draft-ietf-mile-rolie-13.txt   draft-ietf-mile-rolie-14.txt 
MILE Working Group J. Field MILE Working Group J. Field
Internet-Draft Pivotal Internet-Draft Pivotal
Intended status: Standards Track S. Banghart Intended status: Standards Track S. Banghart
Expires: April 29, 2018 D. Waltermire Expires: May 19, 2018 D. Waltermire
NIST NIST
October 26, 2017 November 15, 2017
Resource-Oriented Lightweight Information Exchange Resource-Oriented Lightweight Information Exchange
draft-ietf-mile-rolie-13 draft-ietf-mile-rolie-14
Abstract Abstract
This document defines a resource-oriented approach for security This document defines a resource-oriented approach for security
automation information publication, discovery, and sharing. Using automation information publication, discovery, and sharing. Using
this approach, producers may publish, share, and exchange this approach, producers may publish, share, and exchange
representations of software descriptors, security incidents, attack representations of software descriptors, security incidents, attack
indicators, software vulnerabilities, configuration checklists, and indicators, software vulnerabilities, configuration checklists, and
other security automation information as web-addressable resources. other security automation information as web-addressable resources.
Furthermore, consumers and other stakeholders may access and search Furthermore, consumers and other stakeholders may access and search
skipping to change at page 2, line 4 skipping to change at page 2, line 4
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 29, 2018. This Internet-Draft will expire on May 19, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 26 skipping to change at page 2, line 26
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. XML-related Conventions . . . . . . . . . . . . . . . . . . . 4 3. XML-related Conventions . . . . . . . . . . . . . . . . . . . 4
3.1. XML Namespaces . . . . . . . . . . . . . . . . . . . . . 5 3.1. XML Namespaces . . . . . . . . . . . . . . . . . . . . . 4
3.2. RELAX NG Compact Schema . . . . . . . . . . . . . . . . . 5 3.2. RELAX NG Compact Schema . . . . . . . . . . . . . . . . . 5
4. Background and Motivation . . . . . . . . . . . . . . . . . . 5 4. Background and Motivation . . . . . . . . . . . . . . . . . . 5
5. ROLIE Requirements for the Atom Publishing Protocol . . . . . 7 5. ROLIE Requirements for the Atom Publishing Protocol . . . . . 6
5.1. AtomPub Service Documents . . . . . . . . . . . . . . . . 7 5.1. AtomPub Service Documents . . . . . . . . . . . . . . . . 7
5.1.1. Use of the "app:workspace" Element . . . . . . . . . 7 5.1.1. Use of the "app:workspace" Element . . . . . . . . . 7
5.1.2. Use of the "app:collection" Element . . . . . . . . . 8 5.1.2. Use of the "app:collection" Element . . . . . . . . . 8
5.1.3. Service Document Discovery . . . . . . . . . . . . . 9 5.1.3. Service Document Discovery . . . . . . . . . . . . . 9
5.2. Category Documents . . . . . . . . . . . . . . . . . . . 10 5.2. Category Documents . . . . . . . . . . . . . . . . . . . 9
5.3. Transport Layer Security . . . . . . . . . . . . . . . . 10 5.3. Transport Layer Security . . . . . . . . . . . . . . . . 9
5.4. User Authentication and Authorization . . . . . . . . . . 10 5.4. User Authentication and Authorization . . . . . . . . . . 10
5.5. / (forward slash) Resource URL . . . . . . . . . . . . . 11 5.5. / (forward slash) Resource URL . . . . . . . . . . . . . 10
5.6. HTTP methods . . . . . . . . . . . . . . . . . . . . . . 11 5.6. HTTP methods . . . . . . . . . . . . . . . . . . . . . . 11
6. ROLIE Requirements for the Atom Syndication Format . . . . . 11 6. ROLIE Requirements for the Atom Syndication Format . . . . . 11
6.1. Use of the "atom:feed" element . . . . . . . . . . . . . 12 6.1. Use of the "atom:feed" element . . . . . . . . . . . . . 11
6.1.1. Use of the "atom:category" Element . . . . . . . . . 13 6.1.1. Use of the "atom:category" Element . . . . . . . . . 13
6.1.2. Use of the "atom:link" Element . . . . . . . . . . . 13 6.1.2. Use of the "atom:link" Element . . . . . . . . . . . 13
6.1.3. Use of the "atom:updated" Element . . . . . . . . . . 15 6.1.3. Use of the "atom:updated" Element . . . . . . . . . . 14
6.2. Use of the "atom:entry" Element . . . . . . . . . . . . 15 6.2. Use of the "atom:entry" Element . . . . . . . . . . . . 15
6.2.1. Use of the "atom:content" Element . . . . . . . . . . 16 6.2.1. Use of the "atom:content" Element . . . . . . . . . . 15
6.2.2. Use of the "atom:link" Element . . . . . . . . . . . 17 6.2.2. Use of the "atom:link" Element . . . . . . . . . . . 16
6.2.3. Use of the "rolie:format" Element . . . . . . . . . . 17 6.2.3. Use of the "rolie:format" Element . . . . . . . . . . 16
6.2.4. Use of the rolie:property Element . . . . . . . . . . 18 6.2.4. Use of the rolie:property Element . . . . . . . . . . 18
6.2.5. Requirements for a Standalone Entry . . . . . . . . . 19 6.2.5. Requirements for a Standalone Entry . . . . . . . . . 19
7. Available Extension Points Provided by ROLIE . . . . . . . . 20 7. Available Extension Points Provided by ROLIE . . . . . . . . 19
7.1. The Category Extension Point . . . . . . . . . . . . . . 20 7.1. The Category Extension Point . . . . . . . . . . . . . . 19
7.1.1. General Use of the "atom:category" Element . . . . . 21 7.1.1. General Use of the "atom:category" Element . . . . . 20
7.1.2. Identification of Security Automation Information 7.1.2. Identification of Security Automation Information
Types . . . . . . . . . . . . . . . . . . . . . . . . 21 Types . . . . . . . . . . . . . . . . . . . . . . . . 20
7.2. The "rolie:format" Extension Point . . . . . . . . . . . 22 7.2. The "rolie:format" Extension Point . . . . . . . . . . . 22
7.3. The Link Relation Extension Point . . . . . . . . . . . . 23 7.3. The Link Relation Extension Point . . . . . . . . . . . . 22
7.4. The "rolie:property" Extension Point . . . . . . . . . . 23 7.4. The "rolie:property" Extension Point . . . . . . . . . . 22
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23
8.1. XML Namespaces and Schema URNs . . . . . . . . . . . . . 24 8.1. XML Namespaces and Schema URNs . . . . . . . . . . . . . 23
8.2. ROLIE URN Sub-namespace . . . . . . . . . . . . . . . . . 25 8.2. ROLIE URN Sub-namespace . . . . . . . . . . . . . . . . . 24
