draft-ietf-mile-rolie-03.txt   draft-ietf-mile-rolie-04.txt 
MILE Working Group J. Field MILE Working Group J. Field
Internet-Draft Pivotal Internet-Draft Pivotal
Intended status: Informational S. Banghart Intended status: Informational S. Banghart
Expires: January 9, 2017 D. Waltermire Expires: April 27, 2017 D. Waltermire
NIST NIST
July 8, 2016 October 24, 2016
Resource-Oriented Lightweight Information Exchange Resource-Oriented Lightweight Information Exchange
draft-ietf-mile-rolie-03 draft-ietf-mile-rolie-04
Abstract Abstract
This document defines a resource-oriented approach for security This document defines a resource-oriented approach for security
automation information publication, discovery, and sharing. Using automation information publication, discovery, and sharing. Using
this approach, producers may publish, share and exchange this approach, producers may publish, share, and exchange
representations of security incidents, attack indicators, software representations of security incidents, attack indicators, software
vulnerabilities, configuration checklists, and other security vulnerabilities, configuration checklists, and other security
automation information as Web-addressable resources. Furthermore, automation information as Web-addressable resources. Furthermore,
consumers and other stakeholders may access and search this security consumers and other stakeholders may access and search this security
information as needed, establishing a rapid and on-demand information information as needed, establishing a rapid and on-demand information
exchange network for restricted internal use or public access exchange network for restricted internal use or public access
repositories. This specification extends the Atom Publishing repositories. This specification extends the Atom Publishing
Protocol and Atom Syndication Format to transport and share security Protocol and Atom Syndication Format to transport and share security
automation resource representations. automation resource representations.
Contributing to this document Contributing to this document
The source for this draft is being maintained in GitHub. Suggested The source for this draft is being maintained on GitHub. Suggested
changes should be submitted as pull requests at changes should be submitted as pull requests at
<https://github.com/CISecurity/ROLIE>. Instructions are on that page <https://github.com/CISecurity/ROLIE>. Instructions are on that page
as well. Editorial changes can be managed in GitHub, but any as well. Editorial changes can be managed in GitHub, but any
substantial issues need to be discussed on the MILE mailing list. substantial issues need to be discussed on the MILE mailing list.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 9, 2017. This Internet-Draft will expire on April 27, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 27 skipping to change at page 2, line 27
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. XML-related Conventions . . . . . . . . . . . . . . . . . . . 4 3. XML-related Conventions . . . . . . . . . . . . . . . . . . . 4
3.1. XML Namespaces . . . . . . . . . . . . . . . . . . . . . 4 3.1. XML Namespaces . . . . . . . . . . . . . . . . . . . . . 4
3.2. RELAX NG Schema . . . . . . . . . . . . . . . . . . . . . 5 3.2. RELAX NG Compact Schema . . . . . . . . . . . . . . . . . 5
4. Background and Motivation . . . . . . . . . . . . . . . . . . 5 4. Background and Motivation . . . . . . . . . . . . . . . . . . 5
4.1. Message-oriented versus Resource-oriented Architecture . 6 4.1. Proactive Sharing . . . . . . . . . . . . . . . . . . . . 5
4.1.1. Message-oriented Architecture . . . . . . . . . . . . 6 4.2. Knowledge Aggregation . . . . . . . . . . . . . . . . . . 6
4.1.2. Resource-Oriented Architecture . . . . . . . . . . . 7 4.3. Resource-oriented Architecture . . . . . . . . . . . . . 6
4.2. Use of the Atom Publishing Protocol . . . . . . . . . . . 8 5. ROLIE Requirements for the Atom Publishing Protocol . . . . . 7
5. ROLIE Requirements for the Atom Publishing Protocol . . . . . 9 5.1. AtomPub Service Documents . . . . . . . . . . . . . . . . 7
5.1. AtomPub Service Documents . . . . . . . . . . . . . . . . 9 5.1.1. Use of the "app:workspace" Element . . . . . . . . . 8
5.1.1. Use of the "app:workspace" Element . . . . . . . . . 9 5.1.2. Use of the "app:collection" Element . . . . . . . . . 8
5.1.2. Use of the "app:collection" Element . . . . . . . . . 10 5.2. Service Discovery . . . . . . . . . . . . . . . . . . . . 9
5.2. Service Discovery . . . . . . . . . . . . . . . . . . . . 11 5.3. Transport Layer Security . . . . . . . . . . . . . . . . 10
5.3. Transport Layer Security . . . . . . . . . . . . . . . . 11 5.4. User Authentication and Authorization . . . . . . . . . . 11
5.4. User Authentication . . . . . . . . . . . . . . . . . . . 11 5.5. / (forward slash) Resource URL . . . . . . . . . . . . . 11
5.5. User Authorization . . . . . . . . . . . . . . . . . . . 12 5.6. HTTP methods . . . . . . . . . . . . . . . . . . . . . . 11
5.6. / (forward slash) Resource URL . . . . . . . . . . . . . 12
5.7. HTTP methods . . . . . . . . . . . . . . . . . . . . . . 12
6. ROLIE Requirements for the Atom Syndication Format . . . . . 12 6. ROLIE Requirements for the Atom Syndication Format . . . . . 12
6.1. Use of the "atom:feed" element . . . . . . . . . . . . . 13 6.1. Use of the "atom:feed" element . . . . . . . . . . . . . 12
6.1.1. Use of the "atom:category" Element . . . . . . . . . 13 6.1.1. Use of the "atom:category" Element . . . . . . . . . 13
6.1.2. Use of the "atom:link" Element . . . . . . . . . . . 14 6.1.2. Use of the "atom:link" Element . . . . . . . . . . . 14
6.1.3. Use of the "atom:updated" Element . . . . . . . . . . 16 6.1.3. Use of the "atom:updated" Element . . . . . . . . . . 15
6.2. Use of the "atom:entry" Element . . . . . . . . . . . . 16 6.2. Use of the "atom:entry" Element . . . . . . . . . . . . 15
6.2.1. Use of the "atom:content" Element . . . . . . . . . . 16 6.2.1. Use of the "atom:content" Element . . . . . . . . . . 16
6.2.2. Use of the "atom:link" Element . . . . . . . . . . . 17 6.2.2. Use of the "atom:link" Element . . . . . . . . . . . 16
6.2.3. Use of the "rolie:format" Element . . . . . . . . . . 17 6.2.3. Use of the "rolie:format" Element . . . . . . . . . . 17
6.2.4. Requirements for a Standalone Entry . . . . . . . . . 18
6.3. Link Relations . . . . . . . . . . . . . . . . . . . . . 17 7. Available Extension Points Provided by ROLIE . . . . . . . . 18
7. Use of OpenSearch . . . . . . . . . . . . . . . . . . . . . . 17 7.1. The Category Extension Point . . . . . . . . . . . . . . 18
8. Characterizing ROLIE Collections and Resources . . . . . . . 18 7.1.1. General Use of the "atom:category" Element . . . . . 19
8.1. Identification of Security Automation Information Types . 18 7.1.2. Identification of Security Automation Information
8.2. General Use of the "atom:category" Element . . . . . . . 19 Types . . . . . . . . . . . . . . . . . . . . . . . . 19
8.3. Identification of Security Automation Information Formats 20 7.2. The "rolie:format" Extension Point . . . . . . . . . . . 21
9. Formal Syntax for the ROLIE Schema . . . . . . . . . . . . . 20 7.3. The Link Relation Extension Point . . . . . . . . . . . . 21
10. IANA Considerations TODO . . . . . . . . . . . . . . . . . . 20 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21
10.1. XML Namespaces and Schema URNs . . . . . . . . . . . . . 20 8.1. XML Namespaces and Schema URNs . . . . . . . . . . . . . 21
10.2. ROLIE Parameters . . . . . . . . . . . . . . . . . . . . 21 8.2. ROLIE URN Sub-namespace . . . . . . . . . . . . . . . . . 22
10.3. Security Resource Information Type Registry . . . . . . 21 8.3. ROLIE URN Parameters . . . . . . . . . . . . . . . . . . 22
11. Security Considerations TODO . . . . . . . . . . . . . . . . 22 8.4. ROLIE Security Resource Information Type Sub-Registry . . 23
12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 24 9. Security Considerations . . . . . . . . . . . . . . . . . . . 24
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 24 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 26
13.1. Normative References . . . . . . . . . . . . . . . . . . 25 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 26
13.2. Informative References . . . . . . . . . . . . . . . . . 26 11.1. Normative References . . . . . . . . . . . . . . . . . . 26
13.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 27 11.2. Informative References . . . . . . . . . . . . . . . . . 28
Appendix A. Use Case Examples . . . . . . . . . . . . . . . . . 27 11.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 29
A.1. Service Discovery . . . . . . . . . . . . . . . . . . . . 27 Appendix A. Relax NG Compact Schema for ROLIE . . . . . . . . . 29
A.2. Feed Retrieval . . . . . . . . . . . . . . . . . . . . . 30 Appendix B. Examples of Use . . . . . . . . . . . . . . . . . . 30
A.3. Entry Retrieval . . . . . . . . . . . . . . . . . . . . . 32 B.1. Service Discovery . . . . . . . . . . . . . . . . . . . . 30
A.4. Use Case: Search . . . . . . . . . . . . . . . . . . . . 34 B.2. Feed Retrieval . . . . . . . . . . . . . . . . . . . . . 33
Appendix B. XACML Guidance . . . . . . . . . . . . . . . . . . . 36 B.3. Entry Retrieval . . . . . . . . . . . . . . . . . . . . . 35
Appendix C. Relax NG Schema for ROLIE Extensions . . . . . . . . 38 Appendix C. Change History . . . . . . . . . . . . . . . . . . . 36
Appendix D. Change Tracking . . . . . . . . . . . . . . . . . . 38 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 37
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 39
1. Introduction 1. Introduction
This document defines a resource-oriented approach to security This document defines a resource-oriented approach to security
automation information sharing that follows the REST (Architectural S automation information sharing that follows the REST (Architectural S
tyles and the Design of Network-based Software Architectures) tyles and the Design of Network-based Software Architectures)
architectural style. In this approach, computer security resources architectural style. In this approach, computer security resources
are maintained in web-accessible repositories structured as Atom are maintained in web-accessible repositories structured as Atom
Syndication Format [RFC4287] feeds. Representations of specific Syndication Format [RFC4287] Feeds. Representations of specific
types of security automation information are categorized and types of security automation information are categorized and
organized into indexed collections, which may be requested by the organized into indexed Collections which may be requested by the
consumer. As the set of resource collections are forward facing, the consumer. As the set of resource Collections are forward facing, the
consumer may search all available content for which they are consumer may search all available content for which they are
authorized to view, and request the information resources which are authorized to view, and request the information resources which are
desired. Through use of granular authentication and access controls, desired. Through use of granular authentication and access controls,
only authorized consumers may be permitted the ability to read or only authorized consumers may be permitted the ability to read or
write to a given feed. This approach is in contrast to, and meant to write to a given Feed. This approach is in contrast to, and meant to
improve on, the traditional point-to-point messaging system, in which improve on, the traditional point-to-point messaging system, in which
consumers must request individual pieces of information from a server consumers must request individual pieces of information from a server
following a triggering event. The point-to-point approach creates a following a triggering event. The point-to-point approach creates a
closed system of information sharing that encourages duplication of closed system of information sharing that encourages duplication of
effort and hinders automated security systems. effort and hinders automated security systems.
The goal of this document is to define a RESTful approach to security The goal of this document is to define a RESTful approach to security
information communication with two primary intents: 1) increasing information communication with two primary intents: 1) increasing
communication and sharing of incident reports, vulnerability communication and sharing of incident reports, vulnerability
assessments, configuration checklists, and other security automation assessments, configuration checklists, and other security automation
skipping to change at page 4, line 20 skipping to change at page 4, line 20
standardized communication system to support automated computer standardized communication system to support automated computer
security systems. security systems.
In order to deal with the great variety in security automation In order to deal with the great variety in security automation
information types and associated resource representations, this information types and associated resource representations, this
specification defines extension points that can be used to add specification defines extension points that can be used to add
support for new information types and associated resource support for new information types and associated resource
representations by means of additional supplementary specification representations by means of additional supplementary specification
documents. This primary document is resource representation documents. This primary document is resource representation
agnostic, and defines the core requirements of all implementations. agnostic, and defines the core requirements of all implementations.
Those seeking to provide support for specific security automation An overview of the extension system is provided in Section 7.Those
information types should refer to the specification for that format seeking to provide support for specific security automation
described by the IANA registry found in section 10.3. information types should refer to the specification for that domain
described by the IANA registry found in section 8.4.
2. Terminology 2. Terminology
The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT," The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT,"
"SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
Definitions for some of the common computer security-related Definitions for some of the common computer security-related
terminology used in this document can be found in Section 2 of terminology used in this document can be found in Section 2 of
[RFC5070]. [RFC5070].
skipping to change at page 4, line 49 skipping to change at page 4, line 50
to uniquely identify XML element names. It uses the following to uniquely identify XML element names. It uses the following
namespace prefix mappings for the indicated namespace URI: namespace prefix mappings for the indicated namespace URI:
"app" is used for the "http://www.w3.org/2007/app" namespace "app" is used for the "http://www.w3.org/2007/app" namespace
defined in [RFC5023]. defined in [RFC5023].
"atom" is used for the "http://www.w3.org/2005/Atom" namespace "atom" is used for the "http://www.w3.org/2005/Atom" namespace
defined in [RFC4287]. defined in [RFC4287].
"rolie" is used for the "urn:ietf:params:xml:ns:rolie:1.0" "rolie" is used for the "urn:ietf:params:xml:ns:rolie:1.0"
namespace defined in section 10.1 of this specification. namespace defined in section 8.1 of this specification.
3.2. RELAX NG Schema 3.2. RELAX NG Compact Schema
Some sections of this specification are illustrated with fragments of Some sections of this specification are illustrated with fragments of
a non-normative RELAX NG Compact schema [relax-NG]. However, the a non-normative RELAX NG Compact schema [relax-NG]. However, the
text of this specification provides the definition of conformance. text of this specification provides the definition of conformance.
