MILE Working Group                                              J. Field
Internet-Draft                                                   Pivotal
Intended status: Informational                               S. Banghart
Expires: May 4, 2017                                       D. Waltermire
                                                                    NIST
                                                        October 31, 2016


           Resource-Oriented Lightweight Information Exchange
                        draft-ietf-mile-rolie-05

Abstract

   This document defines a resource-oriented approach for security
   automation information publication, discovery, and sharing.  Using
   this approach, producers may publish, share, and exchange
   representations of security incidents, attack indicators, software
   vulnerabilities, configuration checklists, and other security
   automation information as Web-addressable resources.  Furthermore,
   consumers and other stakeholders may access and search this security
   information as needed, establishing a rapid and on-demand information
   exchange network for restricted internal use or public access
   repositories.  This specification extends the Atom Publishing
   Protocol and Atom Syndication Format to transport and share security
   automation resource representations.

Contributing to this document

   The source for this draft is being maintained on GitHub.  Suggested
   changes should be submitted as pull requests at
   <https://github.com/CISecurity/ROLIE>.  Instructions are on that page
   as well.  Editorial changes can be managed in GitHub, but any
   substantial issues need to be discussed on the MILE mailing list.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."



Field, et al.              Expires May 4, 2017                  [Page 1]


Internet-Draft                    ROLIE                     October 2016


   This Internet-Draft will expire on May 4, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  XML-related Conventions . . . . . . . . . . . . . . . . . . .   4
     3.1.  XML Namespaces  . . . . . . . . . . . . . . . . . . . . .   4
     3.2.  RELAX NG Compact Schema . . . . . . . . . . . . . . . . .   5
   4.  Background and Motivation . . . . . . . . . . . . . . . . . .   5
     4.1.  Proactive Sharing . . . . . . . . . . . . . . . . . . . .   5
     4.2.  Knowledge Aggregation . . . . . . . . . . . . . . . . . .   6
     4.3.  Resource-oriented Architecture  . . . . . . . . . . . . .   6
   5.  ROLIE Requirements for the Atom Publishing Protocol . . . . .   7
     5.1.  AtomPub Service Documents . . . . . . . . . . . . . . . .   7
       5.1.1.  Use of the "app:workspace" Element  . . . . . . . . .   8
       5.1.2.  Use of the "app:collection" Element . . . . . . . . .   8
       5.1.3.  Service Discovery . . . . . . . . . . . . . . . . . .   9
     5.2.  AtomPub Category Documents  . . . . . . . . . . . . . . .  10
     5.3.  Transport Layer Security  . . . . . . . . . . . . . . . .  10
     5.4.  User Authentication and Authorization . . . . . . . . . .  11
     5.5.  / (forward slash) Resource URL  . . . . . . . . . . . . .  11
     5.6.  HTTP methods  . . . . . . . . . . . . . . . . . . . . . .  12
   6.  ROLIE Requirements for the Atom Syndication Format  . . . . .  12
     6.1.  Use of the "atom:feed" element  . . . . . . . . . . . . .  12
       6.1.1.  Use of the "atom:category" Element  . . . . . . . . .  13
       6.1.2.  Use of the "atom:link" Element  . . . . . . . . . . .  14
       6.1.3.  Use of the "atom:updated" Element . . . . . . . . . .  15
     6.2.  Use of the  "atom:entry" Element  . . . . . . . . . . . .  15
       6.2.1.  Use of the "atom:content" Element . . . . . . . . . .  16
       6.2.2.  Use of the "atom:link" Element  . . . . . . . . . . .  16
       6.2.3.  Use of the "rolie:format" Element . . . . . . . . . .  17
       6.2.4.  Requirements for a Standalone Entry . . . . . . . . .  18



Field, et al.              Expires May 4, 2017                  [Page 2]


Internet-Draft                    ROLIE                     October 2016


   7.  Available Extension Points Provided by ROLIE  . . . . . . . .  18
     7.1.  The Category Extension Point  . . . . . . . . . . . . . .  18
       7.1.1.  General Use of the "atom:category" Element  . . . . .  19
       7.1.2.  Identification of Security Automation Information
               Types . . . . . . . . . . . . . . . . . . . . . . . .  19
     7.2.  The "rolie:format" Extension Point  . . . . . . . . . . .  21
     7.3.  The Link Relation Extension Point . . . . . . . . . . . .  21
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  21
     8.1.  XML Namespaces and Schema URNs  . . . . . . . . . . . . .  21
     8.2.  ROLIE URN Sub-namespace . . . . . . . . . . . . . . . . .  22
     8.3.  ROLIE URN Parameters  . . . . . . . . . . . . . . . . . .  22
     8.4.  ROLIE Security Resource Information Type Sub-Registry . .  23
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .  24
   10. Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  26
   11. References  . . . . . . . . . . . . . . . . . . . . . . . . .  26
     11.1.  Normative References . . . . . . . . . . . . . . . . . .  26
     11.2.  Informative References . . . . . . . . . . . . . . . . .  28
     11.3.  URIs . . . . . . . . . . . . . . . . . . . . . . . . . .  29
   Appendix A.  Relax NG Compact Schema for ROLIE  . . . . . . . . .  29
   Appendix B.  Examples of Use  . . . . . . . . . . . . . . . . . .  30
     B.1.  Service Discovery . . . . . . . . . . . . . . . . . . . .  30
     B.2.  Feed Retrieval  . . . . . . . . . . . . . . . . . . . . .  33
     B.3.  Entry Retrieval . . . . . . . . . . . . . . . . . . . . .  35
   Appendix C.  Change History . . . . . . . . . . . . . . . . . . .  36
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  37

1.  Introduction

   This document defines a resource-oriented approach to security
   automation information sharing that follows the REST (Architectural S
   tyles and the Design of Network-based Software Architectures)
   architectural style.  In this approach, computer security resources
   are maintained in web-accessible repositories structured as Atom
   Syndication Format [RFC4287] Feeds.  Representations of specific
   types of security automation information are categorized and
   organized into indexed Collections which may be requested by the
   consumer.  As the set of resource Collections are forward facing, the
   consumer may search all available content for which they are
   authorized to view, and request the information resources which are
   desired.  Through use of granular authentication and access controls,
   only authorized consumers may be permitted the ability to read or
   write to a given Feed.  This approach is in contrast to, and meant to
   improve on, the traditional point-to-point messaging system, in which
   consumers must request individual pieces of information from a server
   following a triggering event.  The point-to-point approach creates a
   closed system of information sharing that encourages duplication of
   effort and hinders automated security systems.




Field, et al.              Expires May 4, 2017                  [Page 3]


Internet-Draft                    ROLIE                     October 2016


   The goal of this document is to define a RESTful approach to security
   information communication with two primary intents: 1) increasing
   communication and sharing of incident reports, vulnerability
   assessments, configuration checklists, and other security automation
   information between providers and consumers; and 2) establishing a
   standardized communication system to support automated computer
   security systems.

   In order to deal with the great variety in security automation
   information types and associated resource representations, this
   specification defines extension points that can be used to add
   support for new information types and associated resource
   representations by means of additional supplementary specification
   documents.  This primary document is resource representation
   agnostic, and defines the core requirements of all implementations.
   An overview of the extension system is provided in Section 7.Those
   seeking to provide support for specific security automation
   information types should refer to the specification for that domain
   described by the IANA registry found in section 8.4.

2.  Terminology

   The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT,"
   "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Definitions for some of the common computer security-related
   terminology used in this document can be found in Section 2 of
   [RFC5070].

   The following terms are unqiue to this specification:

   Information Type  A class of security automation information, having
      an associated data model, that is the subject of a security
      process that can be automated.  See section 7.1.2 for more
      information.

      Do we need other terms to be defined?

3.  XML-related Conventions

3.1.  XML Namespaces

   This specification uses XML Namespaces [W3C.REC-xml-names-20091208]
   to uniquely identify XML element names.  It uses the following
   namespace prefix mappings for the indicated namespace URI:





Field, et al.              Expires May 4, 2017                  [Page 4]


Internet-Draft                    ROLIE                     October 2016


      "app" is used for the "http://www.w3.org/2007/app" namespace
      defined in [RFC5023].

      "atom" is used for the "http://www.w3.org/2005/Atom" namespace
      defined in [RFC4287].

      "rolie" is used for the "urn:ietf:params:xml:ns:rolie:1.0"
      namespace defined in section 8.1 of this specification.

