draft-ietf-mile-rfc5070-bis-21.txt   draft-ietf-mile-rfc5070-bis-22.txt 
MILE Working Group R. Danyliw MILE Working Group R. Danyliw
Internet-Draft CERT Internet-Draft CERT
Obsoletes: 5070 (if approved) May 10, 2016 Obsoletes: 5070 (if approved) May 26, 2016
Intended status: Standards Track Intended status: Standards Track
Expires: November 11, 2016 Expires: November 27, 2016
The Incident Object Description Exchange Format v2 The Incident Object Description Exchange Format v2
draft-ietf-mile-rfc5070-bis-21 draft-ietf-mile-rfc5070-bis-22
Abstract Abstract
The Incident Object Description Exchange Format (IODEF) defines a The Incident Object Description Exchange Format (IODEF) defines a
data representation for security incident reports and cyber data representation for security incident reports and cyber
indicators commonly exchanged by operational security teams for indicators commonly exchanged by operational security teams for
mitigation and watch and warning. This document describes an updated mitigation and watch and warning. This document describes an updated
information model for the IODEF and provides an associated data model information model for the IODEF and provides an associated data model
specified with XML Schema. This new information and data model specified with XML Schema. This new information and data model
obsoletes Request for Comment (RFC) 5070, "The Incident Object obsoletes Request for Comment (RFC) 5070, "The Incident Object
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 11, 2016. This Internet-Draft will expire on November 27, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 23 skipping to change at page 3, line 23
3.9.2. PostalAddress Class . . . . . . . . . . . . . . . . . 33 3.9.2. PostalAddress Class . . . . . . . . . . . . . . . . . 33
3.9.3. Email Class . . . . . . . . . . . . . . . . . . . . . 34 3.9.3. Email Class . . . . . . . . . . . . . . . . . . . . . 34
3.9.4. Telephone Class . . . . . . . . . . . . . . . . . . . 35 3.9.4. Telephone Class . . . . . . . . . . . . . . . . . . . 35
3.10. Discovery Class . . . . . . . . . . . . . . . . . . . . . 36 3.10. Discovery Class . . . . . . . . . . . . . . . . . . . . . 36
3.10.1. DetectionPattern Class . . . . . . . . . . . . . . . 38 3.10.1. DetectionPattern Class . . . . . . . . . . . . . . . 38
3.11. Method Class . . . . . . . . . . . . . . . . . . . . . . 39 3.11. Method Class . . . . . . . . . . . . . . . . . . . . . . 39
3.11.1. Reference Class . . . . . . . . . . . . . . . . . . 40 3.11.1. Reference Class . . . . . . . . . . . . . . . . . . 40
3.12. Assessment Class . . . . . . . . . . . . . . . . . . . . 41 3.12. Assessment Class . . . . . . . . . . . . . . . . . . . . 41
3.12.1. SystemImpact Class . . . . . . . . . . . . . . . . . 43 3.12.1. SystemImpact Class . . . . . . . . . . . . . . . . . 43
3.12.2. BusinessImpact Class . . . . . . . . . . . . . . . . 45 3.12.2. BusinessImpact Class . . . . . . . . . . . . . . . . 45
3.12.3. TimeImpact Class . . . . . . . . . . . . . . . . . . 47 3.12.3. TimeImpact Class . . . . . . . . . . . . . . . . . . 48
3.12.4. MonetaryImpact Class . . . . . . . . . . . . . . . . 49 3.12.4. MonetaryImpact Class . . . . . . . . . . . . . . . . 49
3.12.5. Confidence Class . . . . . . . . . . . . . . . . . . 50 3.12.5. Confidence Class . . . . . . . . . . . . . . . . . . 50
3.13. History Class . . . . . . . . . . . . . . . . . . . . . . 51 3.13. History Class . . . . . . . . . . . . . . . . . . . . . . 51
3.13.1. HistoryItem Class . . . . . . . . . . . . . . . . . 52 3.13.1. HistoryItem Class . . . . . . . . . . . . . . . . . 52
3.14. EventData Class . . . . . . . . . . . . . . . . . . . . . 54 3.14. EventData Class . . . . . . . . . . . . . . . . . . . . . 54
3.14.1. Relating the Incident and EventData Classes . . . . 56 3.14.1. Relating the Incident and EventData Classes . . . . 56
3.14.2. Recursive Definition of EventData . . . . . . . . . 56 3.14.2. Recursive Definition of EventData . . . . . . . . . 56
3.15. Expectation Class . . . . . . . . . . . . . . . . . . . . 57 3.15. Expectation Class . . . . . . . . . . . . . . . . . . . . 57
3.16. Flow Class . . . . . . . . . . . . . . . . . . . . . . . 60 3.16. Flow Class . . . . . . . . . . . . . . . . . . . . . . . 60
3.17. System Class . . . . . . . . . . . . . . . . . . . . . . 61 3.17. System Class . . . . . . . . . . . . . . . . . . . . . . 61
skipping to change at page 4, line 17 skipping to change at page 4, line 17
3.26. HashData Class . . . . . . . . . . . . . . . . . . . . . 89 3.26. HashData Class . . . . . . . . . . . . . . . . . . . . . 89
3.26.1. Hash Class . . . . . . . . . . . . . . . . . . . . . 91 3.26.1. Hash Class . . . . . . . . . . . . . . . . . . . . . 91
3.26.2. FuzzyHash Class . . . . . . . . . . . . . . . . . . 91 3.26.2. FuzzyHash Class . . . . . . . . . . . . . . . . . . 91
3.27. SignatureData Class . . . . . . . . . . . . . . . . . . . 92 3.27. SignatureData Class . . . . . . . . . . . . . . . . . . . 92
3.28. IndicatorData Class . . . . . . . . . . . . . . . . . . . 93 3.28. IndicatorData Class . . . . . . . . . . . . . . . . . . . 93
3.29. Indicator Class . . . . . . . . . . . . . . . . . . . . . 93 3.29. Indicator Class . . . . . . . . . . . . . . . . . . . . . 93
3.29.1. IndicatorID Class . . . . . . . . . . . . . . . . . 96 3.29.1. IndicatorID Class . . . . . . . . . . . . . . . . . 96
3.29.2. AlternativeIndicatorID Class . . . . . . . . . . . . 96 3.29.2. AlternativeIndicatorID Class . . . . . . . . . . . . 96
3.29.3. Observable Class . . . . . . . . . . . . . . . . . . 97 3.29.3. Observable Class . . . . . . . . . . . . . . . . . . 97
3.29.4. IndicatorExpression Class . . . . . . . . . . . . . 103 3.29.4. IndicatorExpression Class . . . . . . . . . . . . . 103
3.29.5. Expressions with IndicatorExpression . . . . . . . . 104 3.29.5. Expressions with IndicatorExpression . . . . . . . . 105
3.29.6. ObservableReference Class . . . . . . . . . . . . . 106 3.29.6. ObservableReference Class . . . . . . . . . . . . . 106
3.29.7. IndicatorReference Class . . . . . . . . . . . . . . 106 3.29.7. IndicatorReference Class . . . . . . . . . . . . . . 107
3.29.8. AttackPhase Class . . . . . . . . . . . . . . . . . 107 3.29.8. AttackPhase Class . . . . . . . . . . . . . . . . . 107
4. Processing Considerations . . . . . . . . . . . . . . . . . . 108 4. Processing Considerations . . . . . . . . . . . . . . . . . . 108
4.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 108 4.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 108
4.2. IODEF Namespace . . . . . . . . . . . . . . . . . . . . . 109 4.2. IODEF Namespace . . . . . . . . . . . . . . . . . . . . . 109
4.3. Validation . . . . . . . . . . . . . . . . . . . . . . . 109 4.3. Validation . . . . . . . . . . . . . . . . . . . . . . . 109
4.4. Incompatibilities with v1 . . . . . . . . . . . . . . . . 109 4.4. Incompatibilities with v1 . . . . . . . . . . . . . . . . 110
5. Extending the IODEF . . . . . . . . . . . . . . . . . . . . . 110 5. Extending the IODEF . . . . . . . . . . . . . . . . . . . . . 111
5.1. Extending the Enumerated Values of Attributes . . . . . . 110 5.1. Extending the Enumerated Values of Attributes . . . . . . 111
5.1.1. Private Extension of Enumerated Values . . . . . . . 111 5.1.1. Private Extension of Enumerated Values . . . . . . . 111
5.1.2. Public Extension of Enumerated Values . . . . . . . . 111 5.1.2. Public Extension of Enumerated Values . . . . . . . . 112
5.2. Extending Classes . . . . . . . . . . . . . . . . . . . . 111 5.2. Extending Classes . . . . . . . . . . . . . . . . . . . . 112
5.3. Deconflicting Private Extensions . . . . . . . . . . . . 113 5.3. Deconflicting Private Extensions . . . . . . . . . . . . 114
6. Internationalization Issues . . . . . . . . . . . . . . . . . 114 6. Internationalization Issues . . . . . . . . . . . . . . . . . 115
7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 115 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 116
7.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 115 7.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 116
7.2. Indicators from a Campaign . . . . . . . . . . . . . . . 116 7.2. Indicators from a Campaign . . . . . . . . . . . . . . . 116
8. The IODEF Data Model (XML Schema) . . . . . . . . . . . . . . 117 8. The IODEF Data Model (XML Schema) . . . . . . . . . . . . . . 118
9. Security Considerations . . . . . . . . . . . . . . . . . . . 157 9. Security Considerations . . . . . . . . . . . . . . . . . . . 157
9.1. Security . . . . . . . . . . . . . . . . . . . . . . . . 157 9.1. Security . . . . . . . . . . . . . . . . . . . . . . . . 157
9.2. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 157 9.2. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 158
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 158 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 158
10.1. Namespace and Schema . . . . . . . . . . . . . . . . . . 158 10.1. Namespace and Schema . . . . . . . . . . . . . . . . . . 158
10.2. Enumerated Value Registries . . . . . . . . . . . . . . 158 10.2. Enumerated Value Registries . . . . . . . . . . . . . . 159
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 161 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 162
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 161 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 162
12.1. Normative References . . . . . . . . . . . . . . . . . . 161 12.1. Normative References . . . . . . . . . . . . . . . . . . 162
12.2. Informative References . . . . . . . . . . . . . . . . . 164 12.2. Informative References . . . . . . . . . . . . . . . . . 164
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 165 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 165
1. Introduction 1. Introduction
Organizations require help from other parties to mitigate malicious Organizations require help from other parties to mitigate malicious
activity targeting their network and to gain insight into potential activity targeting their network and to gain insight into potential
threats. This coordination might entail working with an ISP to threats. This coordination might entail working with an ISP to
filter attack traffic, contacting a remote site to take down a filter attack traffic, contacting a remote site to take down a
botnet, or sharing watch-lists of known malicious indicators in a botnet, or sharing watch-lists of known malicious indicators in a
skipping to change at page 38, line 36 skipping to change at page 38, line 36
protection, network analysis, malware analysis, or host forensics protection, network analysis, malware analysis, or host forensics
tool to identify a particular phenomenon. This class requires the tool to identify a particular phenomenon. This class requires the
identification of the target application and allows the configuration identification of the target application and allows the configuration
to be described in either free-form or machine readable form. to be described in either free-form or machine readable form.
+------------------------+ +------------------------+
| DetectionPattern | | DetectionPattern |
+------------------------+ +------------------------+
| ENUM restriction |<>----------[ Application ] | ENUM restriction |<>----------[ Application ]
| STRING ext-restriction |<>--{0..*}--[ Description ] | STRING ext-restriction |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ DetectionConfiguration ] | ID observable-id |<>--{0..*}--[ DetectionConfiguration ]
+------------------------+ +------------------------+
Figure 18: The DetectionPattern Class Figure 18: The DetectionPattern Class
The aggregate classes of the DetectionPattern class are: The aggregate classes of the DetectionPattern class are:
Application Application
One. SOFTWARE. The application for which the One. SOFTWARE. The application for which the
DetectionConfiguration or Description is being provided. DetectionConfiguration or Description is being provided.
skipping to change at page 39, line 19 skipping to change at page 39, line 19
The attributes of the DetectionPattern class are: The attributes of the DetectionPattern class are:
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
ext-restriction ext-restriction
Optional. STRING. A means by which to extend the restriction Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
observable-id
Optional. ID. See Section 3.3.2.
3.11. Method Class 3.11. Method Class
The Method class describes the tactics, techniques, procedures or The Method class describes the tactics, techniques, procedures or
weakness used by the threat actor in an incident. This class weakness used by the threat actor in an incident. This class
consists of both a list of references describing the attack methods consists of both a list of references describing the attack methods
and weaknesses and a free-form text description. and weaknesses and a free-form text description.
+------------------------+ +------------------------+
| Method | | Method |
+------------------------+ +------------------------+
skipping to change at page 61, line 21 skipping to change at page 61, line 21
+------------------------+ +------------------------+
| ENUM category |<>----------[ Node ] | ENUM category |<>----------[ Node ]
| STRING ext-category |<>--{0..*}--[ NodeRole ] | STRING ext-category |<>--{0..*}--[ NodeRole ]
| STRING interface |<>--{0..*}--[ Service ] | STRING interface |<>--{0..*}--[ Service ]
| ENUM spoofed |<>--{0..*}--[ OperatingSystem ] | ENUM spoofed |<>--{0..*}--[ OperatingSystem ]
| ENUM virtual |<>--{0..*}--[ Counter ] | ENUM virtual |<>--{0..*}--[ Counter ]
| ENUM ownership |<>--{0..*}--[ AssetID ] | ENUM ownership |<>--{0..*}--[ AssetID ]
| STRING ext-ownership |<>--{0..*}--[ Description ] | STRING ext-ownership |<>--{0..*}--[ Description ]
| ENUM restriction |<>--{0..*}--[ AdditionalData ] | ENUM restriction |<>--{0..*}--[ AdditionalData ]
| STRING ext-restriction | | STRING ext-restriction |
| ID observable-id |
+------------------------+ +------------------------+
Figure 33: The System Class Figure 33: The System Class
The aggregate classes of the System class are: The aggregate classes of the System class are:
Node Node
One. A host or network involved in the incident. See One. A host or network involved in the incident. See
Section 3.18. Section 3.18.
skipping to change at page 64, line 5 skipping to change at page 64, line 7
Optional. STRING. A means by which to extend the ownership Optional. STRING. A means by which to extend the ownership
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
ext-restriction ext-restriction
Optional. STRING. A means by which to extend the restriction Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
observable-id
Optional. ID. See Section 3.3.2.
3.18. Node Class 3.18. Node Class
The Node class identifies a system, asset or network; and its The Node class identifies a system, asset or network; and its
location. location.
+---------------+ +---------------+
| Node | | Node |
+---------------+ +---------------+
| |<>--{0..*}--[ DomainData ] | |<>--{0..*}--[ DomainData ]
| |<>--{0..*}--[ Address ] | |<>--{0..*}--[ Address ]
skipping to change at page 98, line 8 skipping to change at page 98, line 8
3.29.3. Observable Class 3.29.3. Observable Class
The Observable class describes a feature and phenomenon that can be The Observable class describes a feature and phenomenon that can be
observed or measured for the purposes of detecting malicious observed or measured for the purposes of detecting malicious
behavior. behavior.
+------------------------+ +------------------------+
| Observable | | Observable |
+------------------------+ +------------------------+
| ENUM restriction |<>--{0..1}--[ Address ] | ENUM restriction |<>--{0..1}--[ System ]
| STRING ext-restriction |<>--{0..1}--[ DomainData ] | STRING ext-restriction |<>--{0..1}--[ Address ]
| |<>--{0..1}--[ DomainData ]
| |<>--{0..1}--[ Service ] | |<>--{0..1}--[ Service ]
| |<>--{0..1}--[ EmailData ] | |<>--{0..1}--[ EmailData ]
| |<>--{0..1}--[ Service ] | |<>--{0..1}--[ Service ]
| |<>--{0..1}--[ WindowsRegistryKeysModified ] | |<>--{0..1}--[ WindowsRegistryKeysModified ]
| |<>--{0..1}--[ FileData ] | |<>--{0..1}--[ FileData ]
| |<>--{0..1}--[ CertificateData ] | |<>--{0..1}--[ CertificateData ]
| |<>--{0..1]--[ RegistryHandle ] | |<>--{0..1]--[ RegistryHandle ]
| |<>--{0..1}--[ RecordData ] | |<>--{0..1}--[ RecordData ]
| |<>--{0..1}--[ EventData ] | |<>--{0..1}--[ EventData ]
| |<>--{0..1}--[ Incident ] | |<>--{0..1}--[ Incident ]
| |<>--{0..1}--[ Expectation ] | |<>--{0..1}--[ Expectation ]
| |<>--{0..1}--[ Reference ] | |<>--{0..1}--[ Reference ]
| |<>--{0..1}--[ Assessment ] | |<>--{0..1}--[ Assessment ]
| |<>--{0..1}--[ DetectionPattern ]
| |<>--{0..1}--[ HistoryItem ] | |<>--{0..1}--[ HistoryItem ]
| |<>--{0..1}--[ BulkObservable ] | |<>--{0..1}--[ BulkObservable ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------------+ +------------------------+
Figure 62: The Observable Class Figure 62: The Observable Class
The aggregate classes of the Observable class are: The aggregate classes of the Observable class are:
System
Zero or one. An System observable. See Section 3.17.
Address Address
Zero or one. An Address observable. See Section 3.18.1. Zero or one. An Address observable. See Section 3.18.1.
DomainData DomainData
Zero or one. A DomainData observable. See Section 3.19. Zero or one. A DomainData observable. See Section 3.19.
Service Service
Zero or one. A Service observable. See Section 3.20. Zero or one. A Service observable. See Section 3.20.
EmailData EmailData
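Review bot: The added System entry in the aggregate class list reads "An System observable"; it should be "A System observable". While Figure 62 is being edited, note that it lists [ Service ] twice (before and after EmailData) and that the RegistryHandle row has a mismatched bracket, "{0..1]". Dropping the duplicate row and writing "{0..1}" would bring the figure in line with the visible part of the aggregate class list, which names Service once.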
skipping to change at page 99, line 29 skipping to change at page 99, line 35
Expectation Expectation
Zero or one. An Expectation observable. See Section 3.15. Zero or one. An Expectation observable. See Section 3.15.
Reference Reference
Zero or one. A Reference observable. See Section 3.11.1. Zero or one. A Reference observable. See Section 3.11.1.
Assessment Assessment
Zero or one. An Assessment observable. See Section 3.12. Zero or one. An Assessment observable. See Section 3.12.
DetectionPattern
Zero or one. A DetectionPattern observable. See Section 3.12.
HistoryItem HistoryItem
Zero or one. A HistoryItem observable. See Section 3.13.1. Zero or one. A HistoryItem observable. See Section 3.13.1.
BulkObservable BulkObservable
Zero or one. A bulk list of observables. See Section 3.29.3.1. Zero or one. A bulk list of observables. See Section 3.29.3.1.
AdditionalData AdditionalData
Zero or more. EXTENSION. Mechanism by which to extend the data Zero or more. EXTENSION. Mechanism by which to extend the data
model. model.
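Review bot: The new DetectionPattern entry points to "Section 3.12", which the table of contents gives as the Assessment Class; the DetectionPattern Class is Section 3.10.1. The reference looks carried over from the Assessment entry directly above it and should read "See Section 3.10.1."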
skipping to change at page 118, line 16 skipping to change at page 118, line 34
<xs:import namespace="urn:ietf:params:xml:ns:iodef-enum-1.0" <xs:import namespace="urn:ietf:params:xml:ns:iodef-enum-1.0"
schemaLocation="http://www.iana.org/assignments/ schemaLocation="http://www.iana.org/assignments/
xml-registry/schema/iodef-enum-1.0.xsd"/> xml-registry/schema/iodef-enum-1.0.xsd"/>
<xs:import namespace="urn:ietf:params:xml:ns:iodef-sci-1.0" <xs:import namespace="urn:ietf:params:xml:ns:iodef-sci-1.0"
schemaLocation="http://www.iana.org/assignments/ schemaLocation="http://www.iana.org/assignments/
xml-registry/schema/iodef-sci-1.0.xsd"/> xml-registry/schema/iodef-sci-1.0.xsd"/>
<xs:import namespace="http://www.w3.org/XML/1998/namespace" <xs:import namespace="http://www.w3.org/XML/1998/namespace"
schemaLocation="http://www.w3c.org/2001/xml.xsd"/> schemaLocation="http://www.w3c.org/2001/xml.xsd"/>
<xs:annotation> <xs:annotation>
<xs:documentation> <xs:documentation>
Incident Object Description Exchange Format v2.0, RFC5070bis Incident Object Description Exchange Format v2.0
</xs:documentation> </xs:documentation>
</xs:annotation> </xs:annotation>
<!-- <!--
=================================================================== ===================================================================
== IODEF-Document class == == IODEF-Document class ==
=================================================================== ===================================================================
--> -->
<xs:element name="IODEF-Document"> <xs:element name="IODEF-Document">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
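Review bot: The xml.xsd import in this hunk gives schemaLocation="http://www.w3c.org/2001/xml.xsd" while the namespace on the same element uses www.w3.org; the host should match (www.w3.org). All three imports also name plain-http locations, so if it is not already stated, Section 4.3 (Validation) or the Security Considerations should tell implementations to validate against locally held copies of these schemas rather than fetching them at parse time. The shortened documentation string is fine.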
skipping to change at page 128, line 35 skipping to change at page 129, line 4
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:Application"/> <xs:element ref="iodef:Application"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="DetectionConfiguration" <xs:element name="DetectionConfiguration"
type="xs:string" type="xs:string"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/> type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
=================================================================== ===================================================================
== Method class == == Method class ==
=================================================================== ===================================================================
--> -->
<xs:element name="Method"> <xs:element name="Method">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
skipping to change at page 135, line 32 skipping to change at page 135, line 50
type="yes-no-unknown-type" use="optional" type="yes-no-unknown-type" use="optional"
default="unknown"/> default="unknown"/>
<xs:attribute name="ownership" type="system-ownership-type" <xs:attribute name="ownership" type="system-ownership-type"
use="optional"/> use="optional"/>
<xs:attribute name="ext-ownership" <xs:attribute name="ext-ownership"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/> type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="OperatingSystem" type="iodef:SoftwareType"/> <xs:element name="OperatingSystem" type="iodef:SoftwareType"/>
<xs:simpleType name="system-category-type"> <xs:simpleType name="system-category-type">
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="source"/> <xs:enumeration value="source"/>
<xs:enumeration value="target"/> <xs:enumeration value="target"/>
<xs:enumeration value="intermediate"/> <xs:enumeration value="intermediate"/>
<xs:enumeration value="sensor"/> <xs:enumeration value="sensor"/>
<xs:enumeration value="infrastructure"/> <xs:enumeration value="infrastructure"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
skipping to change at page 150, line 4 skipping to change at page 150, line 23
</xs:element> </xs:element>
<xs:element name="AlternativeIndicatorID"> <xs:element name="AlternativeIndicatorID">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:IndicatorID" maxOccurs="unbounded"/> <xs:element ref="iodef:IndicatorID" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/> type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="Observable"> <xs:element name="Observable">
<xs:complexType> <xs:complexType>
<xs:choice> <xs:choice>
<xs:element ref="iodef:System" minOccurs="0"/>
<xs:element ref="iodef:Address" minOccurs="0"/> <xs:element ref="iodef:Address" minOccurs="0"/>
<xs:element ref="iodef:DomainData" minOccurs="0"/> <xs:element ref="iodef:DomainData" minOccurs="0"/>
<xs:element ref="iodef:EmailData" minOccurs="0"/> <xs:element ref="iodef:EmailData" minOccurs="0"/>
<xs:element ref="iodef:Service" minOccurs="0"/> <xs:element ref="iodef:Service" minOccurs="0"/>
<xs:element ref="iodef:WindowsRegistryKeysModified" <xs:element ref="iodef:WindowsRegistryKeysModified"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:FileData" minOccurs="0"/> <xs:element ref="iodef:FileData" minOccurs="0"/>
<xs:element ref="iodef:CertificateData" minOccurs="0"/> <xs:element ref="iodef:CertificateData" minOccurs="0"/>
<xs:element ref="iodef:RegistryHandle" minOccurs="0"/> <xs:element ref="iodef:RegistryHandle" minOccurs="0"/>
<xs:element ref="iodef:RecordData" minOccurs="0"/> <xs:element ref="iodef:RecordData" minOccurs="0"/>
<xs:element ref="iodef:EventData" minOccurs="0"/> <xs:element ref="iodef:EventData" minOccurs="0"/>
<xs:element ref="iodef:Incident" minOccurs="0"/> <xs:element ref="iodef:Incident" minOccurs="0"/>
<xs:element ref="iodef:Expectation" minOccurs="0"/> <xs:element ref="iodef:Expectation" minOccurs="0"/>
<xs:element ref="iodef:Reference" minOccurs="0"/> <xs:element ref="iodef:Reference" minOccurs="0"/>
<xs:element ref="iodef:Assessment" minOccurs="0"/> <xs:element ref="iodef:Assessment" minOccurs="0"/>
<xs:element ref="iodef:DetectionPattern" minOccurs="0"/>
<xs:element ref="iodef:HistoryItem" minOccurs="0"/> <xs:element ref="iodef:HistoryItem" minOccurs="0"/>
<xs:element ref="iodef:BulkObservable" minOccurs="0"/> <xs:element ref="iodef:BulkObservable" minOccurs="0"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:choice> </xs:choice>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/> type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="BulkObservable"> <xs:element name="BulkObservable">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:BulkObservableFormat" minOccurs="0"/> <xs:element ref="iodef:BulkObservableFormat" minOccurs="0"/>
<xs:element name="BulkObservableList"/> <xs:element name="BulkObservableList"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
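Review bot: In the Observable xs:choice, every branch, including the added System and DetectionPattern refs, carries minOccurs="0", so an empty Observable element validates, and because the content model is a choice an instance can hold only one kind of child. Figure 62 shows each child as {0..1}, which reads as if several may appear together. Either drop minOccurs="0" from the branches so that exactly one child is required, or state in Section 3.29.3 that an Observable holds a single child and may be empty.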
skipping to change at page 158, line 46 skipping to change at page 159, line 18
o URI: urn:ietf:params:xml:schema:iodef-2.0 o URI: urn:ietf:params:xml:schema:iodef-2.0
o Registrant Contact: See the first author of the "Author's Address" o Registrant Contact: See the first author of the "Author's Address"
section of this document. section of this document.
o XML: See Section 8 of this document. o XML: See Section 8 of this document.
10.2. Enumerated Value Registries 10.2. Enumerated Value Registries
This document creates 33 identically structured registries to be This document creates 34 identically structured registries to be
managed by IANA: managed by IANA:
o Name of the parent registry: "Incident Object Description Exchange o Name of the parent registry: "Incident Object Description Exchange
Format v2 (IODEF)" Format v2 (IODEF)"
o URL of the registry: http://www.iana.org/assignments/iodef2 o URL of the registry: http://www.iana.org/assignments/iodef2
o Namespace format: A registry entry consists of: o Namespace format: A registry entry consists of:
* Value. An enumerated value for a given IODEF attribute. * Value. A value for a given IODEF attribute. It MUST conform
to the formatting specified by the IODEF ENUM data type which
is implemented as an "xs:NMTOKEN" type per Section 3.3.4 of
[W3C.SCHEMA.DTYPES]. The value SHOULD conform to the
convention specified in Section 5.2.
* Description. A short description of the enumerated value. * Description. A short description of the enumerated value.
* Reference. An optional list of URIs to further describe the * Reference. An optional list of URIs to further describe the
value. value.
o Allocation policy: Expert Review per [RFC5226] o Allocation policy: Expert Review per [RFC5226]. This reviewer
will ensure that the requested registry entry conforms to the
prescribed formatting. The reviewer will also ensure that the
entry is an appropriate value for the attribute per the
information model (Section 3).
The registries to be created are named in the "Registry Name" column The registries to be created are named in the "Registry Name" column
of Table 1. The initial values for the Value and Description fields of Table 1. Each registry is initially populated with values and
of a given registry are listed in the "IV (Value)" and "IV descriptions that come from an attribute specified in the IODEF
(Description)" columns respectively. The "IV (Value)" points to a schema (Section 8) whose description is found in a sub-section of the
given schema type per Section 8. Each enumerated value in the schema information model (Section 3). The initial values for the Value and
gets a corresponding entry in a given registry. The "IV Description fields of a given registry are listed in the "IV (Value)"
and "IV (Description)" columns respectively. The "IV (Value)" points
to a given schema type per Section 8. Each enumerated value in the
schema gets a corresponding entry in a given registry. The "IV
(Description)" points to a section in the text of this document that (Description)" points to a section in the text of this document that
describes each enumerated value. The initial value of the Reference describes each enumerated value. The initial value of the Reference
field of every registry entry described below should be this field of every registry entry described below should be this
document. document.
+-----------------------+---------------------------+---------------+ +-----------------------+---------------------------+---------------+
| Registry Name | IV (Value) | IV | | Registry Name | IV (Value) | IV |
| | | (Description) | | | | (Description) |
+-----------------------+---------------------------+---------------+ +-----------------------+---------------------------+---------------+
| Restriction | iodef-restriction-type | Section 3.3.1 | | Restriction | iodef-restriction-type | Section 3.3.1 |
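Review bot: The new Value text says the value "SHOULD conform to the convention specified in Section 5.2", but per the table of contents Section 5.2 is "Extending Classes"; the enumerated-value material sits under Section 5.1 (5.1.2, Public Extension of Enumerated Values), so the section number needs checking. In the Allocation policy item, "This reviewer" has no antecedent; "The reviewer" or "The designated expert" reads better. With the registry count moving from 33 to 34, confirm that Table 1 carries 34 rows.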
 End of changes. 33 change blocks. 
35 lines changed or deleted 67 lines changed or added