Complete schemas appear for the "urn:ietf:params:xml:ns:rolie-1.0" Schema for the "http://www.w3.org/2007/app" and
namespace in appendix C. Schema for the "http://www.w3.org/2007/app" "http://www.w3.org/2005/Atom" namespaces appear in RFC5023 appendix B
and "http://www.w3.org/2005/Atom" namespaces appear in RFC5023 [RFC5023] and RFC4287 appendix B [RFC4287] respectively.
appendix B [RFC5023] and RFC4287 appendix B [RFC4287] respectively.
4. Background and Motivation 4. Background and Motivation
It is well known thatthreats to computer security are evolving ever Information sharing is one of the core components of automating
more rapidly as time goes on. As software increases in complexity, security processes. Vulnerabilities, configurations, software
the number of vulnerabilities in systems and networks can increase identification, security incidents, and patching data are just a few
exponentially. Threat actors looking to exploit these of the classes of information that are shared today to enable
vulnerabilities are making more frequent and more widely distributed effective security on a wide scale. However, as the scale of defense
attacks across a large variety of systems. The adoption of liberal broadens to sometimes global networks, and the inherent scaling
information sharing amongst attackers creates a window of as little issues of human-in-the-loop sharing become apparent, the need for
as a few hours between the discovery of a vulnerability and attacks automation and machine-to-machine communication becomes apparent.
on a vulnerable system. As the skills and knowledge required to
identify and combat these attacks become more and more specialized, 4.1. Proactive Sharing
even a well established and secure system may find itself unable to
quickly respond to an incident. Effective identification of and
response to a sophisticated attack requires open cooperation and
collaboration between defending operators, software vendors, and end-
users. To improve the timeliness of responses, automation must be
used to acquire, contextualize, and put to use shared computer
security information.
Existing approaches to computer security information sharing often Existing approaches to computer security information sharing often
use message exchange patterns that are point-to-point, and event- use message exchange patterns that are point-to-point. Sometimes,
driven. Sometimes, information that may be useful to share with information that may be useful to share with multiple peers is only
multiple peers is only made available to peers after they have made available to peers after they have specifically requested it.
specifically requested it. Unfortunately, a sharing peer may not Unfortunately, a sharing peer may not know, a priori, what
know, a priori, what information to request from another peer. Some information to request from another peer. Some existing systems
exsisting systems provide a mechanism for unsolicited information provide a mechanism for unsolicited information requests, however,
requests, however these reports are again sent point-to-point, and these reports are again sent point-to-point, and must be reviewed for
must be reviewed for relevance and then prioritized for action by the relevance and then prioritized for action by the recipient,
recipient, introducing additional latency. introducing additional latency.
In order to adequately combat evolving threats, computer security In order to adequately combat evolving threats, computer security
information resource providers should be enabled to share selected information resource providers should be able to share selected
information proactively as appropriate. Proactive sharing greatly information proactively. Proactive sharing greatly aids knowledge
aids knowledge dissemination, and improves response times and dissemination, and improves response times and usability by allowing
usability. the consumer to choose which information is relevant to its needs.
For example, a security analyst can benefit by having the ability to For example, a security analyst can benefit by having the ability to
search a comprehensive collection of attack indicators that have been search a comprehensive collection of attack indicators that have been
published by a government agency, or by another member of a sharing published by a government agency, or by another member of a sharing
consortium. The representation of each indicator may include links consortium. The representation of each indicator may include links
to the related resources, enabling an appropriately authenticated and to the related resources, enabling an appropriately authenticated and
authorized analyst to freely navigate the information space of authorized analyst to freely navigate the information space of
indicators, incidents, vulnerabilities, and other computer security indicators, incidents, vulnerabilities, and other computer security
domain concepts as needed. In this way, an analyst can more domain concepts as needed. In this way, an analyst can more
effectively utilize the super set of information made publicly effectively utilize the super set of information made publicly
available. available.
Consider also the case of an automated endpoint management system 4.2. Knowledge Aggregation
attempting to proactively prevent software flaws from compromising
the security of the affected systems. During its full network sweep,
the endpoint monitoring system would check each endpoint for outdated
or vulnerable software. This system would benefit from having access
to not only the software vendor's list of vulnerabilities, but also
vulnerabilities discovered by other vulnerability researchers. An
advanced system could even give back to this sharing consortium by
sharing any vulnerabilities that it discovers. The natural
conclusion of such a sharing network is an automated security
solution that can dynamically find and collect information from a
globally distributed web of information repositories.
The following section discusses additional specific technical issues
that motivated the development of this alternative approach.
4.1. Message-oriented versus Resource-oriented Architecture
The existing approaches to computer security information sharing are
based upon message-oriented interactions. The following paragraphs
explore some of the architectural constraints associated with
message-oriented interactions and consider the relative merits of an
alternative model based on a resource-oriented architecture for use
in some use case scenarios.
ROLIE specifies a resource-oriented architecture that attempts to
address the issues present in a message-oriented architecture.
4.1.1. Message-oriented Architecture
In general, message-based integration architectures may be based upon Additionally, there is value in maintaining a repository of knowledge
either an RPC-style or a document-style binding. The message types that can be queried by a new consumer, allowing this consumer to
defined by Real-time Inter-network Defense (RID) [RFC6545] represents identify and retrieve any information that is relevant to its needs.
an example of an RPC-style request. This approach imposes implied In this way, the consumer can gain access to meaningful current and
requirements for conversational state management on both of the historic information, catching up to the knowledge level of its
communicating RID endpoint(s). Experience has shown that this state peers.
management frequently becomes the limiting factor with respect to the
runtime scalability of an RPC-style architecture.
In addition, the practical scalability of a peer-to-peer message- Consider the case of an automated endpoint management system
based approach will be limited by the administrative procedures attempting to proactively prevent software flaws and mis-configured
required to manage O(N^2) trust relationships and at least O(N) software from compromising the security of the affected systems.
policy groups. During its full network sweep, the endpoint monitoring system would
check each endpoint for outdated, vulnerable, and mis-configured
software. This system would benefit from having access to not only
the software vendor's list of vulnerabilities and configuration
baselines, but also similar information discovered by other security
researchers. An advanced system could even give back to this sharing
consortium by sharing any relevant information discovered.
As long as the number of participating entities in an information These capabilities support a federated collection of information
sharing consortium is limited to a relatively small number of nodes repositories that can be queried and contributed to by an
(i.e., O(2^N), where N < 5), these scalability constraints may not organization, further supporting automated security solutions.
represent a critical concern. However, when there is a requirement
to support a significantly larger number of participating peers, a
different architectural approach will be required. Towards the goal
to create a large-scale network of entities sharing information, this
traditional architecture only creates small and isolated groupings of
sharing, encouraging effort duplication between these sharing
islands. One alternative to the message-based approach that has
demonstrated scalability and a high degree of connectedness is the
REST [REST] architectural style.
4.1.2. Resource-Oriented Architecture 4.3. Resource-oriented Architecture
Applying the REST architectural style to the problem domain of Applying the REST architectural style to the problem domain of
security information sharing involves exposing information in any security information sharing involves exposing information of any
relevant type as simple Web-addressable resources. Each provider relevant type as simple Web-addressable resources. Each provider
maintains their own repository of data, with public and private maintains their own repository of data, with public and private
sections as needed. Any producer or consumer can then discover these sections as needed. Any producer or consumer can then discover these
repositories, search for relevant feeds, and pull information from repositories, search for relevant Feeds, and pull information from
them. By using this approach, an organization can more quickly and them. By using this approach, an organization can more quickly and
easily share relevant data representations with a much larger and easily share relevant data representations with a much larger and
potentially more diverse constituency. A consumer may leverage potentially more diverse constituency. A consumer may leverage
virtually any available HTTP user agent in order to make requests of virtually any available HTTP user agent in order to make requests of
the service provider. This improved ease of use enables more rapid the service provider. This improved ease of use enables more rapid
adoption and broader participation, thereby improving security for adoption and broader participation, thereby improving security for
everyone. everyone.
A key aspect of any RESTful Web service is the ability provide A key aspect of any RESTful Web service is the ability to provide
multiple resource representations. For example, clients may request multiple resource representations. For example, clients may request
that a given resource representation be returned as XML, JSON, or in that a given resource representation be returned as XML, JSON, or in
some other format. In order to enable backwards-compatibility and some other format. In order to enable backwards-compatibility and
interoperability with existing implementations, the RESTful approach interoperability with existing implementations, the RESTful approach
allows the provider to make differing formats available proactively, allows the provider to make differing formats available proactively,
allowing the consumer to simply select the version that best suits allowing the consumer to simply select the version that best suits
them. them.
Finally, an important principle of the REST architectural style is Finally, an important principle of the REST architectural style is
the focus on hypermedia as the engine of application state (HATEOAS). the focus on hypermedia as the engine of application state (HATEOAS).
skipping to change at page 8, line 4 skipping to change at page 7, line 10
multiple resource representations. For example, clients may request multiple resource representations. For example, clients may request
that a given resource representation be returned as XML, JSON, or in that a given resource representation be returned as XML, JSON, or in
some other format. In order to enable backwards-compatibility and some other format. In order to enable backwards-compatibility and
interoperability with existing implementations, the RESTful approach interoperability with existing implementations, the RESTful approach
allows the provider to make differing formats available proactively, allows the provider to make differing formats available proactively,
allowing the consumer to simply select the version that best suits allowing the consumer to simply select the version that best suits
them. them.
Finally, an important principle of the REST architectural style is Finally, an important principle of the REST architectural style is
the focus on hypermedia as the engine of application state (HATEOAS). the focus on hypermedia as the engine of application state (HATEOAS).
Rather than the server maintaining conversational state for each Rather than the server maintaining conversational state for each
client, the server will instead include a suitable set of hyperlinks client, the server will instead include a suitable set of hyperlinks
in the resource representation that is returned to the client. The in the resource representation that is returned to the client. The
included hyperlinks provide the client with a specific set of included hyperlinks provide the client with a specific set of
permitted state transitions. Using these links the client may permitted state transitions. Using these links the client may
perform an operation, such as updating or deleting the resource perform an operation, such as updating or deleting the resource
representation. The client may also be provided with hypertext links representation. The client may also be provided with hypertext links
that can be used to navigate to any related resource. For example, that can be used to navigate to any related resource. For example,
the resource representation for an incident object may contain links the resource representation for an object may contain links to the
to the related indicator resource(s). In this way, the server related resource(s). In this way, the server remains stateless with
remains stateless with respect to a series of client requests. respect to a series of client requests.
4.1.2.1. A Resource-Oriented Use Case: "Mashup"
In this section we consider an example scenario for creating a
computer security "mashup".
A producer creates and maintains a feed of information on threat
actors, whilst another creates and maintains a feed of attack
indicators. Each has authorized a large consortium of security
analysts to access these feeds as they see fit. Any one of these
analysts can then make HTTP(s) requests to the servers to collect
sets of information from each provider. The resulting correlations
may yield new insights that enable a more timely and effective
defensive response. Of course, this report may, in turn, be made
available to others as a new Web-addressable resource, reachable via
another URL. By exposing information using the RESTful approach in
this way, the effectiveness of the collaboration amongst a consortium
of cyber security stakeholders can be greatly improved.
4.2. Use of the Atom Publishing Protocol
This specification defines a profile of the Atom Publishing Protocol
(AtomPub) [RFC5023] and Atom Syndication Format [RFC4287] providing
implementation requirements for a security information sharing
solution as a RESTful Web service.
This document assumes that the reader has an understanding of both
the AtomPub and Atom Syndication Format specifications.
The following two sections of this document provide requirements for
using the Atom Syndication Format and AtomPub as a RESTful binding
for security automation information sharing.
5. ROLIE Requirements for the Atom Publishing Protocol 5. ROLIE Requirements for the Atom Publishing Protocol
This section describes a number of restrictions of and extensions to This section describes a number of restrictions of and extensions to
the Atom Publishing Protocol (AtomPub) [RFC5023] that define the use the Atom Publishing Protocol (AtomPub) [RFC5023] that define the use
of that protocol in the context of a ROLIE-based solution. of that protocol in the context of a ROLIE-based solution.
This document assumes that the reader has an understanding of the
Atom Publishing Protocol specification.
5.1. AtomPub Service Documents 5.1. AtomPub Service Documents
As described in RFC5023 section 8 [RFC5023], a Service Document is an As described in RFC5023 section 8 [RFC5023], a Service Document is an
XML-based document format that allows a client to dynamically XML-based document format that allows a client to dynamically
discover the collections provided by a publisher. A Service Document discover the Collections provided by a publisher. A Service Document
consists of one or more app:workspace elements that may each contain consists of one or more app:workspace elements that may each contain
a number of app:collection elements. a number of app:collection elements.
The general structure of a service document is as follows (from The general structure of a service document is as follows (from
RFC5023 section 4.2 [RFC5023]): RFC5023 section 4.2 [RFC5023]):
Service Service
o- Workspace o- Workspace
| | | |
| o- Collection | o- Collection
skipping to change at page 9, line 49 skipping to change at page 8, line 32
AtomPub concept of a Workspace, in ROLIE a Workspace represents an AtomPub concept of a Workspace, in ROLIE a Workspace represents an
aggregation of Collections pertaining to security automation aggregation of Collections pertaining to security automation
information resources. This specification does not impose any information resources. This specification does not impose any
restrictions on the number of Workspaces that may be in a Service restrictions on the number of Workspaces that may be in a Service
Document or the specific Collections to be provided within a given Document or the specific Collections to be provided within a given
Workspace. Workspace.