3.2.  RELAX NG Compact Schema

   Some sections of this specification are illustrated with fragments of
   a non-normative RELAX NG Compact schema [relax-NG].  However, the
   text of this specification provides the definition of conformance.
   Schema for the "http://www.w3.org/2007/app" and
   "http://www.w3.org/2005/Atom" namespaces appear in RFC5023 appendix B
   [RFC5023] and RFC4287 appendix B [RFC4287] respectively.

4.  Background and Motivation

   Information sharing is one of the core components of automating
   security processes.  Vulnerabilities, configurations, software
   identification, security incidents, and patching data are just a few
   of the classes of information that are shared today to enable
   effective security on a wide scale.  However, as the scale of defense
   broadens to sometimes global networks, and the inherent scaling
   issues of human-in-the-loop sharing become apparent, the need for
   automation and machine-to-machine communication becomes apparent.

4.1.  Proactive Sharing

   Existing approaches to computer security information sharing often
   use message exchange patterns that are point-to-point.  Sometimes,
   information that may be useful to share with multiple peers is only
   made available to peers after they have specifically requested it.
   Unfortunately, a sharing peer may not know, a priori, what
   information to request from another peer.  Some existing systems
   provide a mechanism for unsolicited information requests, however,
   these reports are again sent point-to-point, and must be reviewed for
   relevance and then prioritized for action by the recipient,
   introducing additional latency.

   In order to adequately combat evolving threats, computer security
   information resource providers should be able to share selected
   information proactively.  Proactive sharing greatly aids knowledge
   dissemination, and improves response times and usability by allowing
   the consumer to choose which information is relevant to its needs.




Field, et al.              Expires May 4, 2017                  [Page 5]


Internet-Draft                    ROLIE                     October 2016


   For example, a security analyst can benefit by having the ability to
   search a comprehensive collection of attack indicators that have been
   published by a government agency, or by another member of a sharing
   consortium.  The representation of each indicator may include links
   to the related resources, enabling an appropriately authenticated and
   authorized analyst to freely navigate the information space of
   indicators, incidents, vulnerabilities, and other computer security
   domain concepts as needed.  In this way, an analyst can more
   effectively utilize the super set of information made publicly
   available.

4.2.  Knowledge Aggregation

   Additionally, there is value in maintaining a repository of knowledge
   that can be queried by a new consumer, allowing this consumer to
   identify and retrieve any information that is relevant to its needs.
   In this way, the consumer can gain access to meaningful current and
   historic information, catching up to the knowledge level of its
   peers.

   Consider the case of an automated endpoint management system
   attempting to proactively prevent software flaws and mis-configured
   software from compromising the security of the affected systems.
   During its full network sweep, the endpoint monitoring system would
   check each endpoint for outdated, vulnerable, and mis-configured
   software.  This system would benefit from having access to not only
   the software vendor's list of vulnerabilities and configuration
   baselines, but also similar information discovered by other security
   researchers.  An advanced system could even give back to this sharing
   consortium by sharing any relevant information discovered.

   These capabilities support a federated collection of information
   repositories that can be queried and contributed to by an
   organization, further supporting automated security solutions.

4.3.  Resource-oriented Architecture

   Applying the REST architectural style to the problem domain of
   security information sharing involves exposing information of any
   relevant type as simple Web-addressable resources.  Each provider
   maintains their own repository of data, with public and private
   sections as needed.  Any producer or consumer can then discover these
   repositories, search for relevant Feeds, and pull information from
   them.  By using this approach, an organization can more quickly and
   easily share relevant data representations with a much larger and
   potentially more diverse constituency.  A consumer may leverage
   virtually any available HTTP user agent in order to make requests of
   the service provider.  This improved ease of use enables more rapid



Field, et al.              Expires May 4, 2017                  [Page 6]


Internet-Draft                    ROLIE                     October 2016


   adoption and broader participation, thereby improving security for
   everyone.

   A key aspect of any RESTful Web service is the ability to provide
   multiple resource representations.  For example, clients may request
   that a given resource representation be returned as XML, JSON, or in
   some other format.  In order to enable backwards-compatibility and
   interoperability with existing implementations, the RESTful approach
   allows the provider to make differing formats available proactively,
   allowing the consumer to simply select the version that best suits
   them.

   Finally, an important principle of the REST architectural style is
   the focus on hypermedia as the engine of application state (HATEOAS).
   Rather than the server maintaining conversational state for each
   client, the server will instead include a suitable set of hyperlinks
   in the resource representation that is returned to the client.  The
   included hyperlinks provide the client with a specific set of
   permitted state transitions.  Using these links the client may
   perform an operation, such as updating or deleting the resource
   representation.  The client may also be provided with hypertext links
   that can be used to navigate to any related resource.  For example,
   the resource representation for an object may contain links to the
   related resource(s).  In this way, the server remains stateless with
   respect to a series of client requests.

5.  ROLIE Requirements for the Atom Publishing Protocol

   This section describes a number of restrictions of and extensions to
   the Atom Publishing Protocol (AtomPub) [RFC5023] that define the use
   of that protocol in the context of a ROLIE-based solution.  The
   normative requirements in this section are generally oriented towards
   client and server implementations.  An understanding of the Atom
   Publishing Protocol specification [RFC5023] is helpful to understand
   the requirements in this section.

5.1.  AtomPub Service Documents

   As described in RFC5023 section 8 [RFC5023], a Service Document is an
   XML-based document format that allows a client to dynamically
   discover the Collections provided by a publisher.  A Service Document
   consists of one or more app:workspace elements that may each contain
   a number of app:collection elements.

   The general structure of a service document is as follows (from
   RFC5023 section 4.2 [RFC5023]):





Field, et al.              Expires May 4, 2017                  [Page 7]


Internet-Draft                    ROLIE                     October 2016


        Service
           o- Workspace
           |    |
           |    o- Collection
           |         |
           |         o- IRI, categories, media types
           |
           o- Workspace
                |
                o- Collection
                     |
                     o- IRI, categories, media types

5.1.1.  Use of the "app:workspace" Element

   In AtomPub, a Workspace, represented by the "app:workspace" element,
   describes a group of one or more Collections.  Building on the
   AtomPub concept of a Workspace, in ROLIE a Workspace represents an
   aggregation of Collections pertaining to security automation
   information resources.  This specification does not impose any
   restrictions on the number of Workspaces that may be in a Service
   Document or the specific Collections to be provided within a given
   Workspace.

   The following restrictions are imposed on the use of the
   app:workspace element in ROLIE:

   o  A ROLIE repository can host Collections containing both public and
      private information entries.  It is RECOMMENDED that public and
      private Collections be segregated into different Workspaces.  By
      doing this, Workspaces that contain private information can be
      ignored by clients or can be omitted from the Service Document
      provided to a client that lacks the appropriate privilege to
      access the set of Collections associated with the Workspace.

   o  Appropriate descriptions and naming conventions SHOULD be used to
      indicate the intended audience of each workspace.  This helps to
      facilitate the selection of appropriate Workspaces by users.

5.1.2.  Use of the "app:collection" Element

   In AtomPub, a Collection in a Service Document, represented by the
   "app:collection" element, provides metadata that can be used to point
   to a specific Atom Feed that contains information Entries that may be
   of interest to a client.  The association between a Collection and a
   Feed is provided by the "href" attribute of the app:collection
   element.  Building on the AtomPub concept of a Collection, in ROLIE a
   Collection represents a pointer to a group of security automation



Field, et al.              Expires May 4, 2017                  [Page 8]


Internet-Draft                    ROLIE                     October 2016


   information resources pertaining to a given type of security
   automation information.  Collections are represented as Atom Feeds as
   per RFC 5023.  Atom Feed specific requirements are defined in section
   6.1.

   The following restrictions are imposed on the use of the
   app:collection element for ROLIE:

   o  The atom:category elements contained in the app:categories element
      MUST be the same set of atom:categories used in the Atom Feed
      resource indicated by the app:collection "href" attribute value.
      This ensures that the category metadata associated with the
      Collection is discoverable in both the Feed and the corresponding
      Collection in the Service Document.

   o  An app:collection pertaining to a security automation information
      resource Feed MUST contain an app:categories element that
      minimally contains a single atom:category element with the
      "scheme" attribute value of
      "urn:ietf:params:rolie:category:information-type".  This category
      MUST have an appropriate "term" attribute value as defined in
      section 7.1.1.  This ensures that a given Collection corresponds
      to a specific type of security automation information.

   o  Any app:collection element that does not contain a descendant
      atom:category element with the "scheme" attribute value of
      "urn:ietf:params:rolie:category:information-type" MUST be
      considered a non-ROLIE Collection.  This allows Collections
      pertaining to security automation information to co-exist
      alongside Collections of other non-ROLIE information within the
      same AtomPub instance.

   o  The app:categories element in an app:collection MAY include
      additional atom:category elements using a scheme other than
      "urn:ietf:params:rolie:category:information-type".  This allows
      other category metadata to be included.

