draft-ietf-mile-rolie-11.txt   draft-ietf-mile-rolie-12.txt 
MILE Working Group J. Field MILE Working Group J. Field
Internet-Draft Pivotal Internet-Draft Pivotal
Intended status: Standards Track S. Banghart Intended status: Standards Track S. Banghart
Expires: April 22, 2018 D. Waltermire Expires: April 27, 2018 D. Waltermire
NIST NIST
October 19, 2017 October 24, 2017
Resource-Oriented Lightweight Information Exchange Resource-Oriented Lightweight Information Exchange
draft-ietf-mile-rolie-11 draft-ietf-mile-rolie-12
Abstract Abstract
This document defines a resource-oriented approach for security This document defines a resource-oriented approach for security
automation information publication, discovery, and sharing. Using automation information publication, discovery, and sharing. Using
this approach, producers may publish, share, and exchange this approach, producers may publish, share, and exchange
representations of software descriptors, security incidents, attack representations of software descriptors, security incidents, attack
indicators, software vulnerabilities, configuration checklists, and indicators, software vulnerabilities, configuration checklists, and
other security automation information as web-addressable resources. other security automation information as web-addressable resources.
Furthermore, consumers and other stakeholders may access and search Furthermore, consumers and other stakeholders may access and search
skipping to change at page 2, line 4 skipping to change at page 2, line 4
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 22, 2018. This Internet-Draft will expire on April 27, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 26 skipping to change at page 2, line 26
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. XML-related Conventions . . . . . . . . . . . . . . . . . . . 4 3. XML-related Conventions . . . . . . . . . . . . . . . . . . . 4
3.1. XML Namespaces . . . . . . . . . . . . . . . . . . . . . 4 3.1. XML Namespaces . . . . . . . . . . . . . . . . . . . . . 5
3.2. RELAX NG Compact Schema . . . . . . . . . . . . . . . . . 5 3.2. RELAX NG Compact Schema . . . . . . . . . . . . . . . . . 5
4. Background and Motivation . . . . . . . . . . . . . . . . . . 5 4. Background and Motivation . . . . . . . . . . . . . . . . . . 5
5. ROLIE Requirements for the Atom Publishing Protocol . . . . . 6 5. ROLIE Requirements for the Atom Publishing Protocol . . . . . 7
5.1. AtomPub Service Documents . . . . . . . . . . . . . . . . 7 5.1. AtomPub Service Documents . . . . . . . . . . . . . . . . 7
5.1.1. Use of the "app:workspace" Element . . . . . . . . . 7 5.1.1. Use of the "app:workspace" Element . . . . . . . . . 7
5.1.2. Use of the "app:collection" Element . . . . . . . . . 8 5.1.2. Use of the "app:collection" Element . . . . . . . . . 8
5.1.3. Service Document Discovery . . . . . . . . . . . . . 9 5.1.3. Service Document Discovery . . . . . . . . . . . . . 9
5.2. Category Documents . . . . . . . . . . . . . . . . . . . 9 5.2. Category Documents . . . . . . . . . . . . . . . . . . . 10
5.3. Transport Layer Security . . . . . . . . . . . . . . . . 9 5.3. Transport Layer Security . . . . . . . . . . . . . . . . 10
5.4. User Authentication and Authorization . . . . . . . . . . 10 5.4. User Authentication and Authorization . . . . . . . . . . 10
5.5. / (forward slash) Resource URL . . . . . . . . . . . . . 10 5.5. / (forward slash) Resource URL . . . . . . . . . . . . . 11
5.6. HTTP methods . . . . . . . . . . . . . . . . . . . . . . 11 5.6. HTTP methods . . . . . . . . . . . . . . . . . . . . . . 11
6. ROLIE Requirements for the Atom Syndication Format . . . . . 11 6. ROLIE Requirements for the Atom Syndication Format . . . . . 11
6.1. Use of the "atom:feed" element . . . . . . . . . . . . . 11 6.1. Use of the "atom:feed" element . . . . . . . . . . . . . 12
6.1.1. Use of the "atom:category" Element . . . . . . . . . 12 6.1.1. Use of the "atom:category" Element . . . . . . . . . 13
6.1.2. Use of the "atom:link" Element . . . . . . . . . . . 13 6.1.2. Use of the "atom:link" Element . . . . . . . . . . . 13
6.1.3. Use of the "atom:updated" Element . . . . . . . . . . 14 6.1.3. Use of the "atom:updated" Element . . . . . . . . . . 15
6.2. Use of the "atom:entry" Element . . . . . . . . . . . . 14 6.2. Use of the "atom:entry" Element . . . . . . . . . . . . 15
6.2.1. Use of the "atom:content" Element . . . . . . . . . . 15 6.2.1. Use of the "atom:content" Element . . . . . . . . . . 16
6.2.2. Use of the "atom:link" Element . . . . . . . . . . . 16 6.2.2. Use of the "atom:link" Element . . . . . . . . . . . 17
6.2.3. Use of the "rolie:format" Element . . . . . . . . . . 16 6.2.3. Use of the "rolie:format" Element . . . . . . . . . . 17
6.2.4. Use of the rolie:property Element . . . . . . . . . . 17 6.2.4. Use of the rolie:property Element . . . . . . . . . . 18
6.2.5. Requirements for a Standalone Entry . . . . . . . . . 18 6.2.5. Requirements for a Standalone Entry . . . . . . . . . 19
7. Available Extension Points Provided by ROLIE . . . . . . . . 19 7. Available Extension Points Provided by ROLIE . . . . . . . . 20
7.1. The Category Extension Point . . . . . . . . . . . . . . 19 7.1. The Category Extension Point . . . . . . . . . . . . . . 20
7.1.1. General Use of the "atom:category" Element . . . . . 20 7.1.1. General Use of the "atom:category" Element . . . . . 21
7.1.2. Identification of Security Automation Information 7.1.2. Identification of Security Automation Information
Types . . . . . . . . . . . . . . . . . . . . . . . . 20 Types . . . . . . . . . . . . . . . . . . . . . . . . 21
7.2. The "rolie:format" Extension Point . . . . . . . . . . . 21 7.2. The "rolie:format" Extension Point . . . . . . . . . . . 22
7.3. The Link Relation Extension Point . . . . . . . . . . . . 22 7.3. The Link Relation Extension Point . . . . . . . . . . . . 23
7.4. The "rolie:property" Extension Point . . . . . . . . . . 22 7.4. The "rolie:property" Extension Point . . . . . . . . . . 23
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24
8.1. XML Namespaces and Schema URNs . . . . . . . . . . . . . 23 8.1. XML Namespaces and Schema URNs . . . . . . . . . . . . . 24
8.2. ROLIE URN Sub-namespace . . . . . . . . . . . . . . . . . 24 8.2. ROLIE URN Sub-namespace . . . . . . . . . . . . . . . . . 25
8.3. ROLIE URN Parameters . . . . . . . . . . . . . . . . . . 24 8.3. ROLIE URN Parameters . . . . . . . . . . . . . . . . . . 25
8.4. ROLIE Security Resource Information Type Sub-Registry . . 26 8.4. ROLIE Security Resource Information Type Sub-Registry . . 27
8.5. Well-Known URI Registrations . . . . . . . . . . . . . . 27 8.5. Well-Known URI Registration . . . . . . . . . . . . . . . 28
9. Security Considerations . . . . . . . . . . . . . . . . . . . 27 9. Security Considerations . . . . . . . . . . . . . . . . . . . 28
10. Privacy Considerations . . . . . . . . . . . . . . . . . . . 29 10. Privacy Considerations . . . . . . . . . . . . . . . . . . . 30
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 30 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 31
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 30 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 31