The following restrictions are imposed on the use of the The following restrictions are imposed on the use of the
app:workspace element in ROLIE: app:workspace element in ROLIE:
o A ROLE repository can host Collections containing both public and o A ROLIE repository can host Collections containing both public and
private information entries. It is RECOMMENDED that public and private information entries. It is RECOMMENDED that public and
private collections be segregated into different Workspaces. By private Collections be segregated into different Workspaces. By
doing this, Workspaces that contain private information can be doing this, Workspaces that contain private information can be
ignored by clients. ignored by clients or can be omitted from the Service Document
provided to a client that lacks the appropriate privilege to
access the set of Collections associated with the Workspace.
o Appropriate descriptions and naming conventions SHOULD be used to o Appropriate descriptions and naming conventions SHOULD be used to
indicate the intended audience of each workspace. This helps to indicate the intended audience of each workspace. This helps to
facilitate the selection of appropriate Workspaces by clients. facilitate the selection of appropriate Workspaces by users.
o An implementation can provide any number of Collections within a
given Workspace. It is RECOMMENDED that each collection appear in
only a single Workspace. This helps to reduce the number of
duplicate collections that need to be examined to discover
information that is relevant to a given client.
5.1.2. Use of the "app:collection" Element 5.1.2. Use of the "app:collection" Element
In AtomPub, a Collection in a Service Document, represented by the In AtomPub, a Collection in a Service Document, represented by the
"app:collection" element, provides metadata that can be used to point "app:collection" element, provides metadata that can be used to point
to a specific Atom Feed that contains information Entries that may be to a specific Atom Feed that contains information Entries that may be
of interest to a client. The association between a Collection and a of interest to a client. The association between a Collection and a
Feed is provided by the "href" attribute of the app:collection Feed is provided by the "href" attribute of the app:collection
element. Building on the AtomPub concept of a Collection, in ROLIE a element. Building on the AtomPub concept of a Collection, in ROLIE a
Collection represents a pointer to a group of security automation Collection represents a pointer to a group of security automation
information resources pertaining to a given type of security information resources pertaining to a given type of security
automation information. Collections are represented as Atom feeds as automation information. Collections are represented as Atom Feeds as
per RFC 5023. Feed specific requirements are defined in section 6.1. per RFC 5023. Feed specific requirements are defined in section 6.1.
The following restrictions are imposed on the use of the The following restrictions are imposed on the use of the
app:collection element for ROLIE: app:collection element for ROLIE:
o The atom:category elements contained in the app:categories element o The atom:category elements contained in the app:categories element
MUST be the same set of atom:categories used in the Atom Feed MUST be the same set of atom:categories used in the Atom Feed
indicated by the app:collection "href" attribute value. This resource indicated by the app:collection "href" attribute value.
ensures that the category metadata associated with the Feed is This ensures that the category metadata associated with the
discoverable in the corresponding Collection in the Service Collection is discoverable in both the Feed and the corresponding
Document. Collection in the Service Document.
o An app:collection pertaining to a security automation information o An app:collection pertaining to a security automation information
resource Feed MUST contain an app:categories element that resource Feed MUST contain an app:categories element that
minimally contains a single atom:category element with the minimally contains a single atom:category element with the
"scheme" attribute value of "urn:ietf:params:rolie:information- "scheme" attribute value of
type". This category MUST have an appropriate "term" attribute "urn:ietf:params:rolie:category:information-type". This category
value as defined in section 8.2. This ensures that a given MUST have an appropriate "term" attribute value as defined in
Collection corresponds to a specific type of security automation section 7.1.1. This ensures that a given Collection corresponds
information. to a specific type of security automation information.
o Any app:collection element that does not contain a descendant o Any app:collection element that does not contain a descendant
atom:category element with the "scheme" attribute value of atom:category element with the "scheme" attribute value of
"urn:ietf:params:rolie:information-type" MUST be considered a non- "urn:ietf:params:rolie:category:information-type" MUST be
ROLIE Collection. This allows Collections pertaining to security considered a non-ROLIE Collection. This allows Collections
automation information to co-exist alongside Collections of other pertaining to security automation information to co-exist
non-ROLIE information within the same AtomPub instance. alongside Collections of other non-ROLIE information within the
same AtomPub instance.
o The app:categories element in an app:collection may include o The app:categories element in an app:collection MAY include
additional atom:category elements using a scheme other than additional atom:category elements using a scheme other than
"urn:ietf:params:rolie:information-type". This allows other "urn:ietf:params:rolie:category:information-type". This allows
category metadata to be included. other category metadata to be included.
5.2. Service Discovery 5.2. Service Discovery
This specification requires that an implementation MUST publish an This specification requires that an implementation MUST publish an
Atom Service Document that describes the set of security information Atom Service Document that describes the set of security information
sharing collections that are provided by the repository. sharing Collections that are provided by the repository.
The service document SHOULD be discoverable via the organization's The service document SHOULD be discoverable via the organization's
Web home page or another well-known public resource. An example of Web home page or another well-known public resource. An example of
this can be found in appendix A.1. this can be found in appendix B.1.
The service document SHOULD (TODO: MUST?) be located at the The service document SHOULD be located at the standardized location
standardized location "https://{host:port}/rolie/servicedocument", "https://{host:port}/rolie/servicedocument", where {host:port} is the
where {host:port} is the authority portion of the URI. Dereferencing authority portion of the URI. Dereferencing this URI MAY result in a
this URI MAY result in a redirect based on a HTTP 3xx status code to redirect based on a HTTP 3xx status code to direct the client to the
direct the client to the actual service document. This allows actual service document. This allows clients to have a well-known
clients to have a well-known location to find a ROLIE service location to find a ROLIE service document, while giving
document, while giving implmentations flexibility over how the implementations flexibility over how the service is deployed.
service is deployed.
When deploying a service document for use by a closed consortium, the When deploying a service document for use by a closed consortium, the
service document MAY also be digitally signed and/or encrypted. service document MAY also be digitally signed and/or encrypted. For
example, consider XML Signature Syntax and Processing [xmldsig] and
XML Encryption Syntax and Processing [xmlenc]
5.3. Transport Layer Security 5.3. Transport Layer Security
Implementations MUST support server-authenticated TLS. ROLIE is intended to be handled with TLS. The following requirements
have been derived from [RFC7589].
Implementations MAY support mutually authenticated TLS. The most recent published version of TLS MUST be supported, and any
mandatory-to-implement (MTI) cipher suites in that version MUST be
supported as well.
Implementations MAY support client authenticated TLS. The server MUST support certificate-based client authentication. The
implementation MAY use any TLS cipher suite that supports mutual
authentication.
5.4. User Authentication During the TLS negotiation, the client MUST carefully examine the
certificate presented by the server to determine if it meets the
client's expectations. Particularly, the client MUST check its
understanding of the server hostname against the server's identity as
presented in the server Certificate message, in order to prevent man-
in-the-middle attacks. Matching is performed according to the rules
laid out in the Security Considerations section of [RFC4642].
Implementations MUST support user authentication. User If the match fails, the client MUST either ask for explicit user
authentication MAY be enabled for specific feeds. confirmation or terminate the connection and indicate the server's
identity is suspect. Additionally, clients MUST verify the binding
between the identity of the servers to which they connect and the
public keys presented by those servers. Clients SHOULD implement the
algorithm in Section 6 of [RFC5280] for general certificate
validation, but MAY supplement that algorithm with other validation
methods that achieve equivalent levels of verification (such as
comparing the server certificate against a local store of already-
verified certificates and identity bindings). If the client has
external information as to the expected identity of the server, the
hostname check MAY be omitted.
Implementations MAY support more than one client authentication The server MUST be capable of verifying the identity of the client
method. with certificate-based authentication according to local policy to
ensure that the incoming client request is legitimate before any
configuration or state data is sent to or received from the client.
5.4. User Authentication and Authorization
Implementations MUST support user authentication. User
authentication MAY be enabled for specific Feeds.
Servers participating in an information sharing consortium and Servers participating in an information sharing consortium and
supporting interactive user logins by members of the consortium supporting interactive user logins by members of the consortium
SHOULD support client authentication via a federated identity scheme SHOULD support client authentication via a federated identity scheme
as per SAML 2.0. (e.g., SAML 2.0).
5.5. User Authorization
This document does not mandate the use of any specific user This document does not mandate the use of any specific user
authorization mechanisms. However, service implementers SHOULD authorization mechanisms. However, service implementers SHOULD
provide appropriate authorization checking for all resource accesses, provide appropriate authorization checking for all resource accesses,
including individual Atom Entries, Atom Feeds, and Atom Service including individual Atom Entries, Atom Feeds, and Atom Service
Documents. Documents.
Authorization for a resource MAY be adjudicated based on the value(s) 5.5. / (forward slash) Resource URL
of the associated Atom <category> element(s).
5.6. / (forward slash) Resource URL
The "/" resource MAY be provided for compatibility with existing The "/" resource MAY be provided for compatibility with existing
deployments that are using Transport of Real-time Inter-network deployments that are using Transport of Real-time Inter-network
Defense (RID) Messages over HTTP/TLS [RFC6546]. Consistent with Defense (RID) Messages over HTTP/TLS [RFC6546]. If the "/" resource
RFC6546 errata, a client requesting a GET on "/" MUST receive an HTTP is supported the following behavior MUST be also supported:
status code 405 Method Not Allowed. An implementation MAY provide
full support for RFC6546 such that a POST to "/" containing a
recognized RID message type just works. Alternatively, a client
requesting a POST to "/" MAY receive an HTTP status code 307
Temporary Redirect. In this case, the location header in the HTTP
response will provide the URL of the appropriate RID endpoint, and
the client may repeat the POST method at the indicated location.
This resource could also leverage the new draft by reschke that
proposes HTTP status code 308 (cf: draft-reschke-http-status-
308-07.txt). TODO
5.7. HTTP methods o Consistent with RFC6546 errata, a client requesting a GET on "/"
SHOULD receive an HTTP status code 405 Method Not Allowed.
o An implementation MAY provide full support for [RFC6546] such that
a POST to "/" containing a recognized RID message is handled
correctly as a RID request. Alternatively, a client requesting a
POST to "/" MAY receive an HTTP status code 307 Temporary
Redirect. In this case, the location header in the HTTP response
will provide the URL of the appropriate RID endpoint, and the
client may repeat the POST method at the indicated location.
If the "/" resource is unsupported, then a request for this resource
MUST provide a 404 HTTP status code.
5.6. HTTP methods
Clients MUST be capable of recognizing and processing any standard Clients MUST be capable of recognizing and processing any standard
HTTP status code, as defined in [RFC5023] Section 5 HTTP status code, as defined in [RFC5023] Section 5.
6. ROLIE Requirements for the Atom Syndication Format 6. ROLIE Requirements for the Atom Syndication Format
This section describes a number of restrictions of and extensions to This section describes a number of restrictions of and extensions to
the Atom Syndication Format [RFC4287] that define the use of that the Atom Syndication Format [RFC4287] that define the use of that
format in the context of a ROLIE-based solution. format in the context of a ROLIE-based solution.
This document assumes that the reader has an understanding of the
Atom Syndication Format specification.
6.1. Use of the "atom:feed" element 6.1. Use of the "atom:feed" element
As described in RFC4287 section 4.1.1 [RFC4287], an Atom Feed is an As described in RFC4287 section 4.1.1 [RFC4287], an Atom Feed is an
XML-based document format that describes a list of related XML-based document format that describes a list of related
information items, also known as a collection. Each Feed document, information items, also known as a Collection. Each Feed document,
represented using the atom:feed element, contains a collection of represented using the atom:feed element, contains a Collection of
zero or more related information items individually called a "member zero or more related information items individually called a "member
entry" or "entry". Entry" or "Entry".
When applied to the problem domain of security automation information When applied to the problem domain of security automation information
sharing, an Atom Feed may be used to represent any meaningful sharing, an Atom Feed may be used to represent any meaningful
collection of security automation information resources including a Collection of security automation information resources. Each Entry
set of configuration checklists or software vulnerabilities. Each in an atom:feed represents an individual resource (e.g., a specific
entry in an atom:feed represents an individual resource, such as a checklist , a software vulnerability record). Additional Feeds can
specific checklist or software vulnerability record. Additional be used to represent other Collections of security automation
Feeds can be used to represent collections of other meaningful and resources.
useful security automation resources.
This Atom feed definition represents a stricter definition of the This Atom Feed definition represents a stricter definition of the
Atom entry element. Any element not specified here inherits its atom:feed element defined in RFC 4287 for use in a ROLIE Any element
definition and requirements from RFC 4287. not specified here inherits its definition and requirements from
[RFC4287].
atomFeed = atomFeed =
element atom:feed { element atom:feed {
atomCommonAttributes, atomCommonAttributes,
(atomAuthor* (atomAuthor*
& atomCategory+ & atomCategory+
& atomContributor* & atomContributor*
& atomGenerator? & atomGenerator?
& atomIcon? & atomIcon?
& atomId & atomId
& atomLink* & atomLink+
& atomLogo? & atomLogo?
& atomRights? & atomRights?
& atomSubtitle? & atomSubtitle?
& atomTitle & atomTitle
& atomUpdated & atomUpdated
& extensionElement*), & extensionElement*),
atomEntry* atomEntry*
} }
6.1.1. Use of the "atom:category" Element 6.1.1. Use of the "atom:category" Element
An atom:feed may be categorized and may contain information from zero An atom:feed can be categorized and can contain information from zero
or more categories. In Atom the naming scheme and the semantic or more categories. In Atom the naming scheme and the semantic
meaning of the terms used to identify an Atom category are meaning of the terms used to identify an Atom category are
application-defined. application-defined.
The following restrictions are imposed on the use of the The following restrictions are imposed on the use of the
atom:category element when used in a ROLIE atom:feed: atom:category element when used in an atom:feed:
o An atom:feed element MUST minimally contain a single atom:category o An atom:feed element MUST minimally contain a single atom:category
element with the "scheme" attribute value of element with the "scheme" attribute value of
"urn:ietf:params:rolie:information-type". This category MUST have "urn:ietf:params:rolie:category:information-type". This category
an appropriate "term" attribute value as defined in section 8.2. MUST have an appropriate "term" attribute value as defined in
This ensures that a given Collection corresponds to a specific section 7.1.1. This ensures that a given Collection corresponds
type of security automation information. All member entries in to a specific type of security automation information. All member
the collection MUST represent security automation information entries in the Collection MUST represent security automation
records of this information type. information records of this information type.
o Any atom:feed element that does not contain a child atom:category o Any atom:feed element that does not contain a child atom:category
element with the "scheme" attribute value of element with the "scheme" attribute value of
"urn:ietf:params:rolie:information-type" MUST NOT be considered a "urn:ietf:params:rolie:category:information-type" MUST NOT be
ROLIE Collection. This allows Feeds pertaining to security considered a ROLIE Collection. This allows Feeds pertaining to
automation information to co-exist alongside Feeds of other non- security automation information to co-exist alongside Feeds of
ROLIE information within the same AtomPub instance. other non-ROLIE information within the same AtomPub instance.
o An atom:feed may include additional atom:category elements using a o An atom:feed may include additional atom:category elements using a
scheme other than "urn:ietf:params:rolie:information-type". This scheme other than "urn:ietf:params:rolie:category:information-
allows other category metadata to be included. type". This allows other category metadata to be included.