5.1.3.  Service Discovery

   This specification requires that an implementation MUST publish an
   Atom Service Document that describes the set of security information
   sharing Collections that are provided by the repository.

   The Service Document SHOULD be discoverable via the organization's
   Web home page or another well-known public resource.  An example of
   this can be found in appendix B.1.





Field, et al.              Expires May 4, 2017                  [Page 9]


Internet-Draft                    ROLIE                     October 2016


   The Service Document SHOULD be located at the standardized location
   "https://{host:port}/rolie/servicedocument", where {host:port} is the
   authority portion of the URI.  Dereferencing this URI MAY result in a
   redirect based on a HTTP 3xx status code to direct the client to the
   actual Service Document.  This allows clients to have a well-known
   location to find a ROLIE service document, while giving
   implementations flexibility over how the service is deployed.

   When deploying a Service Document for use by a closed consortium, the
   service document MAY also be digitally signed and/or encrypted.  For
   example, consider XML Signature Syntax and Processing [xmldsig] and
   XML Encryption Syntax and Processing. [xmlenc]

5.2.  AtomPub Category Documents

   As described in RFC5023 section 7 [RFC5023], a Category Document is
   an XML-based document format that allows a client to dynamically
   discover the Categories used within AtomPub Service Documents, and
   Atom Syndication Feed and Entry documents provided by a publisher.  A
   Category Document consists of one or more app:categories elements
   that may each contain a number of app:collection elements.

   A ROLIE implementation MUST publish an Category Document that
   describes the set of atom:category elements and associated terms used
   within the implemented repository.

5.3.  Transport Layer Security

   ROLIE is intended to be handled with TLS.  The following requirements
   have been derived from [RFC7589].

   The most recent published version of TLS MUST be supported, and any
   mandatory-to-implement (MTI) cipher suites in that version MUST be
   supported as well.

   The server MUST support certificate-based client authentication.  The
   implementation MAY use any TLS cipher suite that supports mutual
   authentication.

   During the TLS negotiation, the client MUST carefully examine the
   certificate presented by the server to determine if it meets the
   client's expectations.  Particularly, the client MUST check its
   understanding of the server hostname against the server's identity as
   presented in the server Certificate message, in order to prevent man-
   in-the-middle attacks.  Matching is performed according to the rules
   laid out in the Security Considerations section of [RFC4642].





Field, et al.              Expires May 4, 2017                 [Page 10]


Internet-Draft                    ROLIE                     October 2016


   If the match fails, the client MUST either ask for explicit user
   confirmation or terminate the connection and indicate the server's
   identity is suspect.  Additionally, clients MUST verify the binding
   between the identity of the servers to which they connect and the
   public keys presented by those servers.  Clients SHOULD implement the
   algorithm in Section 6 of [RFC5280] for general certificate
   validation, but MAY supplement that algorithm with other validation
   methods that achieve equivalent levels of verification (such as
   comparing the server certificate against a local store of already-
   verified certificates and identity bindings).  If the client has
   external information as to the expected identity of the server, the
   hostname check MAY be omitted.

   The server MUST be capable of verifying the identity of the client
   with certificate-based authentication according to local policy to
   ensure that the incoming client request is legitimate before any
   configuration or state data is sent to or received from the client.

5.4.  User Authentication and Authorization

   Implementations MUST support user authentication.  User
   authentication MAY be enabled for specific Feeds.

   Servers participating in an information sharing consortium and
   supporting interactive user logins by members of the consortium
   SHOULD support client authentication via a federated identity scheme
   (e.g., SAML 2.0).

   This document does not mandate the use of any specific user
   authorization mechanisms.  However, service implementers SHOULD
   provide appropriate authorization checking for all resource accesses,
   including individual Atom Entries, Atom Feeds, and Atom Service
   Documents.

5.5.  / (forward slash) Resource URL

   The "/" resource MAY be provided for compatibility with existing
   deployments that are using Transport of Real-time Inter-network
   Defense (RID) Messages over HTTP/TLS [RFC6546].  If the "/" resource
   is supported the following behavior MUST be also supported:

   o  Consistent with RFC6546 errata, a client requesting a GET on "/"
      SHOULD receive an HTTP status code 405 Method Not Allowed.

   o  An implementation MAY provide full support for [RFC6546] such that
      a POST to "/" containing a recognized RID message is handled
      correctly as a RID request.  Alternatively, a client requesting a
      POST to "/" MAY receive an HTTP status code 307 Temporary



Field, et al.              Expires May 4, 2017                 [Page 11]


Internet-Draft                    ROLIE                     October 2016


      Redirect.  In this case, the location header in the HTTP response
      will provide the URL of the appropriate RID endpoint, and the
      client may repeat the POST method at the indicated location.

   If the "/" resource is unsupported, then a request for this resource
   MUST provide a 404 HTTP status code.

5.6.  HTTP methods

   Clients MUST be capable of recognizing and processing any standard
   HTTP status code, as defined in [RFC5023] Section 5.

6.  ROLIE Requirements for the Atom Syndication Format

   This section describes a number of restrictions of and extensions to
   the Atom Syndication Format [RFC4287] that define the use of that
   format in the context of a ROLIE-based solution.  The normative
   requirements in this section are generally oriented towards content
   to be published to a ROLIE repository.  An understanding of the Atom
   Syndication Format specification [RFC4287] is helpful to understand
   the requirements in this section.

6.1.  Use of the "atom:feed" element

   As described in RFC4287 section 4.1.1 [RFC4287], an Atom Feed is an
   XML-based document format that describes a list of related
   information items, also known as a Collection.  Each Feed document,
   represented using the atom:feed element, contains a collection of
   zero or more related information items individually called a "Member
   Entry" or "Entry".

   When applied to the problem domain of security automation information
   sharing, an Atom Feed may be used to represent any meaningful
   collection of security automation information resources.  Each Entry
   in an atom:feed represents an individual resource (e.g., a specific
   checklist , a software vulnerability record).  Additional Feeds can
   be used to represent other collections of security automation
   resources.

   The following Atom Feed definition represents a stricter definition
   of the atom:feed element defined in RFC 4287 for use in a ROLIE Any
   element not specified here inherits its definition and requirements
   from [RFC4287].








Field, et al.              Expires May 4, 2017                 [Page 12]


Internet-Draft                    ROLIE                     October 2016


      atomFeed =
         element atom:feed {
            atomCommonAttributes,
            (atomAuthor*
             & atomCategory+
             & atomContributor*
             & atomGenerator?
             & atomIcon?
             & atomId
             & atomLink+
             & atomLogo?
             & atomRights?
             & atomSubtitle?
             & atomTitle
             & atomUpdated
             & extensionElement*),
            atomEntry*
         }

6.1.1.  Use of the "atom:category" Element

   An atom:feed can be categorized and can contain information from zero
   or more categories.  In Atom the naming scheme and the semantic
   meaning of the terms used to identify an Atom category are
   application-defined.

   The following restrictions are imposed on the use of the
   atom:category element when used in an atom:feed:

   o  An atom:feed element MUST minimally contain a single atom:category
      element with the "scheme" attribute value of
      "urn:ietf:params:rolie:category:information-type".  This category
      MUST have an appropriate "term" attribute value as defined in
      section 7.1.1.  This ensures that a given Feed corresponds to a
      specific type of security automation information.  All member
      Entries in the Feed MUST represent security automation information
      records of this information type.

   o  Any atom:feed element that does not contain a child atom:category
      element with the "scheme" attribute value of
      "urn:ietf:params:rolie:category:information-type" MUST NOT be
      considered a ROLIE Collection.  This allows Feeds pertaining to
      security automation information to co-exist alongside Feeds of
      other non-ROLIE information within the same AtomPub instance.

   o  An atom:feed may include additional atom:category elements using a
      scheme other than "urn:ietf:params:rolie:category:information-
      type".  This allows other category metadata to be included.



Field, et al.              Expires May 4, 2017                 [Page 13]


Internet-Draft                    ROLIE                     October 2016


6.1.2.  Use of the "atom:link" Element

   Link relations defined by the atom:link element are used to represent
   state transitions using a stateless approach.  In Atom a type of link
   relationship can be defined using the "rel" attribute.

   A ROLIE atom:feed MUST contain one or more atom:link elements with
   rel="service" and href attribute whose value is a IRI that points to
   an Atom Service Document associated with the atom:feed.  When a
   client is presented with a Feed as its initial view into a
   repository, a link with the service relationship provides a means to
   discover additional security automation information.  The "service"
   link relationship is defined in the IANA Link Relations Registry [1].