8.3. ROLIE URN Parameters . . . . . . . . . . . . . . . . . . 25 8.3. ROLIE URN Parameters . . . . . . . . . . . . . . . . . . 24
8.4. ROLIE Security Resource Information Type Sub-Registry . . 27 8.4. ROLIE Security Resource Information Type Sub-Registry . . 26
8.5. Well-Known URI Registration . . . . . . . . . . . . . . . 28 9. Security Considerations . . . . . . . . . . . . . . . . . . . 27
9. Security Considerations . . . . . . . . . . . . . . . . . . . 28 10. Privacy Considerations . . . . . . . . . . . . . . . . . . . 29
10. Privacy Considerations . . . . . . . . . . . . . . . . . . . 30 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 30
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 31 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 30
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 31 12.1. Normative References . . . . . . . . . . . . . . . . . . 30
12.1. Normative References . . . . . . . . . . . . . . . . . . 31 12.2. Informative References . . . . . . . . . . . . . . . . . 32
12.2. Informative References . . . . . . . . . . . . . . . . . 34 12.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 34
12.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Appendix A. Relax NG Compact Schema for ROLIE . . . . . . . . . 34
Appendix A. Relax NG Compact Schema for ROLIE . . . . . . . . . 36 Appendix B. Examples of Use . . . . . . . . . . . . . . . . . . 35
Appendix B. Examples of Use . . . . . . . . . . . . . . . . . . 37 B.1. Service Discovery . . . . . . . . . . . . . . . . . . . . 35
B.1. Service Discovery . . . . . . . . . . . . . . . . . . . . 37 B.2. Feed Retrieval . . . . . . . . . . . . . . . . . . . . . 38
B.2. Feed Retrieval . . . . . . . . . . . . . . . . . . . . . 40 B.3. Entry Retrieval . . . . . . . . . . . . . . . . . . . . . 40
B.3. Entry Retrieval . . . . . . . . . . . . . . . . . . . . . 42 Appendix C. Change History . . . . . . . . . . . . . . . . . . . 41
Appendix C. Change History . . . . . . . . . . . . . . . . . . . 43 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 44
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 46
1. Introduction 1. Introduction
This document defines a resource-oriented approach to security This document defines a resource-oriented approach to security
automation information sharing that follows the Representational automation information sharing that follows the Representational
State Transfer (REST) architectural style [REST]. In this approach, State Transfer (REST) architectural style [REST]. In this approach,
computer security resources are maintained in web-accessible computer security resources are maintained in web-accessible
repositories structured as Atom Syndication Format [RFC4287] Feeds. repositories structured as Atom Syndication Format [RFC4287] Feeds.
Within a given Feed, which may be requested by the consumer, Within a given Feed, which may be requested by the consumer,
representations of specific types of security automation information representations of specific types of security automation information
skipping to change at page 4, line 20 skipping to change at page 4, line 19
time goes on, this specification defines a number of extension points time goes on, this specification defines a number of extension points
that can be used either privately or globally. These global that can be used either privately or globally. These global
extensions are IANA registered by ROLIE extension specifications, and extensions are IANA registered by ROLIE extension specifications, and
provide enhanced interoperability for new use cases and domains. provide enhanced interoperability for new use cases and domains.
Sections 5 and 6 of this document define the core requirements of all Sections 5 and 6 of this document define the core requirements of all
implementations of this specification, and is resource representation implementations of this specification, and is resource representation
agnostic. An overview of the extension system is provided in agnostic. An overview of the extension system is provided in
Section 7. Implementers seeking to provide support for specific Section 7. Implementers seeking to provide support for specific
security automation information types should refer to the security automation information types should refer to the
specification for that domain described by the IANA registry found in specification for that domain described by the IANA registry found in
section 8.4. Section 8.4.
2. Terminology 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
The previous key words are used in this document to define the The previous key words are used in this document to define the
skipping to change at page 4, line 44 skipping to change at page 4, line 43
Definitions for some of the common computer security-related Definitions for some of the common computer security-related
terminology used in this document can be found in Section 2 of terminology used in this document can be found in Section 2 of
[RFC7970]. [RFC7970].
The following terms are unique to this specification: The following terms are unique to this specification:
Information Type A class of security automation information having Information Type A class of security automation information having
one or more associated data models. Often such security one or more associated data models. Often such security
automation information is used in the automation of a security automation information is used in the automation of a security
process. See section 7.1.2 for more information. process. See Section 7.1.2 for more information.
3. XML-related Conventions 3. XML-related Conventions
3.1. XML Namespaces 3.1. XML Namespaces
This specification uses XML Namespaces [W3C.REC-xml-names-20091208] This specification uses XML Namespaces [W3C.REC-xml-names-20091208]
to uniquely identify XML element names. It uses the following to uniquely identify XML element names. It uses the following
namespace prefix mappings for the indicated namespace URI: namespace prefix mappings for the indicated namespace URI:
"app" is used for the "http://www.w3.org/2007/app" namespace "app" is used for the "http://www.w3.org/2007/app" namespace
defined in [RFC5023]. defined in [RFC5023].