6.1.2. Use of the "atom:link" Element 6.1.2. Use of the "atom:link" Element
Link relations defined by the atom:link element are used to represent Link relations defined by the atom:link element are used to represent
state transitions using a stateless approach. In Atom a type of link state transitions using a stateless approach. In Atom a type of link
relationship can be defined using the "rel" attribute. The following relationship can be defined using the "rel" attribute.
are link relations that provide state transitions related to a ROLIE
Atom feed.
o "service" - Indicates that the href value of the link identifies a
resource IRI that can be used to retrieve an Atom Service Document
associated with the feed. A feed MUST include one or more links
with rel="service" to point to the service document(s) that are
associated with the feed. The "service" link relationship type is
defined in the IANA Link Relations Registry [1].
o "search" - Indicates that the href value of the link identifies a
resource IRI that can be used to search through the containing
feed and related resources. A feed MAY include one or more links
with rel="search" to point TBD. The "search" link relationship
type is defined in the IANA Link Relations Registry [2].
An atom:feed MAY include additional link relationships not specified
in this document. If a client encounters an unknown link
relationship type, the client MUST ignore the unrecognized link and
continue processing the remaining resource representation as if the
unrecognized link element did not appear.
The Feed Paging and Archiving [RFC5005] Atom extension provides A ROLIE atom:feed MUST contain one or more atom:link elements with
capabilities for paging and archiving of feeds. rel="service" and href attribute whose value is a IRI that points to
an Atom Service Document associated with the atom:feed. When a
client is presented with a Feed as its initial view into a
repository, a link with the service relationship provides a means to
discover additional security automation information. The "service"
link relationship is defined in the IANA Link Relations Registry [1].
A atom:feed can contain an arbitrary number of entries. In some An atom:feed can contain an arbitrary number of Entries. In some
cases, a complete feed may consist of a large number of entries. cases, a complete Feed may consist of a large number of Entries.
Additionally, as new and updated entries are ordered at the beginning Additionally, as new and updated Entries are ordered at the beginning
of a feed, a client may only be interested in retriving the first X of a Feed, a client may only be interested in retrieving the first N
entries in a feed to process only the entries that have changed since entries in a Feed to process only the Entries that have changed since
the last access to a ROLIE repository feed. As a practical matter, the last retrieval of the Feed. As a practical matter, a large set
the full result set will likely need to be divided into more of Entries will likely need to be divided into more manageable
manageable portions. Based on RFC5005 section 3 [RFC5005], the links portions. Based on RFC5005 section 3 [RFC5005], link elements SHOULD
SHOULD be included in all feeds to support paging using the following be included in all Feeds to support paging using the following link
link relation types: relation types:
o "first" - Indicates that the href value of the link identifies a o "first" - Indicates that the href attribute value of the link
resource IRI for the furthest preceding page of the feed. identifies a resource IRI for the furthest preceding page of the
Feed.
o "last" - Indicates that the href value of the link identifies a o "last" - Indicates that the href attribute value of the link
resource IRI for the furthest following page of the feed. identifies a resource IRI for the furthest following page of the
Feed.
o "previous" - Indicates that the href value of the link identifies o "previous" - Indicates that the href attribute value of the link
a resource IRI for the immediately preceeding page of the feed. identifies a resource IRI for the immediately preceding page of
the Feed.
o "next" - Indicates that the href value of the link identifies a o "next" - Indicates that the href attribute value of the link
resource IRI for the immediately following page of the feed. identifies a resource IRI for the immediately following page of
the Feed.
For example: For example:
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"> <feed xmlns="http://www.w3.org/2005/Atom">
<id>b7f65304-b63b-4246-88e2-c104049c5fd7</id>
<title>Paged Feed</title> <title>Paged Feed</title>
<link rel="self" href="http://example.org/feedA?page=5"/> <link rel="self" href="http://example.org/feedA?page=5"/>
<link rel="first" href="http://example.org/feedA?page=1"/> <link rel="first" href="http://example.org/feedA?page=1"/>
<link rel="prev" href="http://example.org/feedA?page=4"/> <link rel="prev" href="http://example.org/feedA?page=4"/>
<link rel="next" href="http://example.org/feedA?page=6"/> <link rel="next" href="http://example.org/feedA?page=6"/>
<link rel="last" href="http://example.org/feedA?page=10"/> <link rel="last" href="http://example.org/feedA?page=10"/>
<updated>2012-05-04T18:13:51.0Z</updated> <updated>2012-05-04T18:13:51.0Z</updated>
<!-- remainder of feed elements --> <!-- remainder of feed elements -->
</feed> </feed>
Example Paged Feed Example Paged Feed
An historical feed may need to be stable, and/or divided into some A reference to a historical Feed may need to be stable, and/or a Feed
defined epochs. Implementations SHOULD support the mechanisms may need to be divided into a series of defined epochs.
described in RFC5005 section 4 [RFC5005] to provide capabilities for Implementations SHOULD support the mechanisms described in RFC5005
maintaining archiving of feeds. section 4 [RFC5005] to provide link-based state transitions for
maintaining archiving of Feeds.
An atom:feed MAY include additional link relationships not specified
in this document. If a client encounters an unknown link
relationship type, the client MUST ignore the unrecognized link and
continue processing as if the unrecognized link element did not
appear. The definition of new Link relations that provide additional
state transition extensions is discussed in section 7.3.
6.1.3. Use of the "atom:updated" Element 6.1.3. Use of the "atom:updated" Element
The atom:updated element MUST be populated with the current time at The atom:updated element MUST be populated with the current time at
the instant the feed representation was last updated by adding, the instant the Feed representation was last updated by adding,
updating, or deleting an entry; or changing any metadata for the updating, or deleting an Entry; or changing any metadata for the
feed. Feed.
6.2. Use of the "atom:entry" Element 6.2. Use of the "atom:entry" Element
Each entry in an Atom feed, represented by the atom:entry element, Each Entry in an Atom Feed, represented by the atom:entry element,
describes a single information record, format, and type combination. describes a single information record, format, and type combination.
The following atom:entry schema definition represents a stricter The following atom:entry schema definition represents a stricter
representation of the atom:entry element defined in RFC 4287 for use representation of the atom:entry element defined in [RFC4287] for use
in a ROLE-based Atom Feed. in a ROLIE-based Atom Feed.
atomEntry = atomEntry =
element atom:entry { element atom:entry {
atomCommonAttributes, atomCommonAttributes,
(atomAuthor* (atomAuthor*
& atomCategory* & atomCategory*
& atomContent & atomContent
& atomContributor* & atomContributor*
& atomId & atomId
& atomLink* & atomLink*
skipping to change at page 16, line 43 skipping to change at page 16, line 26
& atomSource? & atomSource?
& atomSummary? & atomSummary?
& atomTitle & atomTitle
& atomUpdated & atomUpdated
& rolieFormat & rolieFormat
& extensionElement*) & extensionElement*)
} }
6.2.1. Use of the "atom:content" Element 6.2.1. Use of the "atom:content" Element
There MUST be exactly one atomContent element in the entry. The There MUST be exactly one atomContent element in the Entry. The
content element MUST adhere to this definition: content element MUST adhere to this definition, which is a stricter
representation of the atom:content element defined in [RFC4287]:
atomContent = atomContent =
element atom:content { element atom:content {
atomCommonAttributes, atomCommonAttributes,
attribute type { atomMediaType }, attribute type { atomMediaType },
attribute src { atomUri }, attribute src { atomUri },
empty empty
} }
The type attribute MUST be the serialization type of the content, for The type attribute MUST identify the serialization type of the
example, XML or JSON. The src attribute is a link to the payload. content, for example, application/xml or application/json. A
prefixed media type MAY be used to reflect a specific model used with
a given serialization approach (e.g., application/rdf+xml). The src
attribute MUST be an IRI that can be dereferenced to retrieve the
related content data.
6.2.2. Use of the "atom:link" Element 6.2.2. Use of the "atom:link" Element
There MAY be zero or more atom:link elements in the entry. The Link relations can be included in an atom:entry to represent state
content element MUST adhere to this definition: transitions for the Entry.
The link element follows the definition laid out in the Atom If there is a need to provide the same information in different data
Syndication Document. models and/or serialization formats, separate Entry instances can be
included in the same or a different Feed. Such an alternate content
representation can be indicated using an atom:link having a rel
attribute with the value "alternate".
If there entries with the same format and category but a different An atom:feed MAY include additional link relationships not specified
type, it MUST be linked to using the "alternate" link relation. in this document. If a client encounters an unknown link
relationship type, the client MUST ignore the unrecognized link and
continue processing as if the unrecognized link element did not
appear. The definition of new Link relations that provide additional
state transition extensions is discussed in section 7.3.
6.2.3. Use of the "rolie:format" Element 6.2.3. Use of the "rolie:format" Element
There MUST be exactly one rolie:format element in the Entry. This As mentioned earlier, a key goal of this specification is to allow a
format SHOULD be one of the formats listed under the category of this consumer to review a set of published security automation information
entry as discussed in the and Content Model section. The format is resources, and then identify and retrieve any resources of interest.
contained in the content of this tag. The format of the data is a key criteria to consider when deciding
what information to retrieve. For a given type of security
automation information, it is expected that a number of different
formats may be used to represent this information. To support this
use case, both the serialization format and the specific data model
expressed in that format must be known by the consumer.
6.3. Link Relations The rolie:format element is used to describe the data model used to
express the information referenced in the atom:content element of an
atom:entry. It also allows a schema to be identified that can be
used when parsing the content to verify or better understand the
structure of the content.
In addition to the standard Link Relations defined by the Atom There MUST be exactly one rolie:format element in an atom:entry. The
specification, this specification defines the following additional element MUST adhere to this definition:
Link Relation terms, which are introduced specifically in support of
the Resource-Oriented Lightweight Information Exchange protocol.
TODO: This section needs to be expanded. rolieFormat =
element rolie:format {
atomCommonAttributes,
attribute ns { atomURI },
attribute version { text } ?,
attribute schema-location { atomURI } ?,
attribute schema-type { atomMediaType } ?,
empty
}
7. Use of OpenSearch The rolie:format element MUST provide a "ns" attribute that
identifies the data model of the resource referenced by the
atom:content element. For example, the namespace used may be an XML
namespace URI, or an identifier that represents a serialized JSON
model. The URI used for the "ns" attribute value MUST be an absolute
or opaque URI. The resource identified by the URI need not be
resolvable.
Implementers MUST support OpenSearch 1.1 [opensearch] as the The rolie:format element MAY provide a "version" attribute that
mechanism for describing how clients may form search requests. identifies the version of the format used for the related
atom:content.
Implementers MUST provide a link with a relationship type of The rolie:format element MAY provide a "schema-location" element that
"search". This link SHALL return an Open Search Description Document is a URI that identifies a schema resource that can be used to
as defined in OpenSearch 1.1. validate the related atom:content.
Implementers MUST fully qualify all OpenSearch URL template parameter The rolie:format element MAY provide a "schema-type" element, which
names using the defined XML namespaces, as appropriate. is a mime type identifying the format of the schema resource
identified by the "schema-location" attribute.
8. Characterizing ROLIE Collections and Resources 6.2.4. Requirements for a Standalone Entry
This specification does not require a particular security automation If an Entry is ever shared as a standalone resource, separate from
information type or content format; rather, it provides extension its containing Feed, then the following additional requirements
points using IANA tables to allow for future extensions of supported apply:
information types and formats.
A given security automation information type is respresented using o The Entry MUST have a atom:link element with rel="collection" and
the "atom:category" element. In this way, an "atom:category" element href="[IRI of the containing Collection]". This allows the Feed
can be used to: or Feeds for which the Entry is a member to be discovered, along
with the related information the Feed may contain. In the case of
the Entry have multiple containing Feeds, the Entry MUST have one
atom:link for each related Feed.
o The Entry MUST declare the information-type of the content
resource referenced by the Entry (see Section 7.1.2).
7. Available Extension Points Provided by ROLIE
This specification does not require particular information types or
data formats, rather, ROLIE is intended to be extended by additional
specifications that add new categories and link relations. The
primary point of extension is through the information-type category,
which is used to enumerate the set of all types of information
supported by ROLIE. Additional specifications can register new
information-type records with IANA that serve as the main
characterizing feature of a ROLIE Collection or Resource. These
additional specifications defining new information-type values, can
describe requirements for including specific categories, link
relations, as well as, use of specific data formats supporting a
given information-type.
7.1. The Category Extension Point
The atom:category element, defined in RFC 4287 section 4.2.2
[RFC4287], provides a mechanism to provide additional categorization
information for a content resource in ROLIE. The ability to define
new categories is one of the core extension points provided by Atom.
A Category Document, defined in RFC 5023 section 7 [RFC5023],
provides a mechanism for an Atom repository to make discoverable the
atom:category terms and allowed values used by a given repository.
ROLIE adds to this existing Atom extension mechanism by allowing
ROLIE specific category extensions to be registered with IANA, and
additionally has assigned an information-type category that has
special meaning for implementations of ROLIE. These aspects are
discussed in the following subsections.