12.1. Normative References . . . . . . . . . . . . . . . . . . 30 12.1. Normative References . . . . . . . . . . . . . . . . . . 31
12.2. Informative References . . . . . . . . . . . . . . . . . 33 12.2. Informative References . . . . . . . . . . . . . . . . . 34
12.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 35 12.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Appendix A. Relax NG Compact Schema for ROLIE . . . . . . . . . 35 Appendix A. Relax NG Compact Schema for ROLIE . . . . . . . . . 36
Appendix B. Examples of Use . . . . . . . . . . . . . . . . . . 36 Appendix B. Examples of Use . . . . . . . . . . . . . . . . . . 37
B.1. Service Discovery . . . . . . . . . . . . . . . . . . . . 36 B.1. Service Discovery . . . . . . . . . . . . . . . . . . . . 37
B.2. Feed Retrieval . . . . . . . . . . . . . . . . . . . . . 39 B.2. Feed Retrieval . . . . . . . . . . . . . . . . . . . . . 40
B.3. Entry Retrieval . . . . . . . . . . . . . . . . . . . . . 41 B.3. Entry Retrieval . . . . . . . . . . . . . . . . . . . . . 42
Appendix C. Change History . . . . . . . . . . . . . . . . . . . 42 Appendix C. Change History . . . . . . . . . . . . . . . . . . . 43
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 45 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 46
1. Introduction 1. Introduction
This document defines a resource-oriented approach to security This document defines a resource-oriented approach to security
automation information sharing that follows the Representational automation information sharing that follows the Representational
State Transfer (REST) architectural style [REST]. In this approach, State Transfer (REST) architectural style [REST]. In this approach,
computer security resources are maintained in web-accessible computer security resources are maintained in web-accessible
repositories structured as Atom Syndication Format [RFC4287] Feeds. repositories structured as Atom Syndication Format [RFC4287] Feeds.
Within a given Feed, which may be requested by the consumer, Within a given Feed, which may be requested by the consumer,
representations of specific types of security automation information representations of specific types of security automation information
skipping to change at page 4, line 24 skipping to change at page 4, line 24
Sections 5 and 6 of this document define the core requirements of all Sections 5 and 6 of this document define the core requirements of all
implementations of this specification, and is resource representation implementations of this specification, and is resource representation
agnostic. An overview of the extension system is provided in agnostic. An overview of the extension system is provided in
Section 7. Implementers seeking to provide support for specific Section 7. Implementers seeking to provide support for specific
security automation information types should refer to the security automation information types should refer to the
specification for that domain described by the IANA registry found in specification for that domain described by the IANA registry found in
section 8.4. section 8.4.
2. Terminology 2. Terminology
The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT," The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
document are to be interpreted as described in [RFC2119]. "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
The previous key words are used in this document to define the The previous key words are used in this document to define the
conformance requirements for implementations of this specification. requirements for implementations of this specification. As a result,
This document does not give any recommendations for the use of ROLIE, the key words in this document are not used for recommendations or
it only provides conformance requirements for implementations of this requirements for the use of ROLIE.
specification.
Definitions for some of the common computer security-related Definitions for some of the common computer security-related
terminology used in this document can be found in Section 2 of terminology used in this document can be found in Section 2 of
[RFC7970]. [RFC7970].
The following terms are unique to this specification: The following terms are unique to this specification:
Information Type A class of security automation information having Information Type A class of security automation information having
one or more associated data models. Often such security one or more associated data models. Often such security
automation information is used in the automation of a security automation information is used in the automation of a security
skipping to change at page 6, line 4 skipping to change at page 6, line 10
Extensible information type categories and format agnosticism: ROLIE Extensible information type categories and format agnosticism: ROLIE
is not bound to any given data format or category of information. is not bound to any given data format or category of information.
Instead, information categories are extensible, and entries Instead, information categories are extensible, and entries
declare the format of the referenced data. In cases where several declare the format of the referenced data. In cases where several
formats or serializations are available, ROLIE can use link formats or serializations are available, ROLIE can use link
relations to communicate how a consumer can access these formats. relations to communicate how a consumer can access these formats.
For example, clients may request that a given resource For example, clients may request that a given resource
representation be returned as XML, JSON, or in some other format representation be returned as XML, JSON, or in some other format
or serialization. This approach allows the provider to support or serialization. This approach allows the provider to support
multiple, compatible formats allowing the consumer to select the multiple isomorphic formats allowing the consumer to select the
most suitable version. most suitable version.
Open and distributed information sharing: Using the Atom Publishing Open and distributed information sharing: Using the Atom Publishing
Protocol, ROLIE feeds can easily aggregate feeds and accept Protocol, ROLIE feeds can easily aggregate feeds and accept
information POSTed to them from other sources. Webs of information POSTed to them from other sources. Webs of
communicating ROLIE servers form ad-hoc sharing communities, communicating ROLIE servers form ad-hoc sharing communities,
increasing data availability and the ability to correlate linked increasing data availability and the ability to correlate linked
data across sources for participating consumers. ROLIE servers data across sources for participating consumers. ROLIE servers
needn't be distributed however, as large ROLIE repositories can needn't be distributed however, as large ROLIE repositories can
function as a central or federated collections. function as a central or federated collections.
skipping to change at page 7, line 25 skipping to change at page 7, line 31
a number of app:collection elements. a number of app:collection elements.