"atom" is used for the "http://www.w3.org/2005/Atom" namespace "atom" is used for the "http://www.w3.org/2005/Atom" namespace
skipping to change at page 5, line 17 skipping to change at page 5, line 12
to uniquely identify XML element names. It uses the following to uniquely identify XML element names. It uses the following
namespace prefix mappings for the indicated namespace URI: namespace prefix mappings for the indicated namespace URI:
"app" is used for the "http://www.w3.org/2007/app" namespace "app" is used for the "http://www.w3.org/2007/app" namespace
defined in [RFC5023]. defined in [RFC5023].
"atom" is used for the "http://www.w3.org/2005/Atom" namespace "atom" is used for the "http://www.w3.org/2005/Atom" namespace
defined in [RFC4287]. defined in [RFC4287].
"rolie" is used for the "urn:ietf:params:xml:ns:rolie:1.0" "rolie" is used for the "urn:ietf:params:xml:ns:rolie:1.0"
namespace defined in section 8.1 of this specification. namespace defined in Section 8.1 of this specification.
3.2. RELAX NG Compact Schema 3.2. RELAX NG Compact Schema
Some sections of this specification are illustrated with fragments of Some sections of this specification are illustrated with fragments of
a non-normative RELAX NG Compact schema [relax-NG]. The text of this a non-normative RELAX NG Compact schema [relax-NG]. The text of this
specification provides the definition of conformance. Schema for the specification provides the definition of conformance. Schema for the
"http://www.w3.org/2007/app" and "http://www.w3.org/2005/Atom" "http://www.w3.org/2007/app" and "http://www.w3.org/2005/Atom"
namespaces appear in RFC5023 appendix B [RFC5023] and RFC4287 namespaces appear in RFC5023 appendix B [RFC5023] and RFC4287
appendix B [RFC4287] respectively. appendix B [RFC4287] respectively.
skipping to change at page 8, line 27 skipping to change at page 8, line 23
In AtomPub, a Collection in a Service Document, represented by the In AtomPub, a Collection in a Service Document, represented by the
"app:collection" element, provides metadata that can be used to point "app:collection" element, provides metadata that can be used to point
to a specific Atom Feed that contains information Entries that may be to a specific Atom Feed that contains information Entries that may be
of interest to a client. The association between a Collection and a of interest to a client. The association between a Collection and a
Feed is provided by the "href" attribute of the app:collection Feed is provided by the "href" attribute of the app:collection
element. Building on the AtomPub concept of a Collection, in ROLIE a element. Building on the AtomPub concept of a Collection, in ROLIE a
Collection represents a pointer to a group of security automation Collection represents a pointer to a group of security automation
information resources pertaining to a given type of security information resources pertaining to a given type of security
automation information. Collections are represented as Atom Feeds as automation information. Collections are represented as Atom Feeds as
per RFC 5023. Atom Feed specific requirements are defined in section per RFC 5023. Atom Feed specific requirements are defined in
6.1. Section 6.1.
ROLIE defines specialized data requirements for Collections, Feeds, ROLIE defines specialized data requirements for Collections, Feeds,
and Entries containing security automation related data. The and Entries containing security automation related data. The
difference between a ROLIE and a non-ROLIE Collection defined in a difference between a ROLIE and a non-ROLIE Collection defined in a
Service Document can be determined as follows: Service Document can be determined as follows:
ROLIE Collection: An app:collection is considered a ROLIE Collection ROLIE Collection: An app:collection is considered a ROLIE Collection
when it contains an app:categories element that contains only one when it contains an app:categories element that contains only one
atom:category element with the "scheme" attribute value of atom:category element with the "scheme" attribute value of
"urn:ietf:params:rolie:category:information-type". Further, this "urn:ietf:params:rolie:category:information-type". Further, this
category has an appropriate "term" attribute value as defined in category has an appropriate "term" attribute value as defined in
section 7.1.1. This ensures that a given Collection corresponds Section 7.1.1. This ensures that a given Collection corresponds
to a specific type of security automation information. to a specific type of security automation information.
Non-ROLIE Collection: An app:collection is considered a non-ROLIE Non-ROLIE Collection: An app:collection is considered a non-ROLIE
Collection when it does not contain an atom:category element with Collection when it does not contain an atom:category element with
a "scheme" attribute value of a "scheme" attribute value of
"urn:ietf:params:rolie:category:information-type". "urn:ietf:params:rolie:category:information-type".
By distinguishing between ROLIE and non-ROLIE Collections in this By distinguishing between ROLIE and non-ROLIE Collections in this
way, implementations supporting ROLIE can host Collections pertaining way, implementations supporting ROLIE can host Collections pertaining
to security automation information alongside Collections of other to security automation information alongside Collections of other
skipping to change at page 9, line 22 skipping to change at page 9, line 19
associated with the Collection and the associated Feed is associated with the Collection and the associated Feed is
discoverable in both of these resources. discoverable in both of these resources.
o The app:categories element in an app:collection MAY include o The app:categories element in an app:collection MAY include
additional atom:category elements using a scheme other than additional atom:category elements using a scheme other than
"urn:ietf:params:rolie:category:information-type". This allows "urn:ietf:params:rolie:category:information-type". This allows
other category metadata to be included. other category metadata to be included.