7.1.1. General Use of the "atom:category" Element
The atom:category element can be used for characterizing a ROLIE
Resource. As discussed earlier in this document, an atom:category
element has a "term" attribute that indicates the assigned category
value, and a "scheme" attribute that provides an identifier for the
category type. The "scheme" provides a means to describe how a set
of category terms should be used and provides a namespace that can be
used to differentiate terms provided by multiple organizations with
different semantic meaning.
To further differentiate category types used in ROLIE, an IANA sub-
registry has been established for ROLIE protocol parameters to
support the registration of new category "scheme" attribute values by
ROLIE extension specifications. Use of this extension point is
discussed in section 8.3.
7.1.2. Identification of Security Automation Information Types
A ROLIE specific extension point is provided through the
atom:category "scheme" value
"urn:ietf:params:rolie:category:information-type". This value is a
Uniform Resource Name (URN) [RFC2141] that is registered with IANA as
described in section 8.3. When used as the "scheme" attribute in
this way, the "term" attribute is expected to be a registered value
as defined in section Section 8.4. Through this mechanism a given
security automation information type can be used to:
1. identify that an "app:collection" element in a Service Document 1. identify that an "app:collection" element in a Service Document
points to an Atom feed that contains entries pertaining to a points to an Atom Feed that contains entries pertaining to a
specific type of security automation information (see section specific type of security automation information (see section
5.1.2), or 5.1.2), or
2. identify that an "atom:feed" element in an Atom feed contains 2. identify that an "atom:feed" element in an Atom Feed contains
entries pertaining to a specific type of security automation entries pertaining to a specific type of security automation
information (see section 6.1.1). information (see section 6.1.1).
As mentioned earlier, a key goal of this specification is to allow a 3. identify the information-type of a standalone Resource (see
consumer to identify security automation information resources of section 6.2.4).
interest, and then choose a suitable format of the information to
retrieve. For a given type of security automation information, it is
expected that a number of different formats may be used to represent
this information. To support this use case, both the serialization
format and the specific data model expressed in that format must be
known by the consumer.
The following sections describe how information types are defined and For example, the notional security automation information type
used, and how specific content formats are declared in ROLIE. "incident" would be identified as follows:
8.1. Identification of Security Automation Information Types <atom:category
scheme="urn:ietf:params:rolie:category:information-type"
term="incident"/>
A security automation information type represents a class of A security automation information type represents a class of
information that represents the same or similar information model information that represents the same or similar information model
[RFC3444]. Notional examples of information types include: [RFC3444]. Notional examples of information types include:
indicator: Computing device- or network-related "observable features indicator: Computing device- or network-related "observable features
and phenomenon that aid in the forensic or proactive detection of and phenomenon that aid in the forensic or proactive detection of
malicious activity; and associated meta-data" (from malicious activity; and associated meta-data" (from
[I-D.ietf-mile-rfc5070-bis]). [I-D.ietf-mile-rfc5070-bis]).
skipping to change at page 19, line 14 skipping to change at page 20, line 36
vulnerability reports: Information identifying and describing a vulnerability reports: Information identifying and describing a
vulnerability in hardware or software. vulnerability in hardware or software.
configuration checklists: Content that can be used to assess the configuration checklists: Content that can be used to assess the
configuration settings related to installed software. configuration settings related to installed software.
software tags: Metadata used to identify and characterize software tags: Metadata used to identify and characterize
installable software. installable software.
This is a short list to inspire thought on possible information This is a short list to inspire new engineering of information type
types, which will also include other information used to automate extensions that support the automation of security processes.
security processes.
This document does not specific any information types. Instead, This document does not specific any information types. Instead,
information types in ROLIE are expected to be defined in extension information types in ROLIE are expected to be registered in extension
documents that describe one or more new information types. This documents that describe one or more new information types. This
allows the information types used by ROLIE implementations to grow allows the information types used by ROLIE implementations to grow
over time to support new security automation use cases. These over time to support new security automation use cases. These
extension documents may also enhance ROLIE resource representations extension documents may also enhance ROLIE Resource representations
by defining link relations, categories, and other AtomPub and Atom by defining link relations, other categories, and other AtomPub and
Syndication Format data model extensions to address the Atom Syndication Format data model extensions to address the
representational needs of specific information types. New representational needs of these specific information types. New
information types are added to ROLIE through registrations to the information types are added to ROLIE through registrations to the
IANA Security Resource Information Type registry defined in section IANA ROLIE Security Resource Information Type registry defined in
10.3. section 8.4.
8.2. General Use of the "atom:category" Element
The core extension point within this specification is the ability to
define different security automation information types, which can be
used to characterize the type of information contained in a ROLIE
resource collection. The information type of a resource collection
is characterized using an "atom:category" element with a "scheme"
attribute value of "urn:ietf:params:rolie:information-type", and a
"term" attribute value identifying the specific information type
declared.
For example, the security automation information type "incident"
would be identified as follows:
<atom:category scheme="urn:ietf:params:rolie:information-type"
term="incident"/>
The Uniform Resource Name (URN) [RFC2141]
"urn:ietf:params:rolie:information-type" is registered with IANA as
described in section 10.2.
Registered security automation information type values are defined in
the IANA table described in section 10.3.
8.3. Identification of Security Automation Information Formats
A given information type may have a number of supported formats. 7.2. The "rolie:format" Extension Point
Each format is expected to have a specification that defines the data
model for the format. As described in section 6.2.3, the
"rolie:format" element is used to describe the specific data model
used to represent the resource referenced by a given "atom:entry".
By declaring the data model used in this way, a consumer can choose
to download or ignore the resource, or look for alternate formats.
This saves the consumer from downloading and parsing resources that
the consumer is not interested in or resources expressed in formats
that are not understandable by the consumer.
TODO: Need to describe the structure and use of the rolie:format Security automation data pertaining to a given information type may
element. be expressed using a number of supported formats. As described in
section 6.2.3, the rolie:format element is used to describe the
specific data model used to represent the Resource referenced by a
given "atom:entry". The structure provided by the rolie:format
element, provides a mechanism for extension within the atom:entry
model. ROLIE extensions MAY further restrict which data models are
allowed to be used for a given information-type
9. Formal Syntax for the ROLIE Schema By declaring the data model used for a given Resource, a consumer can
choose to download or ignore the resource, or look for alternate
formats. This saves the consumer from downloading and parsing
resources that the consumer is not interested in or resources
expressed in formats that are not supported by the consumer.
TODO: define a schema for the "rolie:format" element. 7.3. The Link Relation Extension Point
10. IANA Considerations TODO This document uses several link relations defined in the IANA Link
Relation Types registry [2]. Additional link relations can be
registered in this registry to allow new relationships to be
represented in ROLIE according to RFC 4287 section 4.2.7.2 [RFC4287].
Based on the preceding reference, if the link relation is too
specific or limited in the intended use, an absolute IRI can be used
in lieu of registering a new simple name with IANA.
This document defines a resource-oriented approach to security 8. IANA Considerations
information sharing, where such information may include a variety of
security resource categories, such as software identifiers (e.g.
tags), incident reports, configuration assessment guidance,
vulnerability assessment guidance, and so on.
TODO: Complete registration request specifics. This document has a number of IANA considerations described in the
following subsections.
10.1. XML Namespaces and Schema URNs 8.1. XML Namespaces and Schema URNs
This document uses URNs to describe XML namespaces and XML schemas This document uses URNs to describe XML namespaces and XML schemas
conforming to a registry mechanism described in [RFC3688]. conforming to a registry mechanism described in [RFC3688].
ROLIE XML Namespace The ROLIE namespace (rolie-1.0) has been ROLIE XML Namespace The ROLIE namespace (rolie-1.0) has been
registered in the "ns" registry. registered in the "ns" registry.
URI: urn:ietf:params:xml:ns:rolie-1.0 URI: urn:ietf:params:xml:ns:rolie-1.0
Registrant Contact: IESG Registrant Contact: IESG
XML: None. Namespace URIs do not represent an XML specification. XML: None. Namespace URIs do not represent an XML specification.
ROLIE XML Schema The ROLIE schema (rolie-1.0) has been registered in ROLIE XML Schema The ROLIE schema (rolie-1.0) has been registered in
the "schema" registry. the "schema" registry.
URI: urn:ietf:params:xml:schema:rolie-1.0 URI: urn:ietf:params:xml:schema:rolie-1.0
Registrant Contact: IESG Registrant Contact: IESG
XML: See section 9 of this document. XML: See section A of this document.
10.2. ROLIE Parameters 8.2. ROLIE URN Sub-namespace
ROLIE uses URNs to represent category schemes. This section creates IANA has added an entry to the "IETF URN Sub-namespace for Registered
and registers an IETF URN sub-namespace for use in ROLIE Protocol Parameter Identifiers" registry located at
specifications and future extensions. <http://www.iana.org/assignments/params/params.xml#params-1> as per
RFC3553 [RFC3553].
TODO: Add entry for: "urn:ietf:params:rolie:category:information- The entry is as follows:
type"
10.3. Security Resource Information Type Registry Registry name: rolie
This document creates the following registry for IANA to manage: Specification: This document
Name of Registry: "Security Resource Information Type" Repository: ROLIE URN Parameters. See Section 8.3 [TO BE REMOVED:
This registration should take place at the following location:
https://www.iana.org/assignments/rolie]
Location of Registry: https://www.iana.org/assignments/security- Index value: See Section 8.3
resource-information-type
Fields to record in the registry: 8.3. ROLIE URN Parameters
Full Name: The full name of the security resource information A new top-level registry has been created, entitled "Resource
type as a string from the printable ASCII character set RFC0020 Oriented Lightweight Information Exchange (ROLIE) Parameters". [TO
with individual embedded spaces allowed. The ABNF RFC5234 BE REMOVED: This registration should take place at the following
syntax for this field is: location: https://www.iana.org/assignments/rolie]
1*VCHAR *(SP 1*VCHAR) In this top-level registry, a sub-registry entitled "ROLIE URN
Parameters" has been created. Registration in this repository is via
the Specification Required policy [RFC5226]. Designated Expert
reviews should be routed through the MILE WG mailing list. Failing
this, the Designated Expert will be assigned by the IESG.
Security Resource Index: This is an IANA-assigned positive Each entry in this sub-registry must record the following fields:
integer that identifies the registration. The first entry
added to this registry uses the value 1, and this value is
incremented for each subsequent entry added to the registry.
Description: A complete description of the security resource Name: A URN segment that adheres to the pattern {type}:{label}.
information type as a string from the printable ASCII character The keywords are defined as follows:
set RFC0020 with individual embedded spaces allowed. The ABNF
RFC5324 syntax for this field is:
1*VCHAR *(SP 1*VCHAR) {type}: The parameter type. The allowed values are "category"
and "format". "category" denotes a category extension as
discussed in Section 7.1, "format" denotes a additional
supported format as discussed in Section 7.2.
Specification URI/Reference: A list of one or more URIs {label}: A required US-ASCII string that conforms to the URN
[RFC3986] from which the registered specification can be syntax requirements (see [RFC2141]). This string must be
obtained. The registered specification MUST be readily and unique within the namespace defined by the {type} keyword.
publicly available from that URI. The URI SHOULD be a stable
reference.
Initial registry contents: None. Extension IRI: The identifier to use within ROLIE, which is the
full URN using the form: urn:ietf:params:rolie:{name}, where
{name} is the "name" field of this registration.
Allocation Policy: Specification required RFC5226 (which implies Reference: A static link to the specification and section that the
expert review RFC5226). definition of the parameter can be found.
The Designated Expert is expected to consult with the MILE (Managed Sub-registry: An optional field that links to an IANA sub-registry
Incident Lightweight Exchange) working group or is successor if any for this parameter. If the {type} is "category", the sub-registry
such WG exists (e.g., via email to the working group's mailing list). must contain a "name" field whose registered values MUST be US-
The Designated Expert is expected to review the request and validate ASCII. The list of names are the allowed values of the "term"
the appropriateness of the name, description, and associated attribute in the atom:category element. (See Section 7.1.2).
specifications for the security resource category.
11. Security Considerations TODO This repository has the following initial values:
This document defines a resource-oriented approach to lightweight +-----------+--------------------+------+---------------------------+
information exchange using HTTP, TLS, Atom Syndicate Format, and Atom | Name | Extension IRI | Refe | Sub-Registry |
Publishing Protocol. As such, implementers must understand the | | | renc | |
security considerations described in those specifications. | | | e | |
+-----------+--------------------+------+---------------------------+
| category: | urn:ietf:params:ro | This | [TO BE REMOVED: This |
| informati | lie:category | docu | registration should take |
| on-type | :information-type | ment | place at the following |
| | | , Se | location: https://www.ian |
| | | ctio | a.org/assignments/rolie/c |
| | | n | ategory/information-type] |
| | | 9.4 | |
+-----------+--------------------+------+---------------------------+
In addition, there are a number of additional security considerations 8.4. ROLIE Security Resource Information Type Sub-Registry
that are unique to this specification.
A new sub-registry has been created to store ROLIE information-type
values.
Name of Registry: "ROLIE Information-Types"
Location of Registry:
https://www.iana.org/assignments/rolie/category/information-type
Fields to record in the registry:
name: The full name of the security resource information type
as a string from the printable ASCII character set [RFC0020]
with individual embedded spaces allowed. The ABNF [RFC5234]
syntax for this field is:
1*VCHAR *(SP 1*VCHAR)
index: This is an IANA-assigned positive integer that
identifies the registration. The first entry added to this
registry uses the value 1, and this value is incremented for
each subsequent entry added to the registry.
reference: A list of one or more URIs [RFC3986] from which the
registered specification can be obtained. The registered
specification MUST be readily and publicly available from that
URI. The URI SHOULD be a stable reference.
Allocation Policy: Specification required as per [RFC5226]
9. Security Considerations
This document defines a resource-oriented approach for lightweight
information exchange using HTTP over TLS, the Atom Syndication
Format, and the Atom Publishing Protocol. As such, implementers must
understand the security considerations described in those
specifications. All that follows is guidance, more specific
instruction is out of scope for this document and will be located in
a dedicated informational document.
All security measures SHOULD be enforced at the source, that is, a
provider SHOULD NOT return any Feed content or member Entry content
for which the client identity has not been specifically
authenticated, authorized, and audited.
