> element within a Feed document
   may contain an Atom <content> element as a child.  In this case, the
   client will receive the full content of the entries within the feed.
   The decision of whether to include the entry content inline or to
   include it as a link is a design choice left to the feed provider
   (e.g. based upon local environmental factors such as the number of
   entries contained in a feed, the available network bandwidth, the
   available server compute cycles, the expected client usage patterns,
   etc.).

A.4.  Use Case: Search

   This section provides a non-normative example of a search use case.

   The following example provides a RESTful solution to handling search
   results.  Note that in the RESTful approach described herein there is
   no requirement to define a query language.  Instead, implementations
   may provide support for search operations via existing search
   facilities, and advertise these capabilities via an appropriate URL
   template.  Clients dynamically retrieve the search description
   document, and invoke specific searches via an instantiated URL
   template.

   An HTTP response body may include a link relationship of type
   "search."  This link provides a reference to an OpenSearch
   description document.

   Example HTTP response that includes a "search" link:

   HTTP/1.1 200 OK
   Date: Fri, 24 Aug 2012 17:20:11 GMT
   Content-Length: nnnn
   Content-Type: application/atom+xml;type=feed;charset="utf-8"

   <?xml version="1.0" encoding="UTF-8"?>
   <feed xmlns="http://www.w3.org/2005/Atom"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.w3.org/2005/Atom file:/
                                                     C:/schemas/atom.xsd
       urn:ietf:params:xml:ns:iodef-1.0
       file:/C:/schemas/iodef-1.0.xsd"
       xml:lang="en-US">

       <link href="http://www.example.org/opensearchdescription.xml"
               rel="search"
               type="application/opensearchdescription+xml"
               title="CSIRT search facility" />

       <!-- ...other links... -->

       <entry>
           <!-- ...zero or more entries... -->
       </entry>

   </feed>

   The OpenSearch Description document contains the information needed
   by a client to request a search.  An example of an Open Search
   description document is shown below:

   Example HTTP response that includes a "search" link:

  <?xml version="1.0" encoding="UTF-8"?>
  <OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
    <ShortName>CSIRT search example</ShortName>
    <Description>Cyber security information
                      sharing consortium search interface</Description>
    <Tags>example csirt indicator search</Tags>
    <Contact>admin@example.org</Contact>
    <!-- optionally, other elements, as per OpenSearch specification -->
    <Url type="application/opensearchdescription+xml" rel="self"
     template="http://www.example.com/csirt/opensearchdescription.xml"/>
    <Url type="application/atom+xml" rel="results"
     template="http://www.example.org/csirt?q={searchTerms}&amp;
                        format=Atom+xml"/>
    <LongName>www.example.org CSIRT search</LongName>
    <Query role="example" searchTerms="incident" />
    <Language>en-us</Language>
    <OutputEncoding>UTF-8</OutputEncoding>
    <InputEncoding>UTF-8</InputEncoding>
  </OpenSearchDescription>

   The OpenSearch Description document shown above contains two <Url>
   elements that contain parametrized URL templates.  These templates
   provide a representation of how the client should make search
   requests.  The exact format of the query string, including the
   parametrization is specified by the feed provider

   This OpenSearch Description Document also contains an example of a
   <Query> element.  Each <Query> element describes a specific search
   request that can be made by the client.  Note that the parameters of
   the <Query> element correspond to the URL template parameters.  In
   this way, a provider may fully describe the search interface
   available to the clients.  The search section, above, provides
   specific NORMATIVE requirements for the use of Open Search.

Appendix B.  XACML Guidance

   ROLIE assumes that all authorization policy enforcement is provided
   at the source server.  The implementation details of the
   authorization scheme chosen by a ROLIE-compliant provider are out of
   scope for this specification.  Implementers are free to choose any
   suitable authorization mechanism that is capable of fulfilling the
   policy enforcement requirements relevant to their consortium and/or
   organization.

   It is well known that one of the major barriers to information
   sharing is ensuring acceptable use of the information shared.  In the
   case of ROLIE, one way to lower that barrier may be to develop a
   XACML profile.  Use of XACML would allow a ROLIE-compliant provider
   to express their information sharing authorization policies in a
   standards-compliant, and machine-readable format.

   This improved interoperability may, in turn, enable more agile
   interactions in the cyber security sharing community.  For example, a
   peer CSIRT, or another interested stakeholder such as an auditor,
   would be able to review and compare CSIRT sharing policies using
   appropriate tooling.