5.1.3. Service Document Discovery 5.1.3. Service Document Discovery
ROLIE repositories are largely intended to be consumed by automated The Service Document serves as the "head" of a given ROLIE
systems. While humans may be able to navigate a web page or receive repository: from the Service Document all other repository content
an email to find a link to the repository, automated systems struggle can be discovered. A client will need to determine the URL of this
with such tasks. By creating a standardized location for the Service Service Document to discover the Collections provided by the
Document, ROLIE clients need only a host name and port in order to repository. The client might determine the URL from a web page,
locate a ROLIE repository. This lower barrier to entry reduces the based on out-of-band communication, or through a "service" link
amount of human intervention required for ROLIE clients to begin relation in a Feed or Entry document that the client has already
reading Feeds. retrieved. The latter is a typical scenario if the client learns of
a specific feed or entry through an out-of-band mechanism, and wishes
An implementation MUST publish an Atom Service Document that to discover additional information provided by the repository.
describes the set of security information Collections provided by the
service. The Service Document MUST be retrievable using the
standardized URI template "https://{host:port}/.well-known/rolie/
servicedocument", where {host:port} is the authority portion of the
URI. Dereferencing this URI MAY result in a redirect based on an
appropriate HTTP 3xx status code to direct the client to the actual
Service Document. This allows clients to have a well-known location
to find a ROLIE service document, while giving implementations
flexibility over how the service is deployed.
This document registers the "rolie" well-known URI as per [RFC5785]
in Section 8.5.
A mechanism to determine which host and port to use is not specified This document does not provide a fully automated discovery mechanism.
in this document. Use of a mechanism such as DNS SRV Records A mechanism may be defined in the future that allows automated
[RFC2782] can provide a secure and reliable discovery mechanism for clients to discover the URL to use to retrieve a ROLIE Service
determining a specific host and port to use for retrieving a Service Document representing the head of the ROLIE repository.
Document for a given DNS domain. This is a feature that may be
standardized in the future.
5.2. Category Documents 5.2. Category Documents
As described in RFC5023 section 7 [RFC5023], a Category Document is As described in RFC5023 section 7 [RFC5023], a Category Document is
an XML-based document format that allows a client to dynamically an XML-based document format that allows a client to dynamically
discover the Categories used within AtomPub Service Documents, Atom discover the Categories used within AtomPub Service Documents, Atom
Syndication Feeds, and Entry documents provided by a publisher. A Syndication Feeds, and Entry documents provided by a publisher. A
Category Document consists of one app:categories element that Category Document consists of one app:categories element that
contains a number of inline atom:category elements, or a URI contains a number of inline atom:category elements, or a URI
referencing a Category Document. referencing a Category Document.
skipping to change at page 12, line 21 skipping to change at page 12, line 5
more app:collection elements. Each Feed document, represented using more app:collection elements. Each Feed document, represented using
the atom:feed element, contains a listing of zero or more Entries. the atom:feed element, contains a listing of zero or more Entries.
When applied to the problem domain of security automation information When applied to the problem domain of security automation information
sharing, an Atom Feed may be used to represent any meaningful sharing, an Atom Feed may be used to represent any meaningful
collection of security automation information resources. Each Entry collection of security automation information resources. Each Entry
in an atom:feed represents an individual resource (e.g., a specific in an atom:feed represents an individual resource (e.g., a specific
checklist, a software vulnerability record). Additional Feeds can be checklist, a software vulnerability record). Additional Feeds can be
used to represent other collections of security automation resources. used to represent other collections of security automation resources.
As discussed in section 5.1.2, ROLIE defines specialized data As discussed in Section 5.1.2, ROLIE defines specialized data
requirements for Feeds containing security automation related data. requirements for Feeds containing security automation related data.
The difference between a ROLIE and a non-ROLIE Feed can be determined The difference between a ROLIE and a non-ROLIE Feed can be determined
as follows: as follows:
ROLIE Feed: For an atom:feed to be considered a ROLIE Feed, the ROLIE Feed: For an atom:feed to be considered a ROLIE Feed, the
atom:feed MUST contain only one child atom:category element with atom:feed MUST contain only one child atom:category element with
the "scheme" attribute value of the "scheme" attribute value of
"urn:ietf:params:rolie:category:information-type". This category "urn:ietf:params:rolie:category:information-type". This category
MUST have an appropriate "term" attribute value as defined in MUST have an appropriate "term" attribute value as defined in
section 7.1.1. This ensures that a given Feed corresponds to a Section 7.1.1. This ensures that a given Feed corresponds to a
specific type of security automation information. specific type of security automation information.
Non-ROLIE Feed: For an atom:feed to be considered a non-ROLIE Feed, Non-ROLIE Feed: For an atom:feed to be considered a non-ROLIE Feed,
the atom:feed MUST NOT contain an atom:category element with a the atom:feed MUST NOT contain an atom:category element with a
"scheme" attribute value of "scheme" attribute value of
"urn:ietf:params:rolie:category:information-type". "urn:ietf:params:rolie:category:information-type".
By distinguishing between ROLIE and non-ROLIE Feeds in this way, By distinguishing between ROLIE and non-ROLIE Feeds in this way,
implementations supporting ROLIE can host Feeds pertaining to implementations supporting ROLIE can host Feeds pertaining to
security automation information alongside Feeds of other non-ROLIE security automation information alongside Feeds of other non-ROLIE
information within the same AtomPub instance. This is parallel to information within the same AtomPub instance. This is parallel to
the handling of collections ealier in this specification in section the handling of collections ealier in this specification in
5.1.2. Section 5.1.2.
The following Atom Feed definition represents a stricter definition The following Atom Feed definition represents a stricter definition
of the atom:feed element defined in RFC 4287 when used as a ROLIE of the atom:feed element defined in RFC 4287 when used as a ROLIE
Feed. Any element not specified here inherits its definition and Feed. Any element not specified here inherits its definition and
requirements from [RFC4287]. requirements from [RFC4287].
atomFeed = atomFeed =
element atom:feed { element atom:feed {
atomCommonAttributes, atomCommonAttributes,
(atomAuthor* (atomAuthor*
skipping to change at page 15, line 16 skipping to change at page 14, line 46
may need to be divided into a series of defined epochs. may need to be divided into a series of defined epochs.
Implementations SHOULD support the mechanisms described in RFC5005 Implementations SHOULD support the mechanisms described in RFC5005
section 4 [RFC5005] to provide link-based state transitions for section 4 [RFC5005] to provide link-based state transitions for
maintaining archiving of Feeds. maintaining archiving of Feeds.