The general structure of a service document is as follows (from The general structure of a service document is as follows (from
RFC5023 section 4.2 [RFC5023]): RFC5023 section 4.2 [RFC5023]):
Service Service
o- Workspace o- Workspace
| | | |
| o- Collection | o- Collection
| | | | | |
| | o- IRI, categories, media types | | o- URI, categories, media types
| | | |
| o- ... | o- ...
| |
o- Workspace o- Workspace
| | | |
| o- Collection | o- Collection
| | | | | |
| | o- IRI, categories, media types | | o- URI, categories, media types
| | | |
| o- ... | o- ...
| |
o- ... o- ...
Note that the IRIs in the original diagram have been replaced with
URIs.
5.1.1. Use of the "app:workspace" Element 5.1.1. Use of the "app:workspace" Element
In AtomPub, a Workspace, represented by the "app:workspace" element, In AtomPub, a Workspace, represented by the "app:workspace" element,
describes a group of one or more Collections. Building on the describes a group of one or more Collections. Building on the
AtomPub concept of a Workspace, in ROLIE a Workspace represents an AtomPub concept of a Workspace, in ROLIE a Workspace represents an
aggregation of Collections pertaining to security automation aggregation of Collections pertaining to security automation
information resources. This specification does not restrict the information resources. This specification does not restrict the
number of Workspaces that may be in a Service Document or the number of Workspaces that may be in a Service Document or the
specific Collections to be provided within a given Workspace. specific Collections to be provided within a given Workspace.
skipping to change at page 8, line 27 skipping to change at page 8, line 35
information resources pertaining to a given type of security information resources pertaining to a given type of security
automation information. Collections are represented as Atom Feeds as automation information. Collections are represented as Atom Feeds as
per RFC 5023. Atom Feed specific requirements are defined in section per RFC 5023. Atom Feed specific requirements are defined in section
6.1. 6.1.
ROLIE defines specialized data requirements for Collections, Feeds, ROLIE defines specialized data requirements for Collections, Feeds,
and Entries containing security automation related data. The and Entries containing security automation related data. The
difference between a ROLIE and a non-ROLIE Collection defined in a difference between a ROLIE and a non-ROLIE Collection defined in a
Service Document can be determined as follows: Service Document can be determined as follows:
ROLIE Collection: For an app:collection to be considered a ROLIE ROLIE Collection: An app:collection is considered a ROLIE Collection
Collection, the app:collection MUST contain an app:categories when it contains an app:categories element that contains only one
element that contains only one atom:category element with the atom:category element with the "scheme" attribute value of
"scheme" attribute value of "urn:ietf:params:rolie:category:information-type". Further, this
"urn:ietf:params:rolie:category:information-type". This category category has an appropriate "term" attribute value as defined in
MUST have an appropriate "term" attribute value as defined in
section 7.1.1. This ensures that a given Collection corresponds section 7.1.1. This ensures that a given Collection corresponds
to a specific type of security automation information. to a specific type of security automation information.
Non-ROLIE Collection: For an app:collection to be considered a non- Non-ROLIE Collection: An app:collection is considered a non-ROLIE
ROLIE Collection, the app:collection MUST NOT contain an Collection when it does not contain an atom:category element with
atom:category element with a "scheme" attribute value of a "scheme" attribute value of
"urn:ietf:params:rolie:category:information-type". "urn:ietf:params:rolie:category:information-type".
By distinguishing between ROLIE and non-ROLIE Collections in this By distinguishing between ROLIE and non-ROLIE Collections in this
way, implementations supporting ROLIE can host Collections pertaining way, implementations supporting ROLIE can host Collections pertaining
to security automation information alongside Collections of other to security automation information alongside Collections of other
non-ROLIE information within the same AtomPub instance. non-ROLIE information within the same AtomPub instance.
The following are additional requirements on the use of the The following are additional requirements on the use of the
app:collection element for a ROLIE Collection: app:collection element for a ROLIE Collection:
skipping to change at page 9, line 15 skipping to change at page 9, line 22
associated with the Collection and the associated Feed is associated with the Collection and the associated Feed is
discoverable in both of these resources. discoverable in both of these resources.
o The app:categories element in an app:collection MAY include o The app:categories element in an app:collection MAY include
additional atom:category elements using a scheme other than additional atom:category elements using a scheme other than
"urn:ietf:params:rolie:category:information-type". This allows "urn:ietf:params:rolie:category:information-type". This allows
other category metadata to be included. other category metadata to be included.
5.1.3. Service Document Discovery 5.1.3. Service Document Discovery
..his specification requires that an implementation MUST publish an ROLIE repositories are largely intended to be consumed by automated
Atom Service Document that describes the set of security information systems. While humans may be able to navigate a web page or receive
Collections provided by the service. The Service Document MUST be an email to find a link to the repository, automated systems struggle
retrievable using the standardized URI template with such tasks. By creating a standardized location for the Service
"https://{host:port}/.well-known/rolie/servicedocument", where Document, ROLIE clients need only a host name and port in order to
{host:port} is the authority portion of the URI. Dereferencing this locate a ROLIE repository. This lower barrier to entry reduces the
URI MAY result in a redirect based on an appropriate HTTP 3xx status amount of human intervention required for ROLIE clients to begin
code to direct the client to the actual Service Document. This reading Feeds.
allows clients to have a well-known location to find a ROLIE service
document, while giving implementations flexibility over how the
service is deployed.
This document registers the "rolie/servicedocument" well-known URI as An implementation MUST publish an Atom Service Document that
per [RFC5785] in Section 8.5. describes the set of security information Collections provided by the
service. The Service Document MUST be retrievable using the
standardized URI template "https://{host:port}/.well-known/rolie/
servicedocument", where {host:port} is the authority portion of the
URI. Dereferencing this URI MAY result in a redirect based on an
appropriate HTTP 3xx status code to direct the client to the actual
Service Document. This allows clients to have a well-known location
to find a ROLIE service document, while giving implementations
flexibility over how the service is deployed.
This document registers the "rolie" well-known URI as per [RFC5785]
in Section 8.5.
A mechanism to determine which host and port to use is not specified A mechanism to determine which host and port to use is not specified
in this document. Use of a mechanism such as DNS SRV Records in this document. Use of a mechanism such as DNS SRV Records
[RFC2782] can provide a secure and reliable discovery mechanism for [RFC2782] can provide a secure and reliable discovery mechanism for
determining a specific host and port to use for retrieving a Service determining a specific host and port to use for retrieving a Service
Document for a given DNS domain. Document for a given DNS domain. This is a feature that may be
standardized in the future.