   An atom:feed can contain an arbitrary number of Entries.  In some
   cases, a complete Feed may consist of a large number of Entries.
   Additionally, as new and updated Entries are ordered at the beginning
   of a Feed, a client may only be interested in retrieving the first N
   entries in a Feed to process only the Entries that have changed since
   the last retrieval of the Feed.  As a practical matter, a large set
   of Entries will likely need to be divided into more manageable
   portions.  Based on RFC5005 section 3 [RFC5005], link elements SHOULD
   be included in all Feeds to support paging using the following link
   relation types:

   o  "first" - Indicates that the href attribute value of the link
      identifies a resource IRI for the furthest preceding page of the
      Feed.

   o  "last" - Indicates that the href attribute value of the link
      identifies a resource IRI for the furthest following page of the
      Feed.

   o  "previous" - Indicates that the href attribute value of the link
      identifies a resource IRI for the immediately preceding page of
      the Feed.

   o  "next" - Indicates that the href attribute value of the link
      identifies a resource IRI for the immediately following page of
      the Feed.

   For example:









Field, et al.              Expires May 4, 2017                 [Page 14]


Internet-Draft                    ROLIE                     October 2016


     <?xml version="1.0" encoding="UTF-8"?>
     <feed xmlns="http://www.w3.org/2005/Atom">
         <id>b7f65304-b63b-4246-88e2-c104049c5fd7</id>
         <title>Paged Feed</title>
         <link rel="self" href="http://example.org/feedA?page=5"/>
         <link rel="first" href="http://example.org/feedA?page=1"/>
         <link rel="prev" href="http://example.org/feedA?page=4"/>
         <link rel="next" href="http://example.org/feedA?page=6"/>
         <link rel="last" href="http://example.org/feedA?page=10"/>
         <updated>2012-05-04T18:13:51.0Z</updated>

         <!-- remainder of feed elements -->
     </feed>

                            Example Paged Feed

   A reference to a historical Feed may need to be stable, and/or a Feed
   may need to be divided into a series of defined epochs.
   Implementations SHOULD support the mechanisms described in RFC5005
   section 4 [RFC5005] to provide link-based state transitions for
   maintaining archiving of Feeds.

   An atom:feed MAY include additional link relationships not specified
   in this document.  If a client encounters an unknown link
   relationship type, the client MUST ignore the unrecognized link and
   continue processing as if the unrecognized link element did not
   appear.  The definition of new Link relations that provide additional
   state transition extensions is discussed in section 7.3.

6.1.3.  Use of the "atom:updated" Element

   The atom:updated element MUST be populated with the current time at
   the instant the Feed representation was last updated by adding,
   updating, or deleting an Entry; or changing any metadata for the
   Feed.

6.2.  Use of the "atom:entry" Element

   Each Entry in an Atom Feed, represented by the atom:entry element,
   describes a single information record, format, and type combination.
   The following atom:entry schema definition represents a stricter
   representation of the atom:entry element defined in [RFC4287] for use
   in a ROLIE-based Atom Feed.








Field, et al.              Expires May 4, 2017                 [Page 15]


Internet-Draft                    ROLIE                     October 2016


     atomEntry =
       element atom:entry {
         atomCommonAttributes,
         (atomAuthor*
         & atomCategory*
         & atomContent
         & atomContributor*
         & atomId
         & atomLink*
         & atomPublished?
         & atomRights?
         & atomSource?
         & atomSummary?
         & atomTitle
         & atomUpdated
         & rolieFormat
         & extensionElement*)
     }

6.2.1.  Use of the "atom:content" Element

   There MUST be exactly one atomContent element in the Entry.  The
   content element MUST adhere to this definition, which is a stricter
   representation of the atom:content element defined in [RFC4287]:

     atomContent =
       element atom:content {
         atomCommonAttributes,
         attribute type { atomMediaType },
         attribute src { atomUri },
         empty
     }

   The type attribute MUST identify the serialization type of the
   content, for example, application/xml or application/json.  A
   prefixed media type MAY be used to reflect a specific model used with
   a given serialization approach (e.g., application/rdf+xml).  The src
   attribute MUST be an IRI that can be dereferenced to retrieve the
   related content data.

6.2.2.  Use of the "atom:link" Element

   Link relations can be included in an atom:entry to represent state
   transitions for the Entry.

   If there is a need to provide the same information in different data
   models and/or serialization formats, separate Entry instances can be
   included in the same or a different Feed.  Such an alternate content



Field, et al.              Expires May 4, 2017                 [Page 16]


Internet-Draft                    ROLIE                     October 2016


   representation can be indicated using an atom:link having a rel
   attribute with the value "alternate".

   An atom:feed MAY include additional link relationships not specified
   in this document.  If a client encounters an unknown link
   relationship type, the client MUST ignore the unrecognized link and
   continue processing as if the unrecognized link element did not
   appear.  The definition of new Link relations that provide additional
   state transition extensions is discussed in section 7.3.

6.2.3.  Use of the "rolie:format" Element

   As mentioned earlier, a key goal of this specification is to allow a
   consumer to review a set of published security automation information
   resources, and then identify and retrieve any resources of interest.
   The format of the data is a key criteria to consider when deciding
   what information to retrieve.  For a given type of security
   automation information, it is expected that a number of different
   formats may be used to represent this information.  To support this
   use case, both the serialization format and the specific data model
   expressed in that format must be known by the consumer.

   The rolie:format element is used to describe the data model used to
   express the information referenced in the atom:content element of an
   atom:entry.  It also allows a schema to be identified that can be
   used when parsing the content to verify or better understand the
   structure of the content.

   There MUST be exactly one rolie:format element in an atom:entry.  The
   element MUST adhere to this definition:

     rolieFormat =
       element rolie:format {
         atomCommonAttributes,
         attribute ns { atomURI },
         attribute version { text } ?,
         attribute schema-location { atomURI } ?,
         attribute schema-type { atomMediaType } ?,
         empty
     }

   The rolie:format element MUST provide a "ns" attribute that
   identifies the data model of the resource referenced by the
   atom:content element.  For example, the namespace used may be an XML
   namespace URI, or an identifier that represents a serialized JSON
   model.  The URI used for the "ns" attribute value MUST be an absolute
   or opaque URI.  The resource identified by the URI need not be
   resolvable.



Field, et al.              Expires May 4, 2017                 [Page 17]


Internet-Draft                    ROLIE                     October 2016


   The rolie:format element MAY provide a "version" attribute that
   identifies the version of the format used for the related
   atom:content.

   The rolie:format element MAY provide a "schema-location" element that
   is a URI that identifies a schema resource that can be used to
   validate the related atom:content.

   The rolie:format element MAY provide a "schema-type" element, which
   is a mime type identifying the format of the schema resource
   identified by the "schema-location" attribute.

6.2.4.  Requirements for a Standalone Entry

   If an Entry is ever shared as a standalone resource, separate from
   its containing Feed, then the following additional requirements
   apply:

   o  The Entry MUST have a atom:link element with rel="collection" and
      href="[IRI of the containing Collection]".  This allows the Feed
      or Feeds for which the Entry is a member to be discovered, along
      with the related information the Feed may contain.  In the case of
      the Entry have multiple containing Feeds, the Entry MUST have one
      atom:link for each related Feed.

   o  The Entry MUST declare the information type of the content
      resource referenced by the Entry (see Section 7.1.2).

7.  Available Extension Points Provided by ROLIE

   This specification does not require particular information types or
   data formats; rather, ROLIE is intended to be extended by additional
   specifications that define the use of new categories and link
   relations.  The primary point of extension is through the definition
   of new information type category terms.  Additional specifications
   can register new information type category terms with IANA that serve
   as the main characterizing feature of a ROLIE Collection/Feed or
   Resource/Entry.  These additional specifications defining new
   information type terms, can describe additional requirements for
   including specific categories, link relations, as well as, use of
   specific data formats supporting a given information type term.

7.1.  The Category Extension Point

   The atom:category element, defined in RFC 4287 section 4.2.2
   [RFC4287], provides a mechanism to provide additional categorization
   information for a content resource in ROLIE.  The ability to define
   new categories is one of the core extension points provided by Atom.



Field, et al.              Expires May 4, 2017                 [Page 18]


Internet-Draft                    ROLIE                     October 2016


   A Category Document, defined in RFC 5023 section 7 [RFC5023],
   provides a mechanism for an Atom repository to make discoverable the
   atom:category terms and allowed values used by a given repository.