An atom:feed MAY include additional link relationships not specified An atom:feed MAY include additional link relationships not specified
in this document. If a client encounters an unknown link in this document. If a client encounters an unknown link
relationship type, the client MUST ignore the unrecognized link and relationship type, the client MUST ignore the unrecognized link and
continue processing as if the unrecognized link element did not continue processing as if the unrecognized link element did not
appear. The definition of new Link relations that provide additional appear. The definition of new Link relations that provide additional
state transition extensions is discussed in section 7.3. state transition extensions is discussed in Section 7.3.
6.1.3. Use of the "atom:updated" Element 6.1.3. Use of the "atom:updated" Element
The atom:updated element identifies the date and time that a Feed was The atom:updated element identifies the date and time that a Feed was
last updated. last updated.
The atom:updated element MUST be populated with the current time at The atom:updated element MUST be populated with the current time at
the instant the Feed was last updated by adding, updating, or the instant the Feed was last updated by adding, updating, or
deleting an Entry; or changing any metadata for the Feed. deleting an Entry; or changing any metadata for the Feed.
6.2. Use of the "atom:entry" Element 6.2. Use of the "atom:entry" Element
Each Entry in an Atom Feed, represented by the atom:entry element, Each Entry in an Atom Feed, represented by the atom:entry element,
describes a single referenced information record, along with describes a single referenced information record, along with
descriptive information about its format, media type, and other descriptive information about its format, media type, and other
publication metadata. The following atom:entry schema definition publication metadata. The following atom:entry schema definition
represents a stricter representation of the atom:entry element represents a stricter representation of the atom:entry element
defined in [RFC4287] for use in a ROLIE-based Atom Feed as defined in defined in [RFC4287] for use in a ROLIE-based Atom Feed as defined in
section 6.1.1. Section 6.1.1.
atomEntry = atomEntry =
element atom:entry { element atom:entry {
atomCommonAttributes, atomCommonAttributes,
(atomAuthor* (atomAuthor*
& atomCategory* & atomCategory*
& atomContent & atomContent
& atomContributor* & atomContributor*
& atomId & atomId
& atomLink* & atomLink*
skipping to change at page 17, line 25 skipping to change at page 16, line 39
models and/or serialization formats, separate Entry instances can be models and/or serialization formats, separate Entry instances can be
included in the same or a different Feed. Such an alternate content included in the same or a different Feed. Such an alternate content
representation can be indicated using an atom:link having a rel representation can be indicated using an atom:link having a rel
attribute with the value "alternate". attribute with the value "alternate".
An atom:feed MAY include additional link relationships not specified An atom:feed MAY include additional link relationships not specified
in this document. If a client encounters an unknown link in this document. If a client encounters an unknown link
relationship type, the client MUST ignore the unrecognized link and relationship type, the client MUST ignore the unrecognized link and
continue processing as if the unrecognized link element did not continue processing as if the unrecognized link element did not
appear. The definition of new Link relations that provide additional appear. The definition of new Link relations that provide additional
state transition extensions is discussed in section 7.3. state transition extensions is discussed in Section 7.3.
6.2.3. Use of the "rolie:format" Element 6.2.3. Use of the "rolie:format" Element
As mentioned earlier, a key goal of this specification is to allow a As mentioned earlier, a key goal of this specification is to allow a
consumer to review a set of published security automation information consumer to review a set of published security automation information
resources, and then identify and retrieve any resources of interest. resources, and then identify and retrieve any resources of interest.
The format of the data is a key criteria to consider when deciding The format of the data is a key criteria to consider when deciding
what information to retrieve. For a given type of security what information to retrieve. For a given type of security
automation information, it is expected that a number of different automation information, it is expected that a number of different
formats may be used to represent this information. To support this formats may be used to represent this information. To support this
skipping to change at page 21, line 20 skipping to change at page 20, line 31
value, and a "scheme" attribute that provides an identifier for the value, and a "scheme" attribute that provides an identifier for the
category type. The "scheme" provides a means to describe how a set category type. The "scheme" provides a means to describe how a set
of category terms should be used and provides a namespace that can be of category terms should be used and provides a namespace that can be
used to differentiate terms provided by multiple organizations with used to differentiate terms provided by multiple organizations with
different semantic meaning. different semantic meaning.
To further differentiate category types used in ROLIE, an IANA sub- To further differentiate category types used in ROLIE, an IANA sub-
registry has been established for ROLIE protocol parameters to registry has been established for ROLIE protocol parameters to
support the registration of new category "scheme" attribute values by support the registration of new category "scheme" attribute values by
ROLIE extension specifications. Use of this extension point is ROLIE extension specifications. Use of this extension point is
discussed in section 8.3 using the name field with a type parameter discussed in Section 8.3 using the name field with a type parameter
of "category" to indicate a category extension. of "category" to indicate a category extension.
7.1.2. Identification of Security Automation Information Types 7.1.2. Identification of Security Automation Information Types
A ROLIE specific extension point is provided through the A ROLIE specific extension point is provided through the
atom:category "scheme" value atom:category "scheme" value
"urn:ietf:params:rolie:category:information-type". This value is a "urn:ietf:params:rolie:category:information-type". This value is a
Uniform Resource Name (URN) [RFC8141] that is registered with IANA as Uniform Resource Name (URN) [RFC8141] that is registered with IANA as
described in section 8.3. When used as the "scheme" attribute in described in Section 8.3. When used as the "scheme" attribute in
this way, the "term" attribute is expected to be a registered value this way, the "term" attribute is expected to be a registered value
as defined in section Section 8.4. Through this mechanism a given as defined in Section 8.4. Through this mechanism a given security
security automation information type can be used to: automation information type can be used to:
1. identify that an "app:collection" element in a Service Document 1. identify that an "app:collection" element in a Service Document
points to an Atom Feed that contains Entries pertaining to a points to an Atom Feed that contains Entries pertaining to a
specific type of security automation information (see section specific type of security automation information (see
5.1.2), or Section 5.1.2), or
2. identify that an "atom:feed" element in an Atom Feed contains 2. identify that an "atom:feed" element in an Atom Feed contains
Entries pertaining to a specific type of security automation Entries pertaining to a specific type of security automation
information (see section 6.1.1). information (see Section 6.1.1).