5.2. Category Documents 5.2. Category Documents
As described in RFC5023 section 7 [RFC5023], a Category Document is As described in RFC5023 section 7 [RFC5023], a Category Document is
an XML-based document format that allows a client to dynamically an XML-based document format that allows a client to dynamically
discover the Categories used within AtomPub Service Documents, Atom discover the Categories used within AtomPub Service Documents, Atom
Syndication Feeds, and Entry documents provided by a publisher. A Syndication Feeds, and Entry documents provided by a publisher. A
Category Document consists of one app:categories element that Category Document consists of one app:categories element that
contains a number of inline atom:category elements, or a URI contains a number of inline atom:category elements, or a URI
referencing a Category Document. referencing a Category Document.
5.3. Transport Layer Security 5.3. Transport Layer Security
ROLIE is intended to be handled with TLS. TLS version 1.2 MUST be ROLIE is intended to be handled with TLS. TLS version 1.2 MUST be
supported. TLS 1.2 SHOULD be implemented according to all supported. TLS 1.2 SHOULD be implemented according to all
recommendations and best practices present in [RFC7525]. recommendations and best practices present in [RFC7525].
It is RECOMMENDED that the most recent published version of TLS is It is RECOMMENDED that the most recent published version of TLS is
supported. If this version is TLS 1.3 [I-D.ietf-tls-tls13], it is supported. If this version is TLS 1.3 [I-D.ietf-tls-tls13] it is
recommended that 0-RTT (Zero Round Trip Time Resumption) is not used, suggested that 0-RTT (Zero Round Trip Time Resumption) is not used in
as there is a replay attack that is possible with that option. order to prevent replay attacks. Replay attacks on PUT, POST, or
DELETE requests can disrupt repository operation by modifying data
unexpectedly.
For example, an automated ROLIE repository that updates very
frequently may receive a PUT request against a given resource a few
times an hour (or more). An attacker may store an early PUT request,
and at the end of the resumption window replay the PUT request,
reverting the resource to an old version. Not only could an attacker
be doing this replay continuously to cause havoc on the server, but
the client is completely unaware of the attack taking place.
Given the potentially sensitive nature of data handled by ROLIE, all
appropriate precautions should be taken at the transport layer to
protect forward secrecy and user privacy.
The server MUST implement certificate-based client authentication. The server MUST implement certificate-based client authentication.
This MAY be enabled on a workspace by workspace basis. This MAY be enabled on a workspace by workspace basis.
5.4. User Authentication and Authorization 5.4. User Authentication and Authorization
Implementations MUST support user authentication. However, a given Implementations MUST support user authentication. However, a given
implementation MAY allow user authentication to be disabled on a Feed implementation MAY allow user authentication to be disabled on a Feed
by Feed, or Workspace by Workspace basis. by Feed, or Workspace by Workspace basis.
Servers participating in an information sharing consortium and It is recommended that servers participating in an information
supporting interactive user logins by members of the consortium sharing consortium and supporting interactive user logins by members
SHOULD support client authentication via a federated identity scheme. of the consortium support client authentication via a federated
identity scheme.
This document does not mandate the use of any specific user This document does not mandate the use of any specific user
authorization mechanisms. However, service implementers SHOULD authorization mechanisms. However, service implementers SHOULD
support appropriate authorization checking for all resource accesses, support appropriate authorization checking for all resource accesses,
including individual Atom Entries, Atom Feeds, and Atom Service including individual Atom Entries, Atom Feeds, and Atom Service
Documents. Documents.
5.5. / (forward slash) Resource URL 5.5. / (forward slash) Resource URL
The "/" resource MAY be supported for compatibility with existing The "/" resource MAY be supported for compatibility with existing
skipping to change at page 11, line 16 skipping to change at page 11, line 46
Servers MAY accept request methods beyond those specified in this Servers MAY accept request methods beyond those specified in this
document. document.
Clients MUST be capable of recognizing and processing any standard Clients MUST be capable of recognizing and processing any standard
HTTP status code, as defined in [RFC5023] Section 5. HTTP status code, as defined in [RFC5023] Section 5.
6. ROLIE Requirements for the Atom Syndication Format 6. ROLIE Requirements for the Atom Syndication Format
This section describes a number of restrictions of and extensions to This section describes a number of restrictions of and extensions to
the Atom Syndication Format [RFC4287] that define the use of that the Atom Syndication Format [RFC4287] that define valid use of the
format in the context of a ROLIE-based solution. The normative format in the context of a ROLIE implementation. An understanding of
requirements in this section are generally oriented towards any the Atom Syndication Format specification [RFC4287] is helpful to
content to be published to a ROLIE server. An understanding of the
Atom Syndication Format specification [RFC4287] is helpful to
understand the requirements in this section. understand the requirements in this section.
6.1. Use of the "atom:feed" element 6.1. Use of the "atom:feed" element
As described in RFC4287 section 4.1.1 [RFC4287], an Atom Feed is an As described in RFC4287 section 4.1.1 [RFC4287], an Atom Feed is an
XML-based document format that describes a list of related XML-based document format that describes a list of related
information items. The list of Atom Feeds provided by a ROLIE information items. The list of Atom Feeds provided by a ROLIE
service are listed in the service's Service Document through one or service are listed in the service's Service Document through one or
more app:collection elements. Each Feed document, represented using more app:collection elements. Each Feed document, represented using
the atom:feed element, contains a listing of zero or more Entries. the atom:feed element, contains a listing of zero or more Entries.
skipping to change at page 13, line 19 skipping to change at page 13, line 49
scheme other than "urn:ietf:params:rolie:category:information- scheme other than "urn:ietf:params:rolie:category:information-
type". This allows other category metadata to be included. type". This allows other category metadata to be included.
6.1.2. Use of the "atom:link" Element 6.1.2. Use of the "atom:link" Element
Link relations defined by the atom:link element are used to represent Link relations defined by the atom:link element are used to represent
state transitions using a stateless approach. In Atom a type of link state transitions using a stateless approach. In Atom a type of link
relationship can be defined using the "rel" attribute. relationship can be defined using the "rel" attribute.
A ROLIE atom:feed MUST contain one or more atom:link elements with A ROLIE atom:feed MUST contain one or more atom:link elements with
rel="service" and href attribute whose value is a IRI that points to rel="service" and href attribute whose value is a URI that points to
an Atom Service Document associated with the atom:feed. If a client an Atom Service Document associated with the atom:feed. If a client
accesses a Feed without first accessing the service's service accesses a Feed without first accessing the service's service
document, a link with the "service" relationship provides a means to document, a link with the "service" relationship provides a means to
discover additional security automation information. The "service" discover additional security automation information. The "service"
link relationship is defined in the IANA Link Relations Registry [1]. link relationship is defined in the IANA Link Relations Registry [1].