   ROLIE further defines the use of the existing Atom extension category
   mechanism by allowing ROLIE specific category extensions to be
   registered with IANA, and additionally has assigned the
   "urn:ietf:params:rolie:category:information-type" category scheme
   that has special meaning for implementations of ROLIE.  This allows
   category scheme namespaces to be managed in a more consistent way,
   allowing for greater interoperability between content producers and
   consumers.

   Use of the "atom:category" element is discussed in the following
   subsections.

7.1.1.  General Use of the "atom:category" Element

   The atom:category element can be used for characterizing a ROLIE
   Resource.  As discussed earlier in this document, an atom:category
   element has a "term" attribute that indicates the assigned category
   value, and a "scheme" attribute that provides an identifier for the
   category type.  The "scheme" provides a means to describe how a set
   of category terms should be used and provides a namespace that can be
   used to differentiate terms provided by multiple organizations with
   different semantic meaning.

   To further differentiate category types used in ROLIE, an IANA sub-
   registry has been established for ROLIE protocol parameters to
   support the registration of new category "scheme" attribute values by
   ROLIE extension specifications.  Use of this extension point is
   discussed in section 8.3.

7.1.2.  Identification of Security Automation Information Types

   A ROLIE specific extension point is provided through the
   atom:category "scheme" value
   "urn:ietf:params:rolie:category:information-type".  This value is a
   Uniform Resource Name (URN) [RFC2141] that is registered with IANA as
   described in section 8.3.  When used as the "scheme" attribute in
   this way, the "term" attribute is expected to be a registered value
   as defined in section Section 8.4.  Through this mechanism a given
   security automation information type can be used to:

   1.  identify that an "app:collection" element in a Service Document
       points to an Atom Feed that contains Entries pertaining to a
       specific type of security automation information (see section
       5.1.2), or



Field, et al.              Expires May 4, 2017                 [Page 19]


Internet-Draft                    ROLIE                     October 2016


   2.  identify that an "atom:feed" element in an Atom Feed contains
       Entries pertaining to a specific type of security automation
       information (see section 6.1.1).

   3.  identify the information type of a standalone Resource (see
       section 6.2.4).

   For example, the notional security automation information type
   "incident" would be identified as follows:

      <atom:category
          scheme="urn:ietf:params:rolie:category:information-type"
          term="incident"/>

   A security automation information type represents a class of
   information that represents the same or similar information model
   [RFC3444].  Notional examples of information types include:

   indicator:  Computing device- or network-related "observable features
       and phenomenon that aid in the forensic or proactive detection of
       malicious activity; and associated meta-data" (from
       [I-D.ietf-mile-rfc5070-bis]).

   incident:  Information pertaining to and "derived analysis from
       security incidents" (from [I-D.ietf-mile-rfc5070-bis]).

   vulnerability reports:  Information identifying and describing a
       vulnerability in hardware or software.

   configuration checklists:  Content that can be used to assess the
       configuration settings related to installed software.

   software tags:  Metadata used to identify and characterize
       installable software.

   This is a short list to inspire new engineering of information type
   extensions that support the automation of security processes.

   This document does not specific any information types.  Instead,
   information types in ROLIE are expected to be registered in extension
   documents that describe one or more new information types.  This
   allows the information types used by ROLIE implementations to grow
   over time to support new security automation use cases.  These
   extension documents may also enhance ROLIE Service, Category, Feed,
   and Entry documents by defining link relations, other categories, and
   Format data model extensions to address the representational needs of
   these specific information types.  New information types are added to




Field, et al.              Expires May 4, 2017                 [Page 20]


Internet-Draft                    ROLIE                     October 2016


   ROLIE through registrations to the IANA ROLIE Security Resource
   Information Type registry defined in section 8.4.

7.2.  The "rolie:format" Extension Point

   Security automation data pertaining to a given information type may
   be expressed using a number of supported formats.  As described in
   section 6.2.3, the rolie:format element is used to describe the
   specific data model used to represent the resource referenced by a
   given "atom:entry".  The structure provided by the rolie:format
   element, provides a mechanism for extension within the atom:entry
   model.  ROLIE extensions MAY further restrict which data models are
   allowed to be used for a given information type.

   By declaring the data model used for a given Resource, a consumer can
   choose to download or ignore the Resource, or look for alternate
   formats.  This saves the consumer from downloading and parsing
   resources that the consumer is not interested in or resources
   expressed in formats that are not supported by the consumer.

7.3.  The Link Relation Extension Point

   This document uses several link relations defined in the IANA Link
   Relation Types registry [2].  Additional link relations can be
   registered in this registry to allow new relationships to be
   represented in ROLIE according to RFC 4287 section 4.2.7.2 [RFC4287].
   Based on the preceding reference, if the link relation is too
   specific or limited in the intended use, an absolute IRI can be used
   in lieu of registering a new simple name with IANA.

8.  IANA Considerations

   This document has a number of IANA considerations described in the
   following subsections.

8.1.  XML Namespaces and Schema URNs

   This document uses URNs to describe XML namespaces and XML schemas
   conforming to a registry mechanism described in [RFC3688].

   ROLIE XML Namespace  The ROLIE namespace (rolie-1.0) has been
       registered in the "ns" registry.

       URI: urn:ietf:params:xml:ns:rolie-1.0

       Registrant Contact: IESG

       XML: None.  Namespace URIs do not represent an XML specification.



Field, et al.              Expires May 4, 2017                 [Page 21]


Internet-Draft                    ROLIE                     October 2016


   ROLIE XML Schema  The ROLIE schema (rolie-1.0) has been registered in
       the "schema" registry.

       URI: urn:ietf:params:xml:schema:rolie-1.0

       Registrant Contact: IESG

       XML: See section A of this document.

8.2.  ROLIE URN Sub-namespace

   IANA has added an entry to the "IETF URN Sub-namespace for Registered
   Protocol Parameter Identifiers" registry located at
   <http://www.iana.org/assignments/params/params.xml#params-1> as per
   RFC3553 [RFC3553].

   The entry is as follows:

      Registry name: rolie

      Specification: This document

      Repository: ROLIE URN Parameters.  See Section 8.3 [TO BE REMOVED:
      This registration should take place at the following location:
      https://www.iana.org/assignments/rolie]

      Index value: See Section 8.3

8.3.  ROLIE URN Parameters

   A new top-level registry has been created, entitled "Resource
   Oriented Lightweight Information Exchange (ROLIE) Parameters".  [TO
   BE REMOVED: This registration should take place at the following
   location: https://www.iana.org/assignments/rolie]

   In this top-level registry, a sub-registry entitled "ROLIE URN
   Parameters" has been created.  Registration in this repository is via
   the Specification Required policy [RFC5226].  Designated Expert
   reviews should be routed through the MILE WG mailing list.  Failing
   this, the Designated Expert will be assigned by the IESG.

   Each entry in this sub-registry must record the following fields:

      Name: A URN segment that adheres to the pattern {type}:{label}.
      The keywords are defined as follows:

         {type}: The parameter type.  The allowed value is "category".
         "category" denotes a category extension as discussed in



Field, et al.              Expires May 4, 2017                 [Page 22]


Internet-Draft                    ROLIE                     October 2016


         Section 7.1.  While a single value is used in this
         specification, future revisions or extensions of this
         specification may define additional {type} values.

         {label}: A required US-ASCII string that conforms to the URN
         syntax requirements (see [RFC2141]).  This string must be
         unique within the namespace defined by the {type} keyword.

      Extension IRI: The identifier to use within ROLIE, which is the
      full URN using the form: urn:ietf:params:rolie:{name}, where
      {name} is the "name" field of this registration.

      Reference: A static link to the specification and section that the
      definition of the parameter can be found.

      Sub-registry: An optional field that links to an IANA sub-registry
      for this parameter.  If the {type} is "category", the sub-registry
      must contain a "name" field whose registered values MUST be US-
      ASCII.  The list of names are the allowed values of the "term"
      attribute in the atom:category element.  (See Section 7.1.2).

   This repository has the following initial values:

   +-----------+--------------------+------+---------------------------+
   | Name      | Extension IRI      | Refe | Sub-Registry              |
   |           |                    | renc |                           |
   |           |                    | e    |                           |
   +-----------+--------------------+------+---------------------------+
   | category: | urn:ietf:params:ro | This | [TO BE REMOVED: This      |
   | informati | lie:category       | docu | registration should take  |
   | on-type   | :information-type  | ment | place at the following    |
   |           |                    | , Se | location: https://www.ian |
   |           |                    | ctio | a.org/assignments/rolie/c |
   |           |                    | n    | ategory/information-type] |
   |           |                    | 9.4  |                           |
   +-----------+--------------------+------+---------------------------+

8.4.  ROLIE Security Resource Information Type Sub-Registry

   A new sub-registry has been created to store ROLIE information type
   values.