3. identify the information type of a standalone Resource (see 3. identify the information type of a standalone Resource (see
section 6.2.5). Section 6.2.5).
For example, the notional security automation information type For example, the notional security automation information type
"incident" would be identified as follows: "incident" would be identified as follows:
<atom:category <atom:category
scheme="urn:ietf:params:rolie:category:information-type" scheme="urn:ietf:params:rolie:category:information-type"
term="incident"/> term="incident"/>
A security automation information type represents a class of A security automation information type represents a class of
information that represents the same or similar information model information that represents the same or similar information model
skipping to change at page 22, line 40 skipping to change at page 22, line 5
This document does not specify any information types. Instead, This document does not specify any information types. Instead,
information types in ROLIE are expected to be registered in extension information types in ROLIE are expected to be registered in extension
documents that describe one or more new information types. This documents that describe one or more new information types. This
allows the information types used by ROLIE implementations to grow allows the information types used by ROLIE implementations to grow
over time to support new security automation use cases. These over time to support new security automation use cases. These
extension documents may also enhance ROLIE Service, Category, Feed, extension documents may also enhance ROLIE Service, Category, Feed,
and Entry documents by defining link relations, other categories, and and Entry documents by defining link relations, other categories, and
Format data model extensions to address the representational needs of Format data model extensions to address the representational needs of
these specific information types. New information types are added to these specific information types. New information types are added to
ROLIE through registrations to the IANA ROLIE Security Resource ROLIE through registrations to the IANA ROLIE Security Resource
Information Type registry defined in section 8.4. Information Type registry defined in Section 8.4.
7.2. The "rolie:format" Extension Point 7.2. The "rolie:format" Extension Point
Security automation data pertaining to a given information type may Security automation data pertaining to a given information type may
be expressed using a number of supported formats. As described in be expressed using a number of supported formats. As described in
section 6.2.3, the rolie:format element is used to describe the Section 6.2.3, the rolie:format element is used to describe the
specific data model used to represent the resource referenced by a specific data model used to represent the resource referenced by a
given "atom:entry". The structure provided by the rolie:format given "atom:entry". The structure provided by the rolie:format
element, provides a mechanism for extension within the atom:entry element, provides a mechanism for extension within the atom:entry
model. ROLIE extensions MAY further restrict which data models are model. ROLIE extensions MAY further restrict which data models are
allowed to be used for a given information type. allowed to be used for a given information type.
By declaring the data model used for a given Resource, a consumer can By declaring the data model used for a given Resource, a consumer can
choose to download or ignore the Resource, or look for alternate choose to download or ignore the Resource, or look for alternate
formats. This saves the consumer from downloading and parsing formats. This saves the consumer from downloading and parsing
resources that the consumer is not interested in or resources resources that the consumer is not interested in or resources
skipping to change at page 25, line 43 skipping to change at page 25, line 11
Specification Required policy [RFC8126]. Registration requests must Specification Required policy [RFC8126]. Registration requests must
be sent to both the MILE WG mailing list (mile@ietf.org) and IANA. be sent to both the MILE WG mailing list (mile@ietf.org) and IANA.
IANA will forward registration requests to the Designated Expert. IANA will forward registration requests to the Designated Expert.
Each entry in this sub-registry must record the following fields: Each entry in this sub-registry must record the following fields:
Name: A URN segment that adheres to the pattern {type}:{label}. Name: A URN segment that adheres to the pattern {type}:{label}.
The keywords are defined as follows: The keywords are defined as follows:
{type}: The parameter type. The allowed values are "category" {type}: The parameter type. The allowed values are "category"
or "property". "category" denotes a category extension as or "property". "category" denotes a category extension as
discussed in Section 7.1. "property" denotes a property discussed in Section 7.1. "property" denotes a property
extension as discussed in Section 7.4. extension as discussed in Section 7.4.
{label}: A required US-ASCII string that conforms to the URN {label}: A required US-ASCII string that conforms to the URN
syntax requirements (see [RFC8141]). This string must be syntax requirements (see [RFC8141]). This string must be
unique within the namespace defined by the {type} keyword. The unique within the namespace defined by the {type} keyword. The
"local" label for both the "category" and "property" types has "local" label for both the "category" and "property" types has
been reserved for private use. been reserved for private use.
Extension URI: The identifier to use within ROLIE, which is the Extension URI: The identifier to use within ROLIE, which is the
skipping to change at page 28, line 32 skipping to change at page 27, line 32
registry uses the value 1, and this value is incremented for registry uses the value 1, and this value is incremented for
each subsequent entry added to the registry. each subsequent entry added to the registry.
reference: A list of one or more URIs [RFC3986] from which the reference: A list of one or more URIs [RFC3986] from which the
registered specification can be obtained. The registered registered specification can be obtained. The registered
specification MUST be readily and publicly available from that specification MUST be readily and publicly available from that
URI. The URI SHOULD be a stable reference. URI. The URI SHOULD be a stable reference.
Allocation Policy: Specification required as per [RFC8126] Allocation Policy: Specification required as per [RFC8126]
8.5. Well-Known URI Registration
This document makes the follow two registrations to the Well-Known
URI Registry at https://www.iana.org/assignments/well-known-uris/
well-known-uris.xhtml.
Service Document registration:
URI suffix: rolie
Change controller: IETF
Specification document: This document, Section 5.1.3
Related information: None
9. Security Considerations 9. Security Considerations
This document defines a resource-oriented approach for lightweight This document defines a resource-oriented approach for lightweight
information exchange using HTTP over TLS, the Atom Syndication information exchange using HTTP over TLS, the Atom Syndication
Format, and the Atom Publishing Protocol. As such, implementers must Format, and the Atom Publishing Protocol. As such, implementers must
understand the security considerations described in those understand the security considerations described in those
specifications. All that follows is guidance, more specific specifications. All that follows is guidance, more specific
instruction is out of scope for this document. instruction is out of scope for this document.