An atom:feed can contain an arbitrary number of Entries. In some An atom:feed can contain an arbitrary number of Entries. In some
cases, a complete Feed may consist of a large number of Entries. cases, a complete Feed may consist of a large number of Entries.
Additionally, as new and updated Entries are ordered at the beginning Additionally, as new and updated Entries are ordered at the beginning
of a Feed, a client may only be interested in retrieving the first N of a Feed, a client may only be interested in retrieving the first N
entries in a Feed to process only the Entries that have changed since entries in a Feed to process only the Entries that have changed since
the last retrieval of the Feed. As a practical matter, a large set the last retrieval of the Feed. As a practical matter, a large set
of Entries will likely need to be divided into more manageable of Entries will likely need to be divided into more manageable
portions, or pages. Based on RFC5005 section 3 [RFC5005], link portions, or pages. Based on RFC5005 section 3 [RFC5005], link
elements SHOULD be included in all Feeds to support paging using the elements SHOULD be included in all Feeds to support paging using the
following link relation types: following link relation types:
o "first" - Indicates that the href attribute value of the link o "first" - Indicates that the href attribute value of the link
identifies a resource IRI for the furthest preceding page of the identifies a resource URI for the furthest preceding page of the
Feed. Feed.
o "last" - Indicates that the href attribute value of the link o "last" - Indicates that the href attribute value of the link
identifies a resource IRI for the furthest following page of the identifies a resource URI for the furthest following page of the
Feed. Feed.
o "previous" - Indicates that the href attribute value of the link o "previous" - Indicates that the href attribute value of the link
identifies a resource IRI for the immediately preceding page of identifies a resource URI for the immediately preceding page of
the Feed. the Feed.
o "next" - Indicates that the href attribute value of the link o "next" - Indicates that the href attribute value of the link
identifies a resource IRI for the immediately following page of identifies a resource URI for the immediately following page of
the Feed. the Feed.
For example: For example:
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"> <feed xmlns="http://www.w3.org/2005/Atom">
<id>b7f65304-b63b-4246-88e2-c104049c5fd7</id> <id>b7f65304-b63b-4246-88e2-c104049c5fd7</id>
<title>Paged Feed</title> <title>Paged Feed</title>
<link rel="self" href="http://example.org/feedA?page=5"/> <link rel="self" href="https://example.org/feedA?page=5"/>
<link rel="first" href="http://example.org/feedA?page=1"/> <link rel="first" href="https://example.org/feedA?page=1"/>
<link rel="prev" href="http://example.org/feedA?page=4"/> <link rel="prev" href="https://example.org/feedA?page=4"/>
<link rel="next" href="http://example.org/feedA?page=6"/> <link rel="next" href="https://example.org/feedA?page=6"/>
<link rel="last" href="http://example.org/feedA?page=10"/> <link rel="last" href="https://example.org/feedA?page=10"/>
<updated>2012-05-04T18:13:51.0Z</updated> <updated>2012-05-04T18:13:51.0Z</updated>
<!-- remainder of feed elements --> <!-- remainder of feed elements -->
</feed> </feed>
Example Paged Feed Example Paged Feed
A reference to a historical Feed may need to be stable, and/or a Feed A reference to a historical Feed may need to be stable, and/or a Feed
may need to be divided into a series of defined epochs. may need to be divided into a series of defined epochs.
Implementations SHOULD support the mechanisms described in RFC5005 Implementations SHOULD support the mechanisms described in RFC5005
skipping to change at page 16, line 9 skipping to change at page 17, line 6
empty empty
} }
This restricts atomContent in ROLIE to the atomOutofLine forumulation This restricts atomContent in ROLIE to the atomOutofLine forumulation
presented in[RFC4287]. presented in[RFC4287].
The type attribute MUST identify the serialization type of the The type attribute MUST identify the serialization type of the
content, for example, application/xml or application/json. A content, for example, application/xml or application/json. A
prefixed media type MAY be used to reflect a specific model used with prefixed media type MAY be used to reflect a specific model used with
a given serialization approach (e.g., application/rdf+xml). The src a given serialization approach (e.g., application/rdf+xml). The src
attribute MUST be an IRI that can be dereferenced to retrieve the attribute MUST be an URI that can be dereferenced to retrieve the
related content data. related content data.
6.2.2. Use of the "atom:link" Element 6.2.2. Use of the "atom:link" Element
Link relations can be included in an atom:entry to represent state Link relations can be included in an atom:entry to represent state
transitions for the Entry. transitions for the Entry.
If there is a need to provide the same information in different data If there is a need to provide the same information in different data
models and/or serialization formats, separate Entry instances can be models and/or serialization formats, separate Entry instances can be
included in the same or a different Feed. Such an alternate content included in the same or a different Feed. Such an alternate content
skipping to change at page 18, line 51 skipping to change at page 19, line 51
not recognize a property with an unregistered name attribute MAY not recognize a property with an unregistered name attribute MAY
ignore the rolie:property. ignore the rolie:property.
6.2.5. Requirements for a Standalone Entry 6.2.5. Requirements for a Standalone Entry
If an Entry is ever shared as a standalone resource, separate from If an Entry is ever shared as a standalone resource, separate from
its containing Feed, then the following additional requirements its containing Feed, then the following additional requirements
apply: apply:
o The Entry MUST have an atom:link element with rel="collection" and o The Entry MUST have an atom:link element with rel="collection" and
href="[IRI of the containing Collection]". This allows the Feed href="[URI of the containing Collection]". This allows the Feed
or Feeds for which the Entry is a member to be discovered, along or Feeds for which the Entry is a member to be discovered, along
with the related information the Feed may contain. In the case of with the related information the Feed may contain. In the case of
the Entry have multiple containing Feeds, the Entry MUST have one the Entry have multiple containing Feeds, the Entry MUST have one
atom:link for each related Feed. atom:link for each related Feed.
o The Entry MUST declare the information type of the content o The Entry MUST declare the information type of the content
resource referenced by the Entry (see Section 7.1.2). resource referenced by the Entry (see Section 7.1.2).
7. Available Extension Points Provided by ROLIE 7. Available Extension Points Provided by ROLIE
skipping to change at page 22, line 18 skipping to change at page 23, line 18
resources that the consumer is not interested in or resources resources that the consumer is not interested in or resources
expressed in formats that are not supported by the consumer. expressed in formats that are not supported by the consumer.