      Name of Registry: "ROLIE Information Types"

      Location of Registry:
      https://www.iana.org/assignments/rolie/category/information-type

      Fields to record in the registry:



Field, et al.              Expires May 4, 2017                 [Page 23]


Internet-Draft                    ROLIE                     October 2016


         name: The full name of the security resource information type
         as a string from the printable ASCII character set [RFC0020]
         with individual embedded spaces allowed.  The ABNF [RFC5234]
         syntax for this field is:

            1*VCHAR *(SP 1*VCHAR)

         index: This is an IANA-assigned positive integer that
         identifies the registration.  The first entry added to this
         registry uses the value 1, and this value is incremented for
         each subsequent entry added to the registry.

         reference: A list of one or more URIs [RFC3986] from which the
         registered specification can be obtained.  The registered
         specification MUST be readily and publicly available from that
         URI.  The URI SHOULD be a stable reference.

      Allocation Policy: Specification required as per [RFC5226]

9.  Security Considerations

   This document defines a resource-oriented approach for lightweight
   information exchange using HTTP over TLS, the Atom Syndication
   Format, and the Atom Publishing Protocol.  As such, implementers must
   understand the security considerations described in those
   specifications.  All that follows is guidance, more specific
   instruction is out of scope for this document and will be located in
   a dedicated informational document.

   All security measures SHOULD be enforced at the source, that is, a
   provider SHOULD NOT return any Feed content or member Entry content
   for which the client identity has not been specifically
   authenticated, authorized, and audited.

   The approach described herein is based upon all policy enforcements
   being implemented at the point when a resource representation is
   created.  As such, producers sharing cyber security information using
   this specification must take care to authenticate their HTTP clients
   using a suitably strong user authentication mechanism.  Sharing
   communities that are exchanging information on well-known indicators
   and incidents for purposes of public education may choose to rely
   upon HTTP Authentication or similar.  However, sharing communities
   that are engaged in sensitive collaborative analysis and/or
   operational response for indicators and incidents targeting high
   value information systems should adopt a suitably stronger user
   authentication solution, such as a risk-based or multi-factor
   approach.  In general, trust in the sharing consortium will depend
   upon the members maintaining adequate user authentication mechanisms.



Field, et al.              Expires May 4, 2017                 [Page 24]


Internet-Draft                    ROLIE                     October 2016


   Collaborating consortiums may benefit from the adoption of a
   federated identity solution, such as those based upon SAML-core
   [SAML-core], SAML-bind [SAML-bind], and SAML-prof [SAML-prof] for
   Web-based authentication and cross-organizational single sign-on.
   Dependency on a trusted third party identity provider implies that
   appropriate care must be exercised to sufficiently secure the
   Identity provider.  Any attacks on the federated identity system
   would present a risk to the CSIRT, as a relying party.  Potential
   mitigations include deployment of a federation-aware identity
   provider that is under the control of the information sharing
   consortium, with suitably stringent technical and management
   controls.

   Authorization of resource representations is the responsibility of
   the source system, i.e. based on the authenticated user identity
   associated with an HTTP(S) request.  The required authorization
   policies that are to be enforced must therefore be managed by the
   security administrators of the source system.  Various authorization
   architectures would be suitable for this purpose, such as RBAC [3]
   and/or ABAC, as embodied in XACML [XACML].  In particular,
   implementers adopting XACML may benefit from the capability to
   represent their authorization policies in a standardized,
   interoperable format.  Note that implementers are free to choose any
   suitable authorization mechanism that is capable of fulfilling the
   policy enforcement requirements relevant to their consortium and/or
   organization.

   Additional security requirements such as enforcing message-level
   security at the destination system could supplement the security
   enforcements performed at the source system, however these
   destination-provided policy enforcements are out of scope for this
   specification.  Implementers requiring this capability should
   consider leveraging, e.g. the <RIDPolicy> element in the RID schema.
   Refer to RFC6545 section 9 for more information.

   When security policies relevant to the source system are to be
   enforced at both the source and destination systems, implementers
   must take care to avoid unintended interactions of the separately
   enforced policies.  Potential risks will include unintended denial of
   service and/or unintended information leakage.  These problems may be
   mitigated by avoiding any dependence upon enforcements performed at
   the destination system.  When distributed enforcement is unavoidable,
   the usage of a standard language (e.g.  XACML) for the expression of
   authorization policies will enable the source and destination systems
   to better coordinate and align their respective policy expressions.

   Adoption of the information sharing approach described in this
   document will enable users to more easily perform correlations across



Field, et al.              Expires May 4, 2017                 [Page 25]


Internet-Draft                    ROLIE                     October 2016


   separate, and potentially unrelated, cyber security information
   providers.  A client may succeed in assembling a data set that would
   not have been permitted within the context of the authorization
   policies of either provider when considered individually.  Thus,
   providers may face a risk of an attacker obtaining an access that
   constitutes an undetected separation of duties (SOD) violation.  It
   is important to note that this risk is not unique to this
   specification, and a similar potential for abuse exists with any
   other cyber security information sharing protocol.  However, the wide
   availability of tools for HTTP clients and Atom Feed handling implies
   that the resources and technical skills required for a successful
   exploit may be less than it was previously.  This risk can be best
   mitigated through appropriate vetting of the client at account
   provisioning time.  In addition, any increase in the risk of this
   type of abuse should be offset by the corresponding increase in
   effectiveness that this specification affords to the defenders.

10.  Acknowledgements

   The authors gratefully acknowledge the valuable contributions of Tom
   Maguire, Kathleen Moriarty, and Vijayanand Bharadwaj.  These
   individuals provided detailed review comments on earlier drafts, and
   made many suggestions that have helped to improve this document.

11.  References

11.1.  Normative References

   [RFC0020]  Cerf, V., "ASCII format for network interchange", STD 80,
              RFC 20, DOI 10.17487/RFC0020, October 1969,
              <http://www.rfc-editor.org/info/rfc20>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004,
              <http://www.rfc-editor.org/info/rfc3688>.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, DOI 10.17487/RFC3986, January 2005,
              <http://www.rfc-editor.org/info/rfc3986>.






Field, et al.              Expires May 4, 2017                 [Page 26]


Internet-Draft                    ROLIE                     October 2016


   [RFC4287]  Nottingham, M., Ed. and R. Sayre, Ed., "The Atom
              Syndication Format", RFC 4287, DOI 10.17487/RFC4287,
              December 2005, <http://www.rfc-editor.org/info/rfc4287>.

   [RFC5005]  Nottingham, M., "Feed Paging and Archiving", RFC 5005,
              DOI 10.17487/RFC5005, September 2007,
              <http://www.rfc-editor.org/info/rfc5005>.

   [RFC5023]  Gregorio, J., Ed. and B. de hOra, Ed., "The Atom
              Publishing Protocol", RFC 5023, DOI 10.17487/RFC5023,
              October 2007, <http://www.rfc-editor.org/info/rfc5023>.

   [RFC5070]  Danyliw, R., Meijer, J., and Y. Demchenko, "The Incident
              Object Description Exchange Format", RFC 5070,
              DOI 10.17487/RFC5070, December 2007,
              <http://www.rfc-editor.org/info/rfc5070>.

   [RFC6546]  Trammell, B., "Transport of Real-time Inter-network
              Defense (RID) Messages over HTTP/TLS", RFC 6546,
              DOI 10.17487/RFC6546, April 2012,
              <http://www.rfc-editor.org/info/rfc6546>.

   [RFC3553]  Mealling, M., Masinter, L., Hardie, T., and G. Klyne, "An
              IETF URN Sub-namespace for Registered Protocol
              Parameters", BCP 73, RFC 3553, DOI 10.17487/RFC3553, June
              2003, <http://www.rfc-editor.org/info/rfc3553>.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              DOI 10.17487/RFC5226, May 2008,
              <http://www.rfc-editor.org/info/rfc5226>.

   [W3C.REC-xml-names-20091208]
              Bray, T., Hollander, D., Layman, A., Tobin, R., and H.
              Thompson, "Namespaces in XML 1.0 (Third Edition)", World
              Wide Web Consortium Recommendation REC-xml-names-20091208,
              December 2009,
              <http://www.w3.org/TR/2009/REC-xml-names-20091208>.