   The XACML 3.0 standard is based upon the notion that authorization
   policies are defined in terms of predicate logic expressions written
   against the attributes associated with one or more of the following
   four entities:

   o  SUBJECT

   o  ACTION

   o  RESOURCE

   o  ENVIRONMENT

   Thus, a suitable approach to a XACML 3.0 profile for ROLIE
   authorization policies could begin by using the OASIS
              Security Assertion Markup Language (SAML) V2.0", OASIS
              Standard , March 2005, <http://docs.oasis-
              open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf>.

   [SAML-bind]
              Cantor, S., Hirsch, F., Kemp, J., Philpott, R., and E.
              Mahler, "Bindings for 3-tuple of [SUBJECT,
   ACTION, RESOURCE] where:

   o  SUBJECT is the OASIS Security Assertion Markup
              Language (SAML) V2.0", OASIS Standard , March 2005,
              <http://docs.oasis-open.org/security/saml/v2.0/
              saml-bindings-2.0-os.pdf>.

9.2.  Informative References

   [XACML]    Rissanen, E., "eXtensible Access Control Markup Language
              (XACML) Version 3.0", August 2010, <http://docs.oasis-
              open.org/xacml/3.0/xacml-3.0-core-spec-cs-01-en.pdf>.

   [REST]     Fielding, R., "Architectural Styles suitably authenticated identity of the requestor.

   o  ACTION is the associated HTTP method, GET, PUT, POST, DELETE,
      HEAD, (PATCH).

   o  RESOURCE is an XPath expression that uniquely identifies the
      instance or type of the ROLIE resource being requested.

   Implementers who have a need may also choose to evaluate based upon
   the additional ENVIRONMENT factors, such as current threat level, and
   so on.  One could also write policy to consider the Design CVSS score
   associated with the resource, or the lifecycle phase of
              Network-based Software Architectures", 2000,
              <http://www.ics.uci.edu/~fielding/pubs/dissertation/
              top.htm>.

   [RFC6546]  Trammell, B., "Transport the resource
   (vulnerability unverified, confirmed, patch available, etc.), and so
   on.

   Having these policies expressed in a standards-compliant and machine-
   readable format could improve the agility and effectiveness of Real-time Inter-network
              Defense (RID) Messages over HTTP/TLS", RFC 6546,
              DOI 10.17487/RFC6546, April 2012,
              <http://www.rfc-editor.org/info/rfc6546>.

9.3.  URIs

   [1] http://csrc.nist.gov/groups/SNS/rbac/ a
   cyber security information sharing group or consortium, and enable
   better cyber defenses.

Appendix A. C.  Relax NG Schema for ROLIE Extensions

   TODO

Appendix D.  Change Tracking

   Changes since draft-field-mile-rolie-01 version, December, 2015 to
   May 27, 2016:

   o  Spun section 4  All CSIRT and some related contextual information into its
      own IODEF/RID material moved to companion CSIRT document see TODO:Add
      TODO: add reference

   o  Recast document into a more general use perspective.  The
      implication of CSIRTs as the defacto end-user has been removed
      where ever possible.  All of the original CSIRT based use cases
      remain completely supported by this document, it has been opened
      up to supported support many other use cases.

   o  Changed the content model to broaden support of representation

   o  Edited and rewrote much of sections 1,2 and 3 in order to
      accomplish a broader scope and greater readability

   o  Removed any requirements from the Background section and, if not
      already stated, placed them in the requirements section

   o  Re-formatted the requirements section to make it clearer that it
      contains the lions-share of the requirements of the specification

   Changes made in draft-ietf-mile-rolie-01 since draft-field-mile-
   rolie-02 version, August 15, 2013 to December 2, 2015:

   o  Added section specifying the use of RFC5005 for Archive and Paging
      of feeds.  See: Section 5.3

   o  Added section describing use of atom categories that correspond to
      IODEF expectation class and impact classes.  See: Section 5.4 normative-
      expectation-impact

   o  Dropped references to adoption of a MILE-specific HTTP media type
      parameter.

   o  Updated IANA Considerations section to clarify that no IANA
      actions are required.

Authors' Addresses

   John P. Field
   Pivotal Software, Inc.
   625 Avenue of the Americas
   New York, New York
   USA

   Phone: (646)792-5770
   Email: jfield@pivotal.io

   Stephen A. Banghart
   National Institute of Standards and Technology
   100 Bureau Drive
   Gaithersburg, Maryland
   USA

   Phone: (301)975-4288
   Email: sab3@nist.gov

   David Waltermire
   National Institute of Standards and Technology
   100 Bureau Drive
   Gaithersburg, Maryland  20877
   USA

   Email: david.waltermire@nist.gov