7.3. The Link Relation Extension Point 7.3. The Link Relation Extension Point
This document uses several link relations defined in the IANA Link This document uses several link relations defined in the IANA Link
Relation Types registry [2]. Additional link relations can be Relation Types registry [2]. Additional link relations can be
registered in this registry to allow new relationships to be registered in this registry to allow new relationships to be
represented in ROLIE according to RFC 4287 section 4.2.7.2 [RFC4287]. represented in ROLIE according to RFC 4287 section 4.2.7.2 [RFC4287].
Based on the preceding reference, if the link relation is too Based on the preceding reference, if the link relation is too
specific or limited in the intended use, an absolute IRI can be used specific or limited in the intended use, an absolute URI can be used
in lieu of registering a new simple name with IANA. in lieu of registering a new simple name with IANA.
7.4. The "rolie:property" Extension Point 7.4. The "rolie:property" Extension Point
As discussed previously in Section 6.2.4, many formats contain unique As discussed previously in Section 6.2.4, many formats contain unique
identifying and characterizing properties that are vital for sharing identifying and characterizing properties that are vital for sharing
information. In order to provide a global reference for these information. In order to provide a global reference for these
properties, this document establishes an IANA registry in Section 8.3 properties, this document establishes an IANA registry in Section 8.3
that allows ROLIE extensions to register named properties using the that allows ROLIE extensions to register named properties using the
name field with a type parameter of "property" to indicate a property name field with a type parameter of "property" to indicate a property
skipping to change at page 23, line 52 skipping to change at page 24, line 52
XML: None. Namespace URIs do not represent an XML specification. XML: None. Namespace URIs do not represent an XML specification.
ROLIE XML Schema The ROLIE schema (rolie-1.0) has been registered in ROLIE XML Schema The ROLIE schema (rolie-1.0) has been registered in
the "schema" registry. the "schema" registry.
URI: urn:ietf:params:xml:schema:rolie-1.0 URI: urn:ietf:params:xml:schema:rolie-1.0
Registrant Contact: IESG Registrant Contact: IESG
XML: See section A of this document. XML: See Appendix A of this document.
8.2. ROLIE URN Sub-namespace 8.2. ROLIE URN Sub-namespace
IANA has added an entry to the "IETF URN Sub-namespace for Registered IANA has added an entry to the "IETF URN Sub-namespace for Registered
Protocol Parameter Identifiers" registry located at Protocol Parameter Identifiers" registry located at
<http://www.iana.org/assignments/params/params.xml#params-1> as per <http://www.iana.org/assignments/params/params.xml#params-1> as per
RFC3553 [RFC3553]. RFC3553 [RFC3553].
The entry is as follows: The entry is as follows:
skipping to change at page 24, line 27 skipping to change at page 25, line 27
Repository: ROLIE URN Parameters. See Section 8.3 [TO BE REMOVED: Repository: ROLIE URN Parameters. See Section 8.3 [TO BE REMOVED:
This registration should take place at the following location: This registration should take place at the following location:
https://www.iana.org/assignments/rolie] https://www.iana.org/assignments/rolie]
Index value: See Section 8.3 Index value: See Section 8.3
8.3. ROLIE URN Parameters 8.3. ROLIE URN Parameters
A new top-level registry has been created, entitled "Resource A new top-level registry has been created, entitled "Resource
Oriented Lightweight Information Exchange (ROLIE) Parameters". [TO Oriented Lightweight Information Exchange (ROLIE) URN Parameters".
BE REMOVED: This registration should take place at the following [TO BE REMOVED: This registration should take place at the following
location: https://www.iana.org/assignments/rolie] location: https://www.iana.org/assignments/rolie]
In this top-level registry, a sub-registry entitled "ROLIE URN Registration in the ROLIE URN Parameters registry is via the
Parameters" has been created. Registration in this repository is via Specification Required policy [RFC8126]. Designated Expert reviews
the Specification Required policy [RFC8126]. Designated Expert should be routed through the MILE WG mailing list. Failing this, the
reviews should be routed through the MILE WG mailing list. Failing Designated Expert will be assigned by the IESG.
this, the Designated Expert will be assigned by the IESG.
Each entry in this sub-registry must record the following fields: Each entry in this sub-registry must record the following fields:
Name: A URN segment that adheres to the pattern {type}:{label}. Name: A URN segment that adheres to the pattern {type}:{label}.
The keywords are defined as follows: The keywords are defined as follows:
{type}: The parameter type. The allowed values are "category" {type}: The parameter type. The allowed values are "category"
or "property". "category" denotes a category extension as or "property". "category" denotes a category extension as
discussed in Section 7.1. "property" denotes a property discussed in Section 7.1. "property" denotes a property
extension as discussed in Section 7.4. extension as discussed in Section 7.4.
{label}: A required US-ASCII string that conforms to the URN {label}: A required US-ASCII string that conforms to the URN
syntax requirements (see [RFC8141]). This string must be syntax requirements (see [RFC8141]). This string must be
unique within the namespace defined by the {type} keyword. The unique within the namespace defined by the {type} keyword. The
"local" label for both the "category" and "property" types has "local" label for both the "category" and "property" types has
been reserved for private use. been reserved for private use.
Extension IRI: The identifier to use within ROLIE, which is the Extension URI: The identifier to use within ROLIE, which is the
full URN using the form: urn:ietf:params:rolie:{name}, where full URN using the form: urn:ietf:params:rolie:{name}, where
{name} is the "name" field of this registration. {name} is the "name" field of this registration.
Reference: A static link to the specification and section that the Reference: A static link to the specification and section that the
definition of the parameter can be found. definition of the parameter can be found.
Sub-registry: An optional field that links to an IANA sub-registry Sub-registry: An optional field that links to an IANA sub-registry
for this parameter. If the {type} is "category", the sub-registry for this parameter. If the {type} is "category", the sub-registry
must contain a "name" field whose registered values MUST be US- must contain a "name" field whose registered values MUST be US-
ASCII. The list of names are the allowed values of the "term" ASCII. The list of names are the allowed values of the "term"
attribute in the atom:category element. (See Section 7.1.2). attribute in the atom:category element. (See Section 7.1.2).