   [RFC7589]  Badra, M., Luchuk, A., and J. Schoenwaelder, "Using the
              NETCONF Protocol over Transport Layer Security (TLS) with
              Mutual X.509 Authentication", RFC 7589,
              DOI 10.17487/RFC7589, June 2015,
              <http://www.rfc-editor.org/info/rfc7589>.







Field, et al.              Expires May 4, 2017                 [Page 27]


Internet-Draft                    ROLIE                     October 2016


   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
              <http://www.rfc-editor.org/info/rfc5280>.

   [RFC4642]  Murchison, K., Vinocur, J., and C. Newman, "Using
              Transport Layer Security (TLS) with Network News Transfer
              Protocol (NNTP)", RFC 4642, DOI 10.17487/RFC4642, October
              2006, <http://www.rfc-editor.org/info/rfc4642>.

   [relax-NG]
              Clark, J., Ed., "RELAX NG Compact Syntax", 11 2002,
              <https://www.oasis-open.org/committees/relax-ng/compact-
              20021121.html>.

   [SAML-core]
              Cantor, S., Kemp, J., Philpott, R., and E. Maler,
              "Assertions and Protocol for the OASIS Security Assertion
              Markup Language (SAML) V2.0", OASIS Standard saml-core-
              2.0-os, March 2005, <http://docs.oasis-
              open.org/security/saml/v2.0/saml-core-2.0-os.pdf>.

   [SAML-prof]
              Hughes, J., Cantor, S., Hodges, J., Hirsch, F., Mishra,
              P., Philpott, R., and E. Maler, "Profiles for the OASIS
              Security Assertion Markup Language (SAML) V2.0", OASIS
              Standard OASIS.saml-profiles-2.0-os, March 2005,
              <http://docs.oasis-open.org/security/saml/v2.0/
              saml-profiles-2.0-os.pdf>.

   [SAML-bind]
              Cantor, S., Hirsch, F., Kemp, J., Philpott, R., and E.
              Maler, "Bindings for the OASIS Security Assertion Markup
              Language (SAML) V2.0", OASIS Standard saml-bindings-
              2.0-os, March 2005, <http://docs.oasis-
              open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf>.

11.2.  Informative References

   [RFC2141]  Moats, R., "URN Syntax", RFC 2141, DOI 10.17487/RFC2141,
              May 1997, <http://www.rfc-editor.org/info/rfc2141>.

   [RFC3444]  Pras, A. and J. Schoenwaelder, "On the Difference between
              Information Models and Data Models", RFC 3444,
              DOI 10.17487/RFC3444, January 2003,
              <http://www.rfc-editor.org/info/rfc3444>.




Field, et al.              Expires May 4, 2017                 [Page 28]


Internet-Draft                    ROLIE                     October 2016


   [I-D.ietf-mile-rfc5070-bis]
              Danyliw, R., "The Incident Object Description Exchange
              Format v2", draft-ietf-mile-rfc5070-bis-26 (work in
              progress), October 2016.

   [RFC5234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234,
              DOI 10.17487/RFC5234, January 2008,
              <http://www.rfc-editor.org/info/rfc5234>.

   [xmldsig]  Bartel, M., Boyer, J., Fox, B., LaMacchia, B., and E.
              Simon, "XML Signature Syntax and Processing (Second
              Edition)", June 2008, <https://www.w3.org/TR/xmldsig-
              core/>.

   [xmlenc]   Imamura, T., Dillaway, B., and E. Simon, "XML Encryption
              Syntax and Processing", December 2002,
              <https://www.w3.org/TR/xmlenc-core/>.

   [XACML]    Rissanen, E., "eXtensible Access Control Markup Language
              (XACML) Version 3.0", August 2010, <http://docs.oasis-
              open.org/xacml/3.0/xacml-3.0-core-spec-cs-01-en.pdf>.

   [REST]     Fielding, R., "Architectural Styles and the Design of
              Network-based Software Architectures", 2000,
              <http://www.ics.uci.edu/~fielding/pubs/dissertation/
              top.htm>.

11.3.  URIs

   [1] https://www.iana.org/assignments/link-relations/link-
       relations.xhtml

   [2] https://www.iana.org/assignments/link-relations/link-
       relations.xhtml

   [3] http://csrc.nist.gov/groups/SNS/rbac/

Appendix A.  Relax NG Compact Schema for ROLIE

   This appendix is informative.

   The Relax NG schema below defines the rolie:format element.








Field, et al.              Expires May 4, 2017                 [Page 29]


Internet-Draft                    ROLIE                     October 2016


    # -*- rnc -*-
    # RELAX NG Compact Syntax Grammar for the rolie:format element

    namespace rolie = "urn:ietf:params:xml:ns:rolie-1.0"
    namespace atom = "http://www.w3.org/2005/Atom"

    # rolie:format

    rolieFormat =
       element rolie:format {
          atom:atomCommonAttributes,
          attribute ns { atom:atomURI },
          attribute version { text } ?,
          attribute schema-location { atom:atomURI } ?,
          attribute schema-type { atom:atomMediaType } ?,
          empty
       }

Appendix B.  Examples of Use

B.1.  Service Discovery

   This section provides a non-normative example of a client doing
   service discovery.

   An Atom service document enables a client to dynamically discover
   what Feeds a particular publisher makes available.  Thus, a provider
   uses an Atom service document to enable clients or other authorized
   parties to determine what specific information the provider makes
   available to the community.  While the service document is at a
   required location, the service document could also be made available
   at any well known location, such as via a link from the producer's
   home page.

   A client may format an HTTP GET request to retrieve the service
   document from the specified location:

     GET /rolie/servicedocument
     Host: www.example.org
     Accept: application/atomsvc+xml

   Notice the use of the HTTP Accept: request header, indicating the
   MIME type for Atom service discovery.  The response to this GET
   request will be an XML document that contains information on the
   specific Feed Collections that are provided by the provider.

   Example HTTP GET response:




Field, et al.              Expires May 4, 2017                 [Page 30]


Internet-Draft                    ROLIE                     October 2016


    HTTP/1.1 200 OK
    Date: Fri, 24 Aug 2012 17:09:11 GMT
    Content-Length: 570
    Content-Type: application/atomsvc+xml;charset="utf-8"

    <?xml version="1.0" encoding="UTF-8"?>
    <service xmlns="http://www.w3.org/2007/app"
        xmlns:atom="http://www.w3.org/2005/Atom">
      <workspace>
        <atom:title type="text">Vulnerabilities</atom:title>
        <collection href="http://example.org/provider/vulns">
          <atom:title type="text">Vulnerabilities Feed</atom:title>
          <categories fixed="yes">
            <atom:category
                scheme="urn:ietf:params:rolie:category:information-type"
                term="vulnerability"/>
          </categories>
        </collection>
      </workspace>
    </service>

   This simple Service Document example shows that this server provides
   one workspace, named "Vunerabilities".  Within that workspace, the
   producer makes one Feed Collection available.

   A server may also offer a number of different Feeds, each containing
   different types of security automation information.  In the following
   example, the Feeds have been categorized.  This categorization will
   help the clients to decide which Feeds will meet their needs.






















Field, et al.              Expires May 4, 2017                 [Page 31]


Internet-Draft                    ROLIE                     October 2016


    HTTP/1.1 200 OK
    Date: Fri, 24 Aug 2012 17:10:11 GMT
    Content-Length: 1912
    Content-Type: application/atomsvc+xml;charset="utf-8"

    <?xml version="1.0" encoding='utf-8'?>
    <service xmlns="http://www.w3.org/2007/app"
        xmlns:atom="http://www.w3.org/2005/Atom">
      <workspace>
        <atom:title>Public Security Information Sharing</atom:title>
        <collection
            href="http://example.org/provider/public/vulns">
          <atom:title>Public Vulnerabilities</atom:title>
          <link rel="service"
            href="www.example.com/rolie/servicedocument">
          <categories fixed="yes">
            <atom:category
                scheme="urn:ietf:params:rolie:category:information-type"
                term="vulnerability"/>
          </categories>
        </collection>
      </workspace>
      <workspace>
        <atom:title>Private Consortium Sharing</atom:title>
        <collection
            href="http://example.org/provider/private/vulns">
          <atom:title>Incidents</atom:title>
          <link rel="service"
            href="www.example.com/rolie/servicedocument">
          <categories fixed="yes">
            <atom:category
                scheme="urn:ietf:params:rolie:category:information-type"
                term="incidents"/>
          </categories>
        </collection>
      </workspace>
    </service>

   In this example, the provider is making available a total of two Feed
   Collections, organized into two different workspaces.  The first
   workspace contains a Feed consisting of publicly available software
   vulnerabilities.  The second workspace provides one additional
   vulnerability Feed, for use by a private sharing consortium.  An
   appropriately authenticated and authorized client may then proceed to
   make GET requests for one or more of these Feeds.  The publicly
   provided incident information may be accessible with or without
   authentication.  However, users accessing the Feed targeted to the
   private sharing consortium would be expected to authenticate, and



Field, et al.              Expires May 4, 2017                 [Page 32]


Internet-Draft                    ROLIE                     October 2016


   appropriate authorization policies would subsequently be enforced by
   the Feed provider.

