| MILE Working Group | S. Banghart |
| Internet-Draft | NIST |
| Intended status: Informational | March 26, 2019 |
| Expires: September 27, 2019 |
Definition of ROLIE Vulnerability Extension
draft-banghart-mile-rolie-vuln-00
This document extends the Resource-Oriented Lightweight Information Exchange (ROLIE) core to add the information type categories and related requirements needed to support Vulnerability use cases. The vulnerability information type is defined as a ROLIE extensions. Additional supporting requirements are also defined that describe the use of specific formats and link relations pertaining to the new information type.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 27, 2019.
Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Vulnerability information sharing is one of the main use cases listed in RFC8322. This document provides additional format specific requirements to support interoperability and rich metadata of vulnerability information shared using ROLIE.
The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT," "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
Definitions for some of the common computer security-related terminology used in this document can be found in [RFC4949].
The "vulnerability" information type represents any information describing or pertaining to a computer security vulnerability. This document uses the definition of vulnerability provided by [RFC4949]. Provided below is a non-exhaustive list of information that may be considered to be of a vulnerability information type.
Note again that this list is not exhaustive, any information that in is the abstract realm of an vulnerability should be classified under this information-type.
Todo
Todo
This document provides new registrations for valid rolie:property names. These properties provide optional exposure point for valuable information in the linked content document. Exposing this information in a rolie:property element means that clients do not need to download the linked document to determine if it contains the information they are looking for.
Provides an XML element that can be populated with an identifier from the vulnerability document linked to by an atom:content element. This value SHOULD be a uniquely identifying value for the document linked to in this entry's atom:content element.
These sections define requirements for atom:link elements in Entries. Note that the requirements are determined by the information type that appears in either the Entry or in the parent Feed.
If the category of an Entry is the vulnerability information type, then the following requirements MUST be followed for support of atom:link elements.
| Name | Description | Conformance |
|---|---|---|
| todo | todo | todo |
IANA has added the following entries to the "ROLIE Security Resource Information Type Sub-Registry" registry located at <https://www.iana.org/assignments/rolie/category/information-type> .
The entry is as follows:
IANA has added the following entries to the "ROLIE URN Parameters" registry located in <https://www.iana.org/assignments/rolie/>.
The entry is as follows:
This document implies the use of ROLIE in high-security use cases, as such, added care should be taken to fortify and secure ROLIE repositories and clients using this extension. The guidance in the ROLIE core specification is strongly recommended, and implementers should consider adding additional security measures as they see fit.
When providing a private workspace for closed sharing, it is recommended that the ROLIE repository checks user authorization when the user sends a GET request to the service document. If the user is not authorized to send any requests to a given workspace or collection, that workspace or collection should be truncated from the service document in the response. In this way the existence of unauthorized content remains unknown to potential attackers, hopefully reducing attack surface.
| [RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997. |
| [RFC4287] | Nottingham, M. and R. Sayre, "The Atom Syndication Format", RFC 4287, DOI 10.17487/RFC4287, December 2005. |
| [RFC4949] | Shirey, R., "Internet Security Glossary, Version 2", FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007. |
| [RFC5023] | Gregorio, J. and B. de hOra, "The Atom Publishing Protocol", RFC 5023, DOI 10.17487/RFC5023, October 2007. |
| [RFC8322] | Field, J., Banghart, S. and D. Waltermire, "Resource-Oriented Lightweight Information Exchange (ROLIE)", RFC 8322, DOI 10.17487/RFC8322, February 2018. |