The approach described herein is based upon all policy enforcements The approach described herein is based upon all policy enforcements
being implemented at the point when a resource representation is being implemented at the point when a resource representation is
created. As such, producers sharing cyber security information using created. As such, producers sharing cyber security information using
this specification must take care to authenticate their HTTP clients this specification must take care to authenticate their HTTP clients
using a suitably strong user authentication mechanism. Sharing using a suitably strong user authentication mechanism. Sharing
communities that are exchanging information on well-known indicators communities that are exchanging information on well-known indicators
and incidents for purposes of public education may choose to rely and incidents for purposes of public education may choose to rely
upon, e.g. HTTP Authentication, or similar. However, sharing upon HTTP Authentication or similar. However, sharing communities
communities that are engaged in sensitive collaborative analysis and/ that are engaged in sensitive collaborative analysis and/or
or operational response for indicators and incidents targeting high operational response for indicators and incidents targeting high
value information systems should adopt a suitably stronger user value information systems should adopt a suitably stronger user
authentication solution, such as TLS client certificates, or a risk- authentication solution, such as a risk-based or multi-factor
based or multi-factor approach. In general, trust in the sharing approach. In general, trust in the sharing consortium will depend
consortium will depend upon the members maintaining adequate user upon the members maintaining adequate user authentication mechanisms.
authentication mechanisms.
Collaborating consortiums may benefit from the adoption of a Collaborating consortiums may benefit from the adoption of a
federated identity solution, such as those based upon SAML-core federated identity solution, such as those based upon SAML-core
[SAML-core] and SAML-bind [SAML-bind] and SAML-prof [SAML-prof] for [SAML-core] and SAML-bind [SAML-bind] and SAML-prof [SAML-prof] for
Web-based authentication and cross-organizational single sign-on. Web-based authentication and cross-organizational single sign-on.
Dependency on a trusted third party identity provider implies that Dependency on a trusted third party identity provider implies that
appropriate care must be exercised to sufficiently secure the appropriate care must be exercised to sufficiently secure the
Identity provider. Any attacks on the federated identity system Identity provider. Any attacks on the federated identity system
would present a risk to the CSIRT, as a relying party. Potential would present a risk to the CSIRT, as a relying party. Potential
mitigations include deployment of a federation-aware identity mitigations include deployment of a federation-aware identity
provider that is under the control of the information sharing provider that is under the control of the information sharing
consortium, with suitably stringent technical and management consortium, with suitably stringent technical and management
controls. controls.
skipping to change at page 23, line 16 skipping to change at page 25, line 18
Web-based authentication and cross-organizational single sign-on. Web-based authentication and cross-organizational single sign-on.
Dependency on a trusted third party identity provider implies that Dependency on a trusted third party identity provider implies that
appropriate care must be exercised to sufficiently secure the appropriate care must be exercised to sufficiently secure the
Identity provider. Any attacks on the federated identity system Identity provider. Any attacks on the federated identity system
would present a risk to the CSIRT, as a relying party. Potential would present a risk to the CSIRT, as a relying party. Potential
mitigations include deployment of a federation-aware identity mitigations include deployment of a federation-aware identity
provider that is under the control of the information sharing provider that is under the control of the information sharing
consortium, with suitably stringent technical and management consortium, with suitably stringent technical and management
controls. controls.
All security measures MUST be enforced at the source, that is, a
provider SHALL NOT return any feed content or member entry content
for which the client identity has not been specifically
authenticated, authorized, and audited.
Sharing communities that have a requirement for forward message
security (such that client systems are required to participate in
providing message level security and/or distributed authorization
policy enforcement), MUST use TODO.
The implementation details of the authorization scheme chosen by a
ROLIE-compliant provider are out of scope for this specification.
Implementers are free to choose any suitable authorization mechanism
that is capable of fulfilling the policy enforcement requirements
relevant to their consortium and/or organization.
Authorization of resource representations is the responsibility of Authorization of resource representations is the responsibility of
the source system, i.e. based on the authenticated user identity the source system, i.e. based on the authenticated user identity
associated with an HTTP(S) request. The required authorization associated with an HTTP(S) request. The required authorization
policies that are to be enforced must therefore be managed by the policies that are to be enforced must therefore be managed by the
security administrators of the source system. Various authorization security administrators of the source system. Various authorization
architectures would be suitable for this purpose, such as RBAC [3] architectures would be suitable for this purpose, such as RBAC [3]
and/or ABAC, as embodied in XACML [XACML]. In particular, and/or ABAC, as embodied in XACML [XACML]. In particular,
implementers adopting XACML may benefit from the capability to implementers adopting XACML may benefit from the capability to
represent their authorization policies in a standardized, represent their authorization policies in a standardized,
interoperable format. interoperable format. Note that implementers are free to choose any
suitable authorization mechanism that is capable of fulfilling the
policy enforcement requirements relevant to their consortium and/or
organization.
Additional security requirements such as enforcing message-level Additional security requirements such as enforcing message-level
security at the destination system could supplement the security security at the destination system could supplement the security
enforcements performed at the source system, however these enforcements performed at the source system, however these
destination-provided policy enforcements are out of scope for this destination-provided policy enforcements are out of scope for this
specification. Implementers requiring this capability should specification. Implementers requiring this capability should
consider leveraging, e.g. the <RIDPolicy> element in the RID schema. consider leveraging, e.g. the <RIDPolicy> element in the RID schema.
Refer to RFC6545 section 9 for more information. Refer to RFC6545 section 9 for more information.
When security policies relevant to the source system are to be When security policies relevant to the source system are to be
skipping to change at page 24, line 24 skipping to change at page 26, line 13
document will enable users to more easily perform correlations across document will enable users to more easily perform correlations across
separate, and potentially unrelated, cyber security information separate, and potentially unrelated, cyber security information
providers. A client may succeed in assembling a data set that would providers. A client may succeed in assembling a data set that would
not have been permitted within the context of the authorization not have been permitted within the context of the authorization
policies of either provider when considered individually. Thus, policies of either provider when considered individually. Thus,
providers may face a risk of an attacker obtaining an access that providers may face a risk of an attacker obtaining an access that
constitutes an undetected separation of duties (SOD) violation. It constitutes an undetected separation of duties (SOD) violation. It
is important to note that this risk is not unique to this is important to note that this risk is not unique to this
specification, and a similar potential for abuse exists with any specification, and a similar potential for abuse exists with any
other cyber security information sharing protocol. However, the wide other cyber security information sharing protocol. However, the wide
availability of tools for HTTP clients and Atom feed handling implies availability of tools for HTTP clients and Atom Feed handling implies
that the resources and technical skills required for a successful that the resources and technical skills required for a successful
exploit may be less than it was previously. This risk can be best exploit may be less than it was previously. This risk can be best
mitigated through appropriate vetting of the client at account mitigated through appropriate vetting of the client at account
provisioning time. In addition, any increase in the risk of this provisioning time. In addition, any increase in the risk of this
type of abuse should be offset by the corresponding increase in type of abuse should be offset by the corresponding increase in
effectiveness that this specification affords to the defenders. effectiveness that this specification affords to the defenders.
While it is a goal of this specification to enable more agile cyber 10. Acknowledgements
security information sharing across a broader and varying
constituency, there is nothing in this specification that necessarily
requires this type of deployment. A cyber security information
sharing consortium may chose to adopt this specification while
continuing to operate as a gated community with strictly limited
membership.
12. Acknowledgements
The author gratefully acknowledges the valuable contributions of Tom The authors gratefully acknowledge the valuable contributions of Tom
Maguire, Kathleen Moriarty, and Vijayanand Bharadwaj. These Maguire, Kathleen Moriarty, and Vijayanand Bharadwaj. These
individuals provided detailed review comments on earlier drafts, and individuals provided detailed review comments on earlier drafts, and
many suggestions that have helped to improve this document . made many suggestions that have helped to improve this document.
13. References 11. References
13.1. Normative References
11.1. Normative References
[RFC0020] Cerf, V., "ASCII format for network interchange", STD 80,
RFC 20, DOI 10.17487/RFC0020, October 1969,
<http://www.rfc-editor.org/info/rfc20>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004, DOI 10.17487/RFC3688, January 2004,
<http://www.rfc-editor.org/info/rfc3688>. <http://www.rfc-editor.org/info/rfc3688>.
skipping to change at page 25, line 42 skipping to change at page 27, line 27
[RFC5070] Danyliw, R., Meijer, J., and Y. Demchenko, "The Incident [RFC5070] Danyliw, R., Meijer, J., and Y. Demchenko, "The Incident
Object Description Exchange Format", RFC 5070, Object Description Exchange Format", RFC 5070,
DOI 10.17487/RFC5070, December 2007, DOI 10.17487/RFC5070, December 2007,
<http://www.rfc-editor.org/info/rfc5070>. <http://www.rfc-editor.org/info/rfc5070>.
[RFC6546] Trammell, B., "Transport of Real-time Inter-network [RFC6546] Trammell, B., "Transport of Real-time Inter-network
Defense (RID) Messages over HTTP/TLS", RFC 6546, Defense (RID) Messages over HTTP/TLS", RFC 6546,
DOI 10.17487/RFC6546, April 2012, DOI 10.17487/RFC6546, April 2012,
<http://www.rfc-editor.org/info/rfc6546>. <http://www.rfc-editor.org/info/rfc6546>.
[RFC3553] Mealling, M., Masinter, L., Hardie, T., and G. Klyne, "An
IETF URN Sub-namespace for Registered Protocol
Parameters", BCP 73, RFC 3553, DOI 10.17487/RFC3553, June
2003, <http://www.rfc-editor.org/info/rfc3553>.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226,
DOI 10.17487/RFC5226, May 2008,
<http://www.rfc-editor.org/info/rfc5226>.
[W3C.REC-xml-names-20091208] [W3C.REC-xml-names-20091208]
Bray, T., Hollander, D., Layman, A., Tobin, R., and H. Bray, T., Hollander, D., Layman, A., Tobin, R., and H.
Thompson, "Namespaces in XML 1.0 (Third Edition)", World Thompson, "Namespaces in XML 1.0 (Third Edition)", World
Wide Web Consortium Recommendation REC-xml-names-20091208, Wide Web Consortium Recommendation REC-xml-names-20091208,
December 2009, December 2009,
<http://www.w3.org/TR/2009/REC-xml-names-20091208>. <http://www.w3.org/TR/2009/REC-xml-names-20091208>.
[RFC7589] Badra, M., Luchuk, A., and J. Schoenwaelder, "Using the
NETCONF Protocol over Transport Layer Security (TLS) with
Mutual X.509 Authentication", RFC 7589,
DOI 10.17487/RFC7589, June 2015,
<http://www.rfc-editor.org/info/rfc7589>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<http://www.rfc-editor.org/info/rfc5280>.
[RFC4642] Murchison, K., Vinocur, J., and C. Newman, "Using
Transport Layer Security (TLS) with Network News Transfer
Protocol (NNTP)", RFC 4642, DOI 10.17487/RFC4642, October
2006, <http://www.rfc-editor.org/info/rfc4642>.
[relax-NG] [relax-NG]
Clark, J., Ed., "RELAX NG Compact Syntax", 11 2002, Clark, J., Ed., "RELAX NG Compact Syntax", 11 2002,
<https://www.oasis-open.org/committees/relax-ng/compact- <https://www.oasis-open.org/committees/relax-ng/compact-
20021121.html>. 20021121.html>.
[opensearch]
Clinton, D., "OpenSearch 1.1 draft 5 specification", OASIS
Committee Specification saml-core-2.0-os, 2011,
<http://www.opensearch.org/Specifications/OpenSearch/1.1>.
[SAML-core] [SAML-core]
Cantor, S., Kemp, J., Philpott, R., and E. Maler, Cantor, S., Kemp, J., Philpott, R., and E. Maler,
"Assertions and Protocol for the OASIS Security Assertion "Assertions and Protocol for the OASIS Security Assertion
Markup Language (SAML) V2.0", OASIS Standard saml-core- Markup Language (SAML) V2.0", OASIS Standard saml-core-
2.0-os, March 2005, <http://docs.oasis- 2.0-os, March 2005, <http://docs.oasis-
open.org/security/saml/v2.0/saml-core-2.0-os.pdf>. open.org/security/saml/v2.0/saml-core-2.0-os.pdf>.
[SAML-prof] [SAML-prof]
Hughes, J., Cantor, S., Hodges, J., Hirsch, F., Mishra, Hughes, J., Cantor, S., Hodges, J., Hirsch, F., Mishra,
P., Philpott, R., and E. Maler, "Profiles for the OASIS P., Philpott, R., and E. Maler, "Profiles for the OASIS
skipping to change at page 26, line 37 skipping to change at page 28, line 43
<http://docs.oasis-open.org/security/saml/v2.0/ <http://docs.oasis-open.org/security/saml/v2.0/
saml-profiles-2.0-os.pdf>. saml-profiles-2.0-os.pdf>.
[SAML-bind] [SAML-bind]
Cantor, S., Hirsch, F., Kemp, J., Philpott, R., and E. Cantor, S., Hirsch, F., Kemp, J., Philpott, R., and E.
Maler, "Bindings for the OASIS Security Assertion Markup Maler, "Bindings for the OASIS Security Assertion Markup
Language (SAML) V2.0", OASIS Standard saml-bindings- Language (SAML) V2.0", OASIS Standard saml-bindings-
2.0-os, March 2005, <http://docs.oasis- 2.0-os, March 2005, <http://docs.oasis-
open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf>. open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf>.
13.2. Informative References 11.2. Informative References
[RFC2141] Moats, R., "URN Syntax", RFC 2141, DOI 10.17487/RFC2141, [RFC2141] Moats, R., "URN Syntax", RFC 2141, DOI 10.17487/RFC2141,
May 1997, <http://www.rfc-editor.org/info/rfc2141>. May 1997, <http://www.rfc-editor.org/info/rfc2141>.
[RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between [RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between
Information Models and Data Models", RFC 3444, Information Models and Data Models", RFC 3444,
DOI 10.17487/RFC3444, January 2003, DOI 10.17487/RFC3444, January 2003,
<http://www.rfc-editor.org/info/rfc3444>. <http://www.rfc-editor.org/info/rfc3444>.
[RFC6545] Moriarty, K., "Real-time Inter-network Defense (RID)",
RFC 6545, DOI 10.17487/RFC6545, April 2012,
<http://www.rfc-editor.org/info/rfc6545>.
[I-D.ietf-mile-rfc5070-bis] [I-D.ietf-mile-rfc5070-bis]
Danyliw, R., "The Incident Object Description Exchange Danyliw, R., "The Incident Object Description Exchange
Format v2", draft-ietf-mile-rfc5070-bis-25 (work in Format v2", draft-ietf-mile-rfc5070-bis-26 (work in
progress), June 2016. progress), October 2016.
[RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234,
DOI 10.17487/RFC5234, January 2008,
<http://www.rfc-editor.org/info/rfc5234>.
[xmldsig] Bartel, M., Boyer, J., Fox, B., LaMacchia, B., and E.
Simon, "XML Signature Syntax and Processing (Second
Edition)", June 2008, <https://www.w3.org/TR/xmldsig-
core/>.
[xmlenc] Imamura, T., Dillaway, B., and E. Simon, "XML Encryption
Syntax and Processing", December 2002,
<https://www.w3.org/TR/xmlenc-core/>.
[XACML] Rissanen, E., "eXtensible Access Control Markup Language [XACML] Rissanen, E., "eXtensible Access Control Markup Language
(XACML) Version 3.0", August 2010, <http://docs.oasis- (XACML) Version 3.0", August 2010, <http://docs.oasis-
open.org/xacml/3.0/xacml-3.0-core-spec-cs-01-en.pdf>. open.org/xacml/3.0/xacml-3.0-core-spec-cs-01-en.pdf>.
[REST] Fielding, R., "Architectural Styles and the Design of [REST] Fielding, R., "Architectural Styles and the Design of
Network-based Software Architectures", 2000, Network-based Software Architectures", 2000,
<http://www.ics.uci.edu/~fielding/pubs/dissertation/ <http://www.ics.uci.edu/~fielding/pubs/dissertation/
top.htm>. top.htm>.
13.3. URIs 11.3. URIs
[1] https://www.iana.org/assignments/link-relations/link- [1] https://www.iana.org/assignments/link-relations/link-
relations.xhtml relations.xhtml
[2] https://www.iana.org/assignments/link-relations/link- [2] https://www.iana.org/assignments/link-relations/link-
relations.xhtml relations.xhtml
[3] http://csrc.nist.gov/groups/SNS/rbac/ [3] http://csrc.nist.gov/groups/SNS/rbac/
Appendix A. Use Case Examples Appendix A. Relax NG Compact Schema for ROLIE
A.1. Service Discovery This appendix is informative.
The Relax NG schema below defines the rolie:format element.
# -*- rnc -*-
# RELAX NG Compact Syntax Grammar for the rolie:format element
namespace rolie = "urn:ietf:params:xml:ns:rolie-1.0"
namespace atom = "http://www.w3.org/2005/Atom"
# rolie:format
rolieFormat =
element rolie:format {
atom:atomCommonAttributes,
attribute ns { atom:atomURI },
attribute version { text } ?,
attribute schema-location { atom:atomURI } ?,
attribute schema-type { atom:atomMediaType } ?,
empty
}
Appendix B. Examples of Use
B.1. Service Discovery
This section provides a non-normative example of a client doing This section provides a non-normative example of a client doing
service discovery. TODO: Standardize location of doc? service discovery.
An Atom service document enables a client to dynamically discover An Atom service document enables a client to dynamically discover
what feeds a particular publisher makes available. Thus, a provider what Feeds a particular publisher makes available. Thus, a provider
uses an Atom service document to enable clients or other authorized uses an Atom service document to enable clients or other authorized
parties to determine what specific information the provider makes parties to determine what specific information the provider makes
available to the community. The service document could be made available to the community. While the service document is at a
available at any well known location, such as via a link from the required location, the service document could also be made available
CSIRT's home page. One common technique is to include a link in the at any well known location, such as via a link from the producer's
<HEAD> section of the organization's home page, as shown below: home page.
Example of bootstrapping Service Document discovery:
<link rel="introspection"
type="application/atomsvc+xml"
title="Atom Publishing Protocol Service Document"
href="/csirt/svcdoc.xml" />
A client may then format an HTTP GET request to retrieve the service A client may format an HTTP GET request to retrieve the service
document: document from the specified location:
GET /provider/svcdoc.xml GET /rolie/servicedocument
Host: www.example.org Host: www.example.org
Accept: application/atomsvc+xml Accept: application/atomsvc+xml
Notice the use of the HTTP Accept: request header, indicating the Notice the use of the HTTP Accept: request header, indicating the
MIME type for Atom service discovery. The response to this GET MIME type for Atom service discovery. The response to this GET
request will be an XML document that contains information on the request will be an XML document that contains information on the
specific feed collections that are provided by the CSIRT. specific Feed Collections that are provided by the provider.
Example HTTP GET response: Example HTTP GET response:
HTTP/1.1 200 OK HTTP/1.1 200 OK
Date: Fri, 24 Aug 2012 17:09:11 GMT Date: Fri, 24 Aug 2012 17:09:11 GMT
Content-Length: 570 Content-Length: 570
Content-Type: application/atomsvc+xml;charset="utf-8" Content-Type: application/atomsvc+xml;charset="utf-8"
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<service xmlns="http://www.w3.org/2007/app" <service xmlns="http://www.w3.org/2007/app"
xmlns:atom="http://www.w3.org/2005/Atom" xmlns:atom="http://www.w3.org/2005/Atom">
xmlns:xml="http://www.w3.org/XML/1998/namespace" <workspace>
xml:lang="en-US"> <atom:title type="text">Vulnerabilities</atom:title>
<workspace> <collection href="http://example.org/provider/vulns">
<atom:title type="text">Incidents</atom:title> <atom:title type="text">Vulnerabilities Feed</atom:title>
<collection href="http://example.org/provider/incidents"> <categories fixed="yes">
<atom:title type="text">Incidents Feed</atom:title> <atom:category
<categories fixed="yes"> scheme="urn:ietf:params:rolie:category:information-type"
<atom:category term="vulnerability"/>
scheme="urn:ietf:params:rolie:information-type" </categories>
term="vulnerability"/> </collection>
</categories> </workspace>
<accept>application/atom+xml; type=entry</accept> </service>
</collection>
</workspace>
</service>
This simple Service Document example shows that this server provides This simple Service Document example shows that this server provides
one workspace, named "Incidents". Within that workspace, the one workspace, named "Vunerabilities". Within that workspace, the
producer makes one feed collection available. When attempting to GET producer makes one Feed Collection available.
or POST entries to that feed collection, the client must indicate a
content type of application/atom+xml.
A server may also offer a number of different feeds, each containing A server may also offer a number of different Feeds, each containing
different types of security automation information. In the following different types of security automation information. In the following
example, the feeds have been categorized. This categorization will example, the Feeds have been categorized. This categorization will
help the clients to decide which feeds will meet their needs. help the clients to decide which Feeds will meet their needs.
HTTP/1.1 200 OK HTTP/1.1 200 OK
Date: Fri, 24 Aug 2012 17:10:11 GMT Date: Fri, 24 Aug 2012 17:10:11 GMT
Content-Length: 1912 Content-Length: 1912
Content-Type: application/atomsvc+xml;charset="utf-8" Content-Type: application/atomsvc+xml;charset="utf-8"
<?xml version="1.0" encoding='utf-8'?> <?xml version="1.0" encoding='utf-8'?>
<service xmlns="http://www.w3.org/2007/app" <service xmlns="http://www.w3.org/2007/app"
xmlns:atom="http://www.w3.org/2005/Atom"> xmlns:atom="http://www.w3.org/2005/Atom">
<workspace> <workspace>
<atom:title>Public Security Information Sharing</atom:title> <atom:title>Public Security Information Sharing</atom:title>
<collection <collection
href="http://example.org/provider/public/vulnerabilties"> href="http://example.org/provider/public/vulns">
<atom:title>Public Vulnerabilities</atom:title> <atom:title>Public Vulnerabilities</atom:title>
<accept>application/atom+xml; type=entry</accept> <link rel="service"
<categories fixed="yes"> href="www.example.com/rolie/servicedocument">
<atom:category <categories fixed="yes">
scheme="urn:ietf:params:rolie:information-type" <atom:category
term="vulnerability"/> scheme="urn:ietf:params:rolie:category:information-type"
</categories> term="vulnerability"/>
</collection> </categories>
<collection </collection>
href="http://example.org/provider/public/incidents"> </workspace>
<atom:title>Public Incidents</atom:title> <workspace>
<accept>application/atom+xml; type=entry</accept> <atom:title>Private Consortium Sharing</atom:title>
<categories fixed="yes"> <collection
<atom:category href="http://example.org/provider/private/vulns">
scheme="urn:ietf:params:rolie:information-type" <atom:title>Incidents</atom:title>
term="incident"/> <link rel="service"
</categories> href="www.example.com/rolie/servicedocument">
</collection> <categories fixed="yes">
</workspace> <atom:category
<workspace> scheme="urn:ietf:params:rolie:category:information-type"
<atom:title>Private Consortium Sharing</atom:title> term="incidents"/>
<collection </categories>
href="http://example.org/provider/private/incidents" > </collection>
<atom:title>Incidents</atom:title> </workspace>
<accept>application/atom+xml;type=entry</accept> </service>
<categories fixed="yes">
<atom:category
scheme="urn:ietf:params:rolie:information-type"
term="incident"/>
</categories>
</collection>
</workspace>
</service>
In this example, the CSIRT is providing a total of three feed In this example, the provider is making available a total of two Feed
collections, organized into two different workspaces. The first Collections, organized into two different workspaces. The first
workspace contains two feeds, consisting of publicly available workspace contains a Feed consisting of publicly available software
software vulnerabilities and publicly available incidents, vulnerabilities. The second workspace provides one additional
respectively. The second workspace provides one additional feed, for vulnerability Feed, for use by a private sharing consortium. An
use by a sharing consortium. The feed contains incident information appropriately authenticated and authorized client may then proceed to
containing entries related to three purposes: traceback, mitigation, make GET requests for one or more of these Feeds. The publicly
and reporting. The entries in this feed are categorized with a provided incident information may be accessible with or without
restriction of either "Need-to-Know" or "private". An appropriately authentication. However, users accessing the Feed targeted to the
authenticated and authorized client may then proceed to make GET
requests for one or more of these feeds. The publicly provided
incident information may be accessible with or without
authentication. However, users accessing the feed targeted to the
private sharing consortium would be expected to authenticate, and private sharing consortium would be expected to authenticate, and
appropriate authorization policies would subsequently be enforced by appropriate authorization policies would subsequently be enforced by
the feed provider. the Feed provider.
A.2. Feed Retrieval B.2. Feed Retrieval
This section provides a non-normative example of a client retrieving This section provides a non-normative example of a client retrieving
an incident feed. TODO an incident Feed.
Having discovered the available security information sharing feeds, Having discovered the available security information sharing Feeds, a
an authenticated and authorized client who is a member of the private client who is a member of the general public may be interested in
sharing consortium may be interested in receiving the feed of known receiving the Feed of public vulnerabilities. The client may
incidents. The client may retrieve this feed by performing an HTTP retrieve this Feed by performing an HTTP GET operation on the
GET operation on the indicated URL. indicated URL.
Example HTTP GET request for a Feed: Example HTTP GET request for a Feed:
GET /provider/private/incidents GET /provider/vulns
Host: www.example.org Host: www.example.org
Accept: application/atom+xml Accept: application/atom+xml
The corresponding HTTP response would be an XML document containing The corresponding HTTP response would be an XML document containing
the incidents feed: the incidents Feed:
Example HTTP GET response for a Feed: Example HTTP GET response for a Feed:
HTTP/1.1 200 OK HTTP/1.1 200 OK
Date: Fri, 24 Aug 2012 17:20:11 GMT Date: Fri, 24 Aug 2012 17:20:11 GMT
Content-Length: 2882 Content-Length: 2882
Content-Type: application/atom+xml;type=feed;charset="utf-8" Content-Type: application/atom+xml;type=feed;charset="utf-8"
<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"
xml:lang="en-US">
<generator version="1.0">
Example Provider ROLIE Feed Generator
</generator>
<id>http://www.example.org/provider/private/incidents</id>
<title type="text">
Atom formatted representation of
a feed of XML incident documents
</title>
<!-- The category is taken from the related IANA table -->
<atom:category
scheme="urn:ietf:params:rolie:information-type"
term="incident"/>
<updated>2012-05-04T18:13:51.0Z</updated>
<author>
<email>provider@example.org</email>
<name>Example Provider</name>
</author>
<!-- By convention there is usually a self link for the feed -->
<link href="http://www.example.org/provider/private/incidents"
rel="self" type="application/atom+xml"/>
<entry>
<id>
http://www.example.org/provider/private/incidents/123456
</id>
<title>Sample Incident</title>
<!-- by convention -->
<link
href="http://www.example.org/provider/private/incidents/12345"
rel="self" type="application/atom+xml"/>
<!-- required by Atom spec --> <?xml version="1.0" encoding="UTF-8"?>
<link <feed xmlns="http://www.w3.org/2005/Atom"
href="http://www.example.org/provider/private/incidents/12345" xml:lang="en-US">
rel="alternate" type="xml"/> <id>http://www.example.org/provider/vulns</id>
<title type="text">
Atom formatted representation of
a feed of XML incident documents
</title>
<atom:category
scheme="urn:ietf:params:rolie:category:information-type"
term="vulnerability"/>
<updated>2012-05-04T18:13:51.0Z</updated>
<link rel="self" href="http://example.org/provider/vulns" />
<link rel="service"
href="http://example.org/rolie/servicedocument"/>
<entry>
<rolie:format ns="urn:ietf:params:xml:ns:exampleformat"/>
<id>
http://www.example.org/provider/vulns/123456
</id>
<title>Sample Incident</title>
<published>2014-08-04T18:13:51.0Z</published>
<updated>2014-08-05T18:13:51.0Z</updated>
<summary>A short description of this resource</summary>
<content type="application/xml"
src="http://www.example.org/provider/vulns/123456/data"
</entry>
<published>2014-08-04T18:13:51.0Z</published> <entry>
<updated>2014-08-05T18:13:51.0Z</updated> <!-- ...another entry... -->
<summary>A short description of this resource</summary> </entry>
</entry>
<entry> </feed>
<!-- ...another entry... -->
</entry>
</feed> This Feed document has two atom entries, one of which has been
This feed document has two atom entries, one of which has been elided. The completed Entry illustrates an Atom <entry> element that
elided. The completed entry illustrates an Atom <entry> element that
provides a summary of essential details about one particular provides a summary of essential details about one particular
incident. Based upon this summary information and the provided incident. Based upon this summary information and the provided
category information, a client may choose to do an HTTP GET operation category information, a client may choose to do an HTTP GET operation
to retrieve the full details of the incident. This example to retrieve the full details of the incident. This example
exemplifies the benefits a RESTful alternative has to traditional exemplifies the benefits a RESTful alternative has to traditional
point-to-point messaging systems. point-to-point messaging systems.