B.2.  Feed Retrieval

   This section provides a non-normative example of a client retrieving
   an incident Feed.

   Having discovered the available security information sharing Feeds, a
   client who is a member of the general public may be interested in
   receiving the Feed of public vulnerabilities.  The client may
   retrieve this Feed by performing an HTTP GET operation on the
   indicated URL.

   Example HTTP GET request for a Feed:

     GET /provider/vulns
     Host: www.example.org
     Accept: application/atom+xml

   The corresponding HTTP response would be an XML document containing
   the incidents Feed:

   Example HTTP GET response for a Feed:



























Field, et al.              Expires May 4, 2017                 [Page 33]


Internet-Draft                    ROLIE                     October 2016


     HTTP/1.1 200 OK
     Date: Fri, 24 Aug 2012 17:20:11 GMT
     Content-Length: 2882
     Content-Type: application/atom+xml;type=feed;charset="utf-8"

     <?xml version="1.0" encoding="UTF-8"?>
     <feed xmlns="http://www.w3.org/2005/Atom"
         xml:lang="en-US">
       <id>http://www.example.org/provider/vulns</id>
       <title type="text">
           Atom formatted representation of
           a feed of XML incident documents
       </title>
       <atom:category
           scheme="urn:ietf:params:rolie:category:information-type"
           term="vulnerability"/>
       <updated>2012-05-04T18:13:51.0Z</updated>
       <link rel="self" href="http://example.org/provider/vulns" />
       <link rel="service"
           href="http://example.org/rolie/servicedocument"/>
       <entry>
         <rolie:format ns="urn:ietf:params:xml:ns:exampleformat"/>
         <id>
             http://www.example.org/provider/vulns/123456
         </id>
         <title>Sample Incident</title>
         <published>2014-08-04T18:13:51.0Z</published>
         <updated>2014-08-05T18:13:51.0Z</updated>
         <summary>A short description of this resource</summary>
         <content type="application/xml"
             src="http://www.example.org/provider/vulns/123456/data"
       </entry>

       <entry>
           <!-- ...another entry... -->
       </entry>

     </feed>

   This Feed document has two atom entries, one of which has been
   elided.  The completed Entry illustrates an Atom <entry> element that
   provides a summary of essential details about one particular
   incident.  Based upon this summary information and the provided
   category information, a client may choose to do an HTTP GET operation
   to retrieve the full details of the incident.  This example
   exemplifies the benefits a RESTful alternative has to traditional
   point-to-point messaging systems.




Field, et al.              Expires May 4, 2017                 [Page 34]


Internet-Draft                    ROLIE                     October 2016


B.3.  Entry Retrieval

   This section provides a non-normative example of a client retrieving
   an incident as an Atom Entry.

   Having retrieved the Feed of interest, the client may then decide
   based on the description and/or category information that one of the
   entries in the Feed is of further interest.  The client may retrieve
   this incident Entry by performing an HTTP GET operation on the
   indicated URL.

   Example HTTP GET request for an Entry:

     GET /provider/vulns/123456
     Host: www.example.org
     Accept: application/atom+xml

   The corresponding HTTP response would be an XML document containing
   the incident:

   Example HTTP GET response for an Entry:

     HTTP/1.1 200 OK
     Date: Fri, 24 Aug 2012 17:30:11 GMT
     Content-Length: 4965
     Content-Type: application/atom+xml;type=entry;charset="utf-8"

     <?xml version="1.0" encoding="UTF-8"?>
     <entry>
       <id>http://www.example.org/provider/vulns/123456</id>
       <title>Sample Incident</title>
       <published>2012-08-04T18:13:51.0Z</published>
       <updated>2012-08-05T18:13:51.0Z</updated>
       <atom:category
           scheme="urn:ietf:params:rolie:category:information-type"
           term="incident"/>
       <summary>A short description of this incident resource</summary>
       <rolie:format ns="urn:ietf:params:xml:ns:exampleformat"/>
       <content type="application/xml"
           src="http://www.example.org/provider/vulns/123456/data">
       </content>
     </entry>

   As can be seen in the example response, above, an XML document is
   linked to in the attributes of the Atom <content> element.  The
   client may now process the XML document as needed.





Field, et al.              Expires May 4, 2017                 [Page 35]


Internet-Draft                    ROLIE                     October 2016


   Note also that, as described previously, the content of the Atom
   <category> element is application-defined.  The Atom categories have
   been assigned based on the IANA table content model.

   Finally, it should be noted that in order to optimize the client
   experience, and avoid an additional round trip, a Feed provider may
   choose to include certain Entry elements inline, as part of the Feed
   document.  That is, an Atom <entry> element within a Feed document
   may contain arbitrary non-required Atom elements as children.  In
   this case, the client will receive the more explicit information on
   entries from within the Feed.  The decision of whether to include
   extra Entry elements inline or to include it as a link is a design
   choice left to the Feed provider (e.g. based upon local environmental
   factors such as the number of entries contained in a Feed, the
   available network bandwidth, the available server compute cycles, the
   expected client usage patterns, etc.).

Appendix C.  Change History

   Changes in draft-ietf-mile-rolie-04 since draft-ietf-mile-rolie-04
   version, July 8, 2016 to October 31, 2016

   o  Further specification and clarification of requirements

   o  IANA Considerations and extension system fleshed out and
      described.

   o  Examples and References updated.

   o  Schema created.

   o  Fixed both internal section and external document referencing.

   o  Removed XACML Guidance Appendix.  This will be added to a future
      draft on ROLIE Authentication and Access Control.

   Changes made in draft-ietf-mile-rolie-03 since draft-ietf-mile-
   rolie-02 version, May 27, 2016 to July 8, 2015

   o  Atom Syndication and Atom Pub requirements split and greatly
      expanded for increased justification and technical specification.

   o  Reintroduction and reformatting of some use case examples in order
      to provide some guidance on use.

   o  Established rough version of IANA table extension system along
      with explanations of said system.




Field, et al.              Expires May 4, 2017                 [Page 36]


Internet-Draft                    ROLIE                     October 2016


   o  Re-organized document to put non-vital information in appendices.

   Changes made in draft-ietf-mile-rolie-02 since draft-field-mile-
   rolie-01 version, December, 2015 to May 27, 2016:

   o  All CSIRT and IODEF/RID material moved to companion CSIRT document
      TODO: add reference

   o  Recast document into a more general use perspective.  The
      implication of CSIRTs as the defacto end-user has been removed
      where ever possible.  All of the original CSIRT based use cases
      remain completely supported by this document, it has been opened
      up to support many other use cases.

   o  Changed the content model to broaden support of representation

   o  Edited and rewrote much of sections 1,2 and 3 in order to
      accomplish a broader scope and greater readability

   o  Removed any requirements from the Background section and, if not
      already stated, placed them in the requirements section

   o  Re-formatted the requirements section to make it clearer that it
      contains the lions-share of the requirements of the specification

   Changes made in draft-ietf-mile-rolie-01 since draft-field-mile-
   rolie-02 version, August 15, 2013 to December 2, 2015:

   o  Added section specifying the use of RFC5005 for Archive and Paging
      of Feeds.

   o  Added section describing use of atom categories that correspond to
      IODEF expectation class and impact classes.  See: normative-
      expectation-impact

   o  Dropped references to adoption of a MILE-specific HTTP media type
      parameter.

   o  Updated IANA Considerations section to clarify that no IANA
      actions are required.

Authors' Addresses









Field, et al.              Expires May 4, 2017                 [Page 37]


Internet-Draft                    ROLIE                     October 2016


   John P. Field
   Pivotal Software, Inc.
   625 Avenue of the Americas
   New York, New York
   USA

   Phone: (646)792-5770
   Email: jfield@pivotal.io


   Stephen A. Banghart
   National Institute of Standards and Technology
   100 Bureau Drive
   Gaithersburg, Maryland
   USA

   Phone: (301)975-4288
   Email: sab3@nist.gov


   David Waltermire
   National Institute of Standards and Technology
   100 Bureau Drive
   Gaithersburg, Maryland  20877
   USA

   Email: david.waltermire@nist.gov
























Field, et al.              Expires May 4, 2017                 [Page 38]