To protect the confidentiality of a given resource provided by a To protect the confidentiality of a given resource provided by a
ROLIE implementation, requests for retrieval of the resource need to ROLIE implementation, requests for retrieval of the resource need to
be authenticated to prevent unauthorized users from accessing the be authenticated to prevent unauthorized users from accessing the
resource (see section 5.4). It can also be useful to log and audit resource (see Section 5.4). It can also be useful to log and audit
access to sensitive resources to verify that proper access controls access to sensitive resources to verify that proper access controls
remain in place over time. remain in place over time.
Access control to information published using ROLIE should use Access control to information published using ROLIE should use
mechanisms that are appropriate to the sensitivity of the mechanisms that are appropriate to the sensitivity of the
information. Primitive authentication mechanisms like HTTP Basic information. Primitive authentication mechanisms like HTTP Basic
Authentication [RFC7617] are rarely appropriate for sensitive Authentication [RFC7617] are rarely appropriate for sensitive
information. A number of authentication schemes are defined in the information. A number of authentication schemes are defined in the
HTTP Authentication Schemes Registry [3]. Of these, HOBA [RFC7486] HTTP Authentication Schemes Registry [3]. Of these, HOBA [RFC7486]
and SCRAM-SHA-256 [RFC7804] provide improved security properties over and SCRAM-SHA-256 [RFC7804] provide improved security properties over
skipping to change at page 29, line 43 skipping to change at page 28, line 27
organizational single sign-on. Dependency on a trusted third party organizational single sign-on. Dependency on a trusted third party
identity provider implies that appropriate care must be exercised to identity provider implies that appropriate care must be exercised to
sufficiently secure the Identity provider. Any attacks on the sufficiently secure the Identity provider. Any attacks on the
federated identity system would present a risk to the consortium, as federated identity system would present a risk to the consortium, as
a relying party. Potential mitigations include deployment of a a relying party. Potential mitigations include deployment of a
federation-aware identity provider that is under the control of the federation-aware identity provider that is under the control of the
information sharing consortium, with suitably stringent technical and information sharing consortium, with suitably stringent technical and
management controls. management controls.
Authorization of resource representations is the responsibility of Authorization of resource representations is the responsibility of
the source system, i.e. based on the authenticated user identity the source system, i.e. based on the authenticated user identity
associated with an HTTP(S) request. The required authorization associated with an HTTP(S) request. The required authorization
policies that are to be enforced must therefore be managed by the policies that are to be enforced must therefore be managed by the
security administrators of the source system. Various authorization security administrators of the source system. Various authorization
architectures would be suitable for this purpose, such as RBAC [4] architectures would be suitable for this purpose, such as RBAC [4]
and/or ABAC, as embodied in XACML [XACML]. In particular, and/or ABAC, as embodied in XACML [XACML]. In particular,
implementers adopting XACML may benefit from the capability to implementers adopting XACML may benefit from the capability to
represent their authorization policies in a standardized, represent their authorization policies in a standardized,
interoperable format. Note that implementers are free to choose any interoperable format. Note that implementers are free to choose any
suitable authorization mechanism that is capable of fulfilling the suitable authorization mechanism that is capable of fulfilling the
policy enforcement requirements relevant to their consortium and/or policy enforcement requirements relevant to their consortium and/or
skipping to change at page 32, line 41 skipping to change at page 31, line 27
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, DOI 10.17487/RFC3986, January 2005, RFC 3986, DOI 10.17487/RFC3986, January 2005,
<https://www.rfc-editor.org/info/rfc3986>. <https://www.rfc-editor.org/info/rfc3986>.
[RFC4287] Nottingham, M., Ed. and R. Sayre, Ed., "The Atom [RFC4287] Nottingham, M., Ed. and R. Sayre, Ed., "The Atom
Syndication Format", RFC 4287, DOI 10.17487/RFC4287, Syndication Format", RFC 4287, DOI 10.17487/RFC4287,
December 2005, <https://www.rfc-editor.org/info/rfc4287>. December 2005, <https://www.rfc-editor.org/info/rfc4287>.
[RFC4642] Murchison, K., Vinocur, J., and C. Newman, "Using
Transport Layer Security (TLS) with Network News Transfer
Protocol (NNTP)", RFC 4642, DOI 10.17487/RFC4642, October
2006, <https://www.rfc-editor.org/info/rfc4642>.
[RFC5005] Nottingham, M., "Feed Paging and Archiving", RFC 5005, [RFC5005] Nottingham, M., "Feed Paging and Archiving", RFC 5005,
DOI 10.17487/RFC5005, September 2007, DOI 10.17487/RFC5005, September 2007,
<https://www.rfc-editor.org/info/rfc5005>. <https://www.rfc-editor.org/info/rfc5005>.
[RFC5023] Gregorio, J., Ed. and B. de hOra, Ed., "The Atom [RFC5023] Gregorio, J., Ed. and B. de hOra, Ed., "The Atom
Publishing Protocol", RFC 5023, DOI 10.17487/RFC5023, Publishing Protocol", RFC 5023, DOI 10.17487/RFC5023,
October 2007, <https://www.rfc-editor.org/info/rfc5023>. October 2007, <https://www.rfc-editor.org/info/rfc5023>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<https://www.rfc-editor.org/info/rfc5280>.
[RFC5785] Nottingham, M. and E. Hammer-Lahav, "Defining Well-Known
Uniform Resource Identifiers (URIs)", RFC 5785,
DOI 10.17487/RFC5785, April 2010,
<https://www.rfc-editor.org/info/rfc5785>.