This repository has the following initial values: This repository has the following initial values:
+------------+--------------------+-------+-------------------------+ +------------+--------------------+-------+-------------------------+
| Name | Extension IRI | Refer | Sub-Registry | | Name | Extension URI | Refer | Sub-Registry |
| | | ence | | | | | ence | |
+------------+--------------------+-------+-------------------------+ +------------+--------------------+-------+-------------------------+
| category:i | urn:ietf:params:ro | This | [TO BE REMOVED: This | | category:i | urn:ietf:params:ro | This | [TO BE REMOVED: This |
| nformation | lie:category | docum | registration should | | nformation | lie:category | docum | registration should |
| -type | :information-type | ent, | take place at the | | -type | :information-type | ent, | take place at the |
| | | Secti | following location: htt | | | | Secti | following location: htt |
| | | on | ps://www.iana.org/assig | | | | on | ps://www.iana.org/assig |
| | | 8.4 | nments/rolie/category | | | | 8.4 | nments/rolie/category |
| | | | /information-type] | | | | | /information-type] |
| property:l | urn:ietf:params:ro | This | None | | property:l | urn:ietf:params:ro | This | None |
skipping to change at page 27, line 32 skipping to change at page 28, line 32
registry uses the value 1, and this value is incremented for registry uses the value 1, and this value is incremented for
each subsequent entry added to the registry. each subsequent entry added to the registry.
reference: A list of one or more URIs [RFC3986] from which the reference: A list of one or more URIs [RFC3986] from which the
registered specification can be obtained. The registered registered specification can be obtained. The registered
specification MUST be readily and publicly available from that specification MUST be readily and publicly available from that
URI. The URI SHOULD be a stable reference. URI. The URI SHOULD be a stable reference.
Allocation Policy: Specification required as per [RFC8126] Allocation Policy: Specification required as per [RFC8126]
8.5. Well-Known URI Registrations 8.5. Well-Known URI Registration
This document makes the follow two registrations to the Well-Known This document makes the follow two registrations to the Well-Known
URI Registry at https://www.iana.org/assignments/well-known-uris/ URI Registry at https://www.iana.org/assignments/well-known-uris/
well-known-uris.xhtml. well-known-uris.xhtml.
Service Document registration: Service Document registration:
URI suffix: rolie/servicedocument URI suffix: rolie
Change controller: IETF Change controller: IETF
Specification document: This document, Section 5.1.3 Specification document: This document, Section 5.1.3
Related information: None Related information: None
9. Security Considerations 9. Security Considerations
This document defines a resource-oriented approach for lightweight This document defines a resource-oriented approach for lightweight
skipping to change at page 30, line 27 skipping to change at page 31, line 27
specification, and a similar potential for abuse exists with any specification, and a similar potential for abuse exists with any
other cyber security information sharing protocol. However, the wide other cyber security information sharing protocol. However, the wide
availability of tools for HTTP clients and Atom Feed handling implies availability of tools for HTTP clients and Atom Feed handling implies
that the resources and technical skills required for a successful that the resources and technical skills required for a successful
exploit may be less than it was previously. This risk can be best exploit may be less than it was previously. This risk can be best
mitigated through appropriate vetting of the client at account mitigated through appropriate vetting of the client at account
provisioning time. In addition, any increase in the risk of this provisioning time. In addition, any increase in the risk of this
type of abuse should be offset by the corresponding increase in type of abuse should be offset by the corresponding increase in
effectiveness that this specification affords to the defenders. effectiveness that this specification affords to the defenders.
Overall, ROLIE introduces few privacy concerns above and beyond those Overall, privacy concerns in ROLIE can be mitigated by following
present in any other HTTP protocol. Those that exist can be security considerations and careful use of the optional personally
mitigated by following security considerations and carefully using identifying elements (e.g., author) provided by Atom Syndication and
the optional identifying elements. ROLIE.
11. Acknowledgements 11. Acknowledgements
The authors gratefully acknowledge the valuable contributions of Tom The authors gratefully acknowledge the valuable contributions of Tom
Maguire, Kathleen Moriarty, and Vijayanand Bharadwaj. These Maguire, Kathleen Moriarty, and Vijayanand Bharadwaj. These
individuals provided detailed review comments on earlier drafts, and individuals provided detailed review comments on earlier drafts, and
made many suggestions that have helped to improve this document. made many suggestions that have helped to improve this document.
The authors would also like to thank the MILE Working Group, the SACM The authors would also like to thank the MILE Working Group, the SACM
Working Group, and countless other people from both within the IETF Working Group, and countless other people from both within the IETF
skipping to change at page 32, line 42 skipping to change at page 33, line 42
[RFC7970] Danyliw, R., "The Incident Object Description Exchange [RFC7970] Danyliw, R., "The Incident Object Description Exchange
Format Version 2", RFC 7970, DOI 10.17487/RFC7970, Format Version 2", RFC 7970, DOI 10.17487/RFC7970,
November 2016, <https://www.rfc-editor.org/info/rfc7970>. November 2016, <https://www.rfc-editor.org/info/rfc7970>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26, Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017, RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>. <https://www.rfc-editor.org/info/rfc8126>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[W3C.REC-xml-names-20091208] [W3C.REC-xml-names-20091208]
Bray, T., Hollander, D., Layman, A., Tobin, R., and H. Bray, T., Hollander, D., Layman, A., Tobin, R., and H.
Thompson, "Namespaces in XML 1.0 (Third Edition)", World Thompson, "Namespaces in XML 1.0 (Third Edition)", World
Wide Web Consortium Recommendation REC-xml-names-20091208, Wide Web Consortium Recommendation REC-xml-names-20091208,
December 2009, December 2009,
<http://www.w3.org/TR/2009/REC-xml-names-20091208>. <http://www.w3.org/TR/2009/REC-xml-names-20091208>.