A.3. Entry Retrieval B.3. Entry Retrieval
This section provides a non-normative example of a client retrieving This section provides a non-normative example of a client retrieving
an incident as an Atom entry. TODO an incident as an Atom Entry.
Having retrieved the feed of interest, the client may then decide Having retrieved the Feed of interest, the client may then decide
based on the description and/or category information that one of the based on the description and/or category information that one of the
entries in the feed is of further interest. The client may retrieve entries in the Feed is of further interest. The client may retrieve
this incident Entry by performing an HTTP GET operation on the this incident Entry by performing an HTTP GET operation on the
indicated URL. indicated URL.
Example HTTP GET request for an Entry: Example HTTP GET request for an Entry:
GET /provider/private/incidents/123456 GET /provider/vulns/123456
Host: www.example.org Host: www.example.org
Accept: application/atom+xml Accept: application/atom+xml
The corresponding HTTP response would be an XML document containing The corresponding HTTP response would be an XML document containing
the incident: the incident:
Example HTTP GET response for an Entry: Example HTTP GET response for an Entry:
HTTP/1.1 200 OK HTTP/1.1 200 OK
Date: Fri, 24 Aug 2012 17:30:11 GMT Date: Fri, 24 Aug 2012 17:30:11 GMT
Content-Length: 4965 Content-Length: 4965
Content-Type: application/atom+xml;type=entry;charset="utf-8" Content-Type: application/atom+xml;type=entry;charset="utf-8"
<?xml version="1.0" encoding="UTF-8"?>
<entry>
<id>http://www.example.org/provider/private/incidents/123456</id>
<title>Sample Incident</title>
<!-- by convention -->
<link href="http://www.example.org/csirt/private/incidents/123456"
rel="self" type="application/atom+xml"/>
<!-- required by Atom spec -->
<link href="http://www.example.org/csirt/private/incidents/123456"
rel="alternate" type="IODEF"/>
<published>2012-08-04T18:13:51.0Z</published>
<updated>2012-08-05T18:13:51.0Z</updated>
<!-- The category is taken from the related IANA table -->
<atom:category
scheme="urn:ietf:params:rolie:information-type"
term="incident"/>
<summary>A short description of this incident resource</summary>
<!-- Typical operations that can be
performed on this entry include edit -->
<link href="http://www.example.org/csirt/private/incidents/123456"
rel="edit"/>
<!-- the next and previous are just sequential access,
may not map to anything related to this resource -->
<link href="http://www.example.org/csirt/private/incidents/123457"
rel="next"/>
<link href="http://www.example.org/csirt/private/incidents/123455"
rel="previous"/>
<!-- navigate up to the full collection.
Might also be rel="collection" as per IANA registry -->
<link href="http://www.example.org/csirt/private/incidents"
rel="up"/>
<content type="application/xml"> <?xml version="1.0" encoding="UTF-8"?>
<xml> <entry>
<tag> <id>http://www.example.org/provider/vulns/123456</id>
<data> Example </data> <title>Sample Incident</title>
</tag> <published>2012-08-04T18:13:51.0Z</published>
</xml> <updated>2012-08-05T18:13:51.0Z</updated>
</content> <atom:category
</entry> scheme="urn:ietf:params:rolie:category:information-type"
term="incident"/>
<summary>A short description of this incident resource</summary>
<rolie:format ns="urn:ietf:params:xml:ns:exampleformat"/>
<content type="application/xml"
src="http://www.example.org/provider/vulns/123456/data">
</content>
</entry>
As can be seen in the example response, above, an XML document is As can be seen in the example response, above, an XML document is
contained within the Atom <content> element. The client may now linked to in the attributes of the Atom <content> element. The
process the XML document as needed. client may now process the XML document as needed.
Note also that, as described previously, the content of the Atom Note also that, as described previously, the content of the Atom
<category> element is application-defined. The Atom categories have <category> element is application-defined. The Atom categories have
been assigned based on the IANA table content model. been assigned based on the IANA table content model.
Finally, it should be noted that in order to optimize the client Finally, it should be noted that in order to optimize the client
experience, and avoid an additional round trip, a feed provider may experience, and avoid an additional round trip, a Feed provider may
choose to include the entry content inline, as part of the feed choose to include certain Entry elements inline, as part of the Feed
document. That is, an Atom <entry> element within a Feed document document. That is, an Atom <entry> element within a Feed document
may contain an Atom <content> element as a child. In this case, the may contain arbitrary non-required Atom elements as children. In
client will receive the full content of the entries within the feed. this case, the client will receive the more explicit information on
The decision of whether to include the entry content inline or to entries from within the Feed. The decision of whether to include
include it as a link is a design choice left to the feed provider extra Entry elements inline or to include it as a link is a design
(e.g. based upon local environmental factors such as the number of choice left to the Feed provider (e.g. based upon local environmental
entries contained in a feed, the available network bandwidth, the factors such as the number of entries contained in a Feed, the
available server compute cycles, the expected client usage patterns, available network bandwidth, the available server compute cycles, the
etc.). expected client usage patterns, etc.).
A.4. Use Case: Search
This section provides a non-normative example of a search use case.
The following example provides a RESTful solution to handling search
results. Note that in the RESTful approach described herein there is
no requirement to define a query language. Instead, implementations
may provide support for search operations via existing search
facilities, and advertise these capabilities via an appropriate URL
template. Clients dynamically retrieve the search description
document, and invoke specific searches via an instantiated URL
template.
An HTTP response body may include a link relationship of type
"search." This link provides a reference to an OpenSearch
description document.
Example HTTP response that includes a "search" link:
HTTP/1.1 200 OK
Date: Fri, 24 Aug 2012 17:20:11 GMT
Content-Length: nnnn
Content-Type: application/atom+xml;type=feed;charset="utf-8"
<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.w3.org/2005/Atom file:/
C:/schemas/atom.xsd
urn:ietf:params:xml:ns:iodef-1.0
file:/C:/schemas/iodef-1.0.xsd"
xml:lang="en-US">
<link href="http://www.example.org/opensearchdescription.xml"
rel="search"
type="application/opensearchdescription+xml"
title="CSIRT search facility" />
<!-- ...other links... -->
<entry>
<!-- ...zero or more entries... -->
</entry>
</feed>
The OpenSearch Description document contains the information needed
by a client to request a search. An example of an Open Search
description document is shown below:
Example HTTP response that includes a "search" link:
<?xml version="1.0" encoding="UTF-8"?>
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
<ShortName>CSIRT search example</ShortName>
<Description>Cyber security information
sharing consortium search interface</Description>
<Tags>example csirt indicator search</Tags>
<Contact>admin@example.org</Contact>
<!-- optionally, other elements, as per OpenSearch specification -->
<Url type="application/opensearchdescription+xml" rel="self"
template="http://www.example.com/csirt/opensearchdescription.xml"/>
<Url type="application/atom+xml" rel="results"
template="http://www.example.org/csirt?q={searchTerms}&amp;
format=Atom+xml"/>
<LongName>www.example.org CSIRT search</LongName>
<Query role="example" searchTerms="incident" />
<Language>en-us</Language>
<OutputEncoding>UTF-8</OutputEncoding>
<InputEncoding>UTF-8</InputEncoding>
</OpenSearchDescription>
The OpenSearch Description document shown above contains two <Url>
elements that contain parametrized URL templates. These templates
provide a representation of how the client should make search
requests. The exact format of the query string, including the
parametrization is specified by the feed provider
This OpenSearch Description Document also contains an example of a
<Query> element. Each <Query> element describes a specific search
request that can be made by the client. Note that the parameters of
the <Query> element correspond to the URL template parameters. In
this way, a provider may fully describe the search interface
available to the clients. The search section, above, provides
specific NORMATIVE requirements for the use of Open Search.
Appendix B. XACML Guidance
ROLIE assumes that all authorization policy enforcement is provided
at the source server. The implementation details of the
authorization scheme chosen by a ROLIE-compliant provider are out of
scope for this specification. Implementers are free to choose any
suitable authorization mechanism that is capable of fulfilling the
policy enforcement requirements relevant to their consortium and/or
organization.
It is well known that one of the major barriers to information
sharing is ensuring acceptable use of the information shared. In the
case of ROLIE, one way to lower that barrier may be to develop a
XACML profile. Use of XACML would allow a ROLIE-compliant provider
to express their information sharing authorization policies in a
standards-compliant, and machine-readable format.
This improved interoperability may, in turn, enable more agile
interactions in the cyber security sharing community. For example, a
peer CSIRT, or another interested stakeholder such as an auditor,
would be able to review and compare CSIRT sharing policies using
appropriate tooling.
The XACML 3.0 standard is based upon the notion that authorization
policies are defined in terms of predicate logic expressions written
against the attributes associated with one or more of the following
four entities:
o SUBJECT Appendix C. Change History
o ACTION Changes in draft-ietf-mile-rolie-04 since draft-ietf-mile-rolie-04
version, July 8, 2016 to October 31, 2016
o RESOURCE o Further specification and clarification of requirements
o ENVIRONMENT o IANA Considerations and extension system fleshed out and
described.
Thus, a suitable approach to a XACML 3.0 profile for ROLIE o Examples and References updated.
authorization policies could begin by using the 3-tuple of [SUBJECT,
ACTION, RESOURCE] where:
o SUBJECT is the suitably authenticated identity of the requestor. o Schema created.
o ACTION is the associated HTTP method, GET, PUT, POST, DELETE, o Fixed both internal section and external document referencing.
HEAD, (PATCH).
o RESOURCE is an XPath expression that uniquely identifies the o Removed XACML Guidance Appendix. This will be added to a future
instance or type of the ROLIE resource being requested. draft on ROLIE Authentication and Access Control.
Implementers who have a need may also choose to evaluate based upon Changes made in draft-ietf-mile-rolie-03 since draft-ietf-mile-
the additional ENVIRONMENT factors, such as current threat level, and rolie-02 version, May 27, 2016 to July 8, 2015
so on. One could also write policy to consider the CVSS score
associated with the resource, or the lifecycle phase of the resource
(vulnerability unverified, confirmed, patch available, etc.), and so
on.
Having these policies expressed in a standards-compliant and machine- o Atom Syndication and Atom Pub requirements split and greatly
readable format could improve the agility and effectiveness of a expanded for increased justification and technical specification.
cyber security information sharing group or consortium, and enable
better cyber defenses.
Appendix C. Relax NG Schema for ROLIE Extensions o Reintroduction and reformatting of some use case examples in order
to provide some guidance on use.
TODO o Established rough version of IANA table extension system along
with explanations of said system.
Appendix D. Change Tracking o Re-organized document to put non-vital information in appendices.
Changes since draft-field-mile-rolie-01 version, December, 2015 to Changes made in draft-ietf-mile-rolie-02 since draft-field-mile-
May 27, 2016: rolie-01 version, December, 2015 to May 27, 2016:
o All CSIRT and IODEF/RID material moved to companion CSIRT document o All CSIRT and IODEF/RID material moved to companion CSIRT document
TODO: add reference TODO: add reference
o Recast document into a more general use perspective. The o Recast document into a more general use perspective. The
implication of CSIRTs as the defacto end-user has been removed implication of CSIRTs as the defacto end-user has been removed
where ever possible. All of the original CSIRT based use cases where ever possible. All of the original CSIRT based use cases
remain completely supported by this document, it has been opened remain completely supported by this document, it has been opened
up to support many other use cases. up to support many other use cases.
skipping to change at page 38, line 38 skipping to change at page 37, line 34
o Removed any requirements from the Background section and, if not o Removed any requirements from the Background section and, if not
already stated, placed them in the requirements section already stated, placed them in the requirements section
o Re-formatted the requirements section to make it clearer that it o Re-formatted the requirements section to make it clearer that it
contains the lions-share of the requirements of the specification contains the lions-share of the requirements of the specification
Changes made in draft-ietf-mile-rolie-01 since draft-field-mile- Changes made in draft-ietf-mile-rolie-01 since draft-field-mile-
rolie-02 version, August 15, 2013 to December 2, 2015: rolie-02 version, August 15, 2013 to December 2, 2015:
o Added section specifying the use of RFC5005 for Archive and Paging o Added section specifying the use of RFC5005 for Archive and Paging
of feeds. of Feeds.
o Added section describing use of atom categories that correspond to o Added section describing use of atom categories that correspond to
IODEF expectation class and impact classes. See: normative- IODEF expectation class and impact classes. See: normative-
expectation-impact expectation-impact
o Dropped references to adoption of a MILE-specific HTTP media type o Dropped references to adoption of a MILE-specific HTTP media type
parameter. parameter.
o Updated IANA Considerations section to clarify that no IANA o Updated IANA Considerations section to clarify that no IANA
actions are required. actions are required.
 End of changes. 205 change blocks. 
920 lines changed or deleted 845 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/