12.2. Informative References 12.2. Informative References
[I-D.ietf-tls-tls13] [I-D.ietf-tls-tls13]
skipping to change at page 37, line 15 skipping to change at page 38, line 15
HTTP/1.1 200 OK HTTP/1.1 200 OK
Date: Fri, 24 Aug 2016 17:09:11 GMT Date: Fri, 24 Aug 2016 17:09:11 GMT
Content-Length: 570 Content-Length: 570
Content-Type: application/atomsvc+xml;charset="utf-8" Content-Type: application/atomsvc+xml;charset="utf-8"
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<service xmlns="http://www.w3.org/2007/app" <service xmlns="http://www.w3.org/2007/app"
xmlns:atom="http://www.w3.org/2005/Atom"> xmlns:atom="http://www.w3.org/2005/Atom">
<workspace> <workspace>
<atom:title type="text">Vulnerabilities</atom:title> <atom:title type="text">Vulnerabilities</atom:title>
<collection href="http://example.org/provider/vulns"> <collection href="https://example.org/provider/vulns">
<atom:title type="text">Vulnerabilities Feed</atom:title> <atom:title type="text">Vulnerabilities Feed</atom:title>
<categories fixed="yes"> <categories fixed="yes">
<atom:category <atom:category
scheme="urn:ietf:params:rolie:category:information-type" scheme="urn:ietf:params:rolie:category:information-type"
term="vulnerability"/> term="vulnerability"/>
</categories> </categories>
</collection> </collection>
</workspace> </workspace>
</service> </service>
skipping to change at page 38, line 16 skipping to change at page 39, line 16
Date: Fri, 24 Aug 2016 17:10:11 GMT Date: Fri, 24 Aug 2016 17:10:11 GMT
Content-Length: 1912 Content-Length: 1912
Content-Type: application/atomsvc+xml;charset="utf-8" Content-Type: application/atomsvc+xml;charset="utf-8"
<?xml version="1.0" encoding='utf-8'?> <?xml version="1.0" encoding='utf-8'?>
<service xmlns="http://www.w3.org/2007/app" <service xmlns="http://www.w3.org/2007/app"
xmlns:atom="http://www.w3.org/2005/Atom"> xmlns:atom="http://www.w3.org/2005/Atom">
<workspace> <workspace>
<atom:title>Public Security Information Sharing</atom:title> <atom:title>Public Security Information Sharing</atom:title>
<collection <collection
href="http://example.org/provider/public/vulns"> href="https://example.org/provider/public/vulns">
<atom:title>Public Vulnerabilities</atom:title> <atom:title>Public Vulnerabilities</atom:title>
<atom:link rel="service" <atom:link rel="service"
href="www.example.com/rolie/servicedocument"/> href="https://example.org/rolie/servicedocument"/>
<categories fixed="yes"> <categories fixed="yes">
<atom:category <atom:category
scheme="urn:ietf:params:rolie:category:information-type" scheme="urn:ietf:params:rolie:category:information-type"
term="vulnerability"/> term="vulnerability"/>
</categories> </categories>
</collection> </collection>
</workspace> </workspace>
<workspace> <workspace>
<atom:title>Private Consortium Sharing</atom:title> <atom:title>Private Consortium Sharing</atom:title>
<collection <collection
href="http://example.org/provider/private/incidents"> href="https://example.org/provider/private/incidents">
<atom:title>Incidents</atom:title> <atom:title>Incidents</atom:title>
<atom:link rel="service" <atom:link rel="service"
href="www.example.com/rolie/servicedocument"/> href="https://example.org/rolie/servicedocument"/>
<categories fixed="yes"> <categories fixed="yes">
<atom:category <atom:category
scheme="urn:ietf:params:rolie:category:information-type" scheme="urn:ietf:params:rolie:category:information-type"
term="incident"/> term="incident"/>
</categories> </categories>
</collection> </collection>
</workspace> </workspace>
</service> </service>
In this example, the provider is making available a total of two In this example, the provider is making available a total of two
skipping to change at page 40, line 24 skipping to change at page 41, line 24
<id>2a7e265a-39bc-43f2-b711-b8fd9264b5c9</id> <id>2a7e265a-39bc-43f2-b711-b8fd9264b5c9</id>
<title type="text"> <title type="text">
Atom formatted representation of Atom formatted representation of
a feed of XML vulnerability documents a feed of XML vulnerability documents
</title> </title>
<category <category
scheme="urn:ietf:params:rolie:category:information-type" scheme="urn:ietf:params:rolie:category:information-type"
term="vulnerability"/> term="vulnerability"/>
<updated>2016-05-04T18:13:51.0Z</updated> <updated>2016-05-04T18:13:51.0Z</updated>
<link rel="self" <link rel="self"
href="http://example.org/provider/public/vulns" /> href="https://example.org/provider/public/vulns" />
<link rel="service" <link rel="service"
href="http://example.org/rolie/servicedocument"/> href="https://example.org/rolie/servicedocument"/>
<entry> <entry>
<rolie:format ns="urn:ietf:params:xml:ns:exampleformat"/> <rolie:format ns="urn:ietf:params:xml:ns:exampleformat"/>
<id>dd786dba-88e6-440b-9158-b8fae67ef67c</id> <id>dd786dba-88e6-440b-9158-b8fae67ef67c</id>
<title>Sample Vulnerability</title> <title>Sample Vulnerability</title>
<published>2015-08-04T18:13:51.0Z</published> <published>2015-08-04T18:13:51.0Z</published>
<updated>2015-08-05T18:13:51.0Z</updated> <updated>2015-08-05T18:13:51.0Z</updated>
<summary>A vulnerability issue identified by CVE-...</summary> <summary>A vulnerability issue identified by CVE-...</summary>
<content type="application/xml" <content type="application/xml"
src="http://www.example.org/provider/vulns/123456/data"/> src="https://example.org/provider/vulns/123456/data"/>
</entry> </entry>
<entry> <entry>
<!-- ...another entry... --> <!-- ...another entry... -->
</entry> </entry>
</feed> </feed>
This Feed document has two Atom Entries, one of which has been This Feed document has two Atom Entries, one of which has been
elided. The first Entry illustrates an atom:entry element that elided. The first Entry illustrates an atom:entry element that
skipping to change at page 41, line 46 skipping to change at page 42, line 46
<id>f63aafa9-4082-48a3-9ce6-97a2d69d4a9b</id> <id>f63aafa9-4082-48a3-9ce6-97a2d69d4a9b</id>
<title>Sample Vulnerability</title> <title>Sample Vulnerability</title>
<published>2015-08-04T18:13:51.0Z</published> <published>2015-08-04T18:13:51.0Z</published>
<updated>2015-08-05T18:13:51.0Z</updated> <updated>2015-08-05T18:13:51.0Z</updated>
<category <category
scheme="urn:ietf:params:rolie:category:information-type" scheme="urn:ietf:params:rolie:category:information-type"
term="vulnerability"/> term="vulnerability"/>
<summary>A vulnerability issue identified by CVE-...</summary> <summary>A vulnerability issue identified by CVE-...</summary>
<rolie:format ns="urn:ietf:params:xml:ns:exampleformat"/> <rolie:format ns="urn:ietf:params:xml:ns:exampleformat"/>
<content type="application/xml" <content type="application/xml"
src="http://www.example.org/provider/vulns/123456/data"> src="https://example.org/provider/vulns/123456/data">
</content> </content>
</entry> </entry>
The example response above shows an XML document referenced by the The example response above shows an XML document referenced by the
"src" attribute of the atom:content element. The client may retrieve "src" attribute of the atom:content element. The client may retrieve
the document using this URL. the document using this URL.
Appendix C. Change History Appendix C. Change History
Changes in draft-ietf-mile-rolie-11 since draft-ietf-mile-rolie-09 Changes in draft-ietf-mile-rolie-11 since draft-ietf-mile-rolie-09
 End of changes. 52 change blocks. 
127 lines changed or deleted 155 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/