[RFC6546] Trammell, B., "Transport of Real-time Inter-network [RFC6546] Trammell, B., "Transport of Real-time Inter-network
Defense (RID) Messages over HTTP/TLS", RFC 6546, Defense (RID) Messages over HTTP/TLS", RFC 6546,
DOI 10.17487/RFC6546, April 2012, DOI 10.17487/RFC6546, April 2012,
<https://www.rfc-editor.org/info/rfc6546>. <https://www.rfc-editor.org/info/rfc6546>.
[RFC7525] Sheffer, Y., Holz, R., and P. Saint-Andre, [RFC7525] Sheffer, Y., Holz, R., and P. Saint-Andre,
"Recommendations for Secure Use of Transport Layer "Recommendations for Secure Use of Transport Layer
Security (TLS) and Datagram Transport Layer Security Security (TLS) and Datagram Transport Layer Security
(DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May (DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May
2015, <https://www.rfc-editor.org/info/rfc7525>. 2015, <https://www.rfc-editor.org/info/rfc7525>.
[RFC7589] Badra, M., Luchuk, A., and J. Schoenwaelder, "Using the
NETCONF Protocol over Transport Layer Security (TLS) with
Mutual X.509 Authentication", RFC 7589,
DOI 10.17487/RFC7589, June 2015,
<https://www.rfc-editor.org/info/rfc7589>.
[RFC7970] Danyliw, R., "The Incident Object Description Exchange [RFC7970] Danyliw, R., "The Incident Object Description Exchange
Format Version 2", RFC 7970, DOI 10.17487/RFC7970, Format Version 2", RFC 7970, DOI 10.17487/RFC7970,
November 2016, <https://www.rfc-editor.org/info/rfc7970>. November 2016, <https://www.rfc-editor.org/info/rfc7970>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26, Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017, RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>. <https://www.rfc-editor.org/info/rfc8126>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
skipping to change at page 34, line 17 skipping to change at page 32, line 33
[I-D.ietf-tls-tls13] [I-D.ietf-tls-tls13]
Rescorla, E., "The Transport Layer Security (TLS) Protocol Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", draft-ietf-tls-tls13-21 (work in progress), Version 1.3", draft-ietf-tls-tls13-21 (work in progress),
July 2017. July 2017.
[REST] Fielding, R., "Architectural Styles and the Design of [REST] Fielding, R., "Architectural Styles and the Design of
Network-based Software Architectures", 2000, Network-based Software Architectures", 2000,
<http://www.ics.uci.edu/~fielding/pubs/dissertation/ <http://www.ics.uci.edu/~fielding/pubs/dissertation/
top.htm>. top.htm>.
[RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782,
DOI 10.17487/RFC2782, February 2000,
<https://www.rfc-editor.org/info/rfc2782>.
[RFC3275] Eastlake 3rd, D., Reagle, J., and D. Solo, "(Extensible [RFC3275] Eastlake 3rd, D., Reagle, J., and D. Solo, "(Extensible
Markup Language) XML-Signature Syntax and Processing", Markup Language) XML-Signature Syntax and Processing",
RFC 3275, DOI 10.17487/RFC3275, March 2002, RFC 3275, DOI 10.17487/RFC3275, March 2002,
<https://www.rfc-editor.org/info/rfc3275>. <https://www.rfc-editor.org/info/rfc3275>.
[RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between [RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between
Information Models and Data Models", RFC 3444, Information Models and Data Models", RFC 3444,
DOI 10.17487/RFC3444, January 2003, DOI 10.17487/RFC3444, January 2003,
<https://www.rfc-editor.org/info/rfc3444>. <https://www.rfc-editor.org/info/rfc3444>.
skipping to change at page 36, line 24 skipping to change at page 35, line 5
authschemes.xhtml authschemes.xhtml
[4] http://csrc.nist.gov/groups/SNS/rbac/ [4] http://csrc.nist.gov/groups/SNS/rbac/
Appendix A. Relax NG Compact Schema for ROLIE Appendix A. Relax NG Compact Schema for ROLIE
This appendix is informative. This appendix is informative.
The Relax NG schema below defines the rolie:format element. The Relax NG schema below defines the rolie:format element.
# -*- rnc -*- # -*- rnc -*-
# RELAX NG Compact Syntax Grammar for the rolie ns # RELAX NG Compact Syntax Grammar for the rolie ns
namespace rolie = "urn:ietf:params:xml:ns:rolie-1.0" namespace rolie = "urn:ietf:params:xml:ns:rolie-1.0"
namespace atom = "http://www.w3.org/2005/Atom"
namespace app = "http://www.w3.org/2007/app"
# rolie:format # import the ATOM Syndication RELAX NG Compact Syntax Grammar
include "atomsynd.rnc"
rolieFormat = # rolie:format
element rolie:format { rolieFormat =
app:appCommonAttributes, element rolie:format {
attribute ns { atom:atomURI }, atomCommonAttributes,
attribute version { text } ?, attribute ns { atomUri },
attribute schema-location { atom:atomURI } ?, attribute version { text } ?,
attribute schema-type { atom:atomMediaType } ?, attribute schema-location { atomUri } ?,
empty attribute schema-type { atomMediaType } ?,
} empty
}
# rolie:property # rolie:property
rolieProperty =
element rolie:property {
atomCommonAttributes,
attribute name { atomUri },
attribute value { text },
empty
}
rolieProperty =
element rolie:property {
app:appCommonAttributes,
attribute name { atom:atomURI },
attribute value { text }
empty
} }
Appendix B. Examples of Use Appendix B. Examples of Use
B.1. Service Discovery B.1. Service Discovery
This section provides a non-normative example of a client doing This section provides a non-normative example of a client doing
service discovery. service discovery.
An Atom Service Document enables a client to dynamically discover An Atom Service Document enables a client to dynamically discover
what Feeds a particular publisher makes available. Thus, a provider what Feeds a particular publisher makes available. Thus, a provider
uses an Atom Service Document to enable authorized clients to uses an Atom Service Document to enable authorized clients to
determine what specific information the provider makes available to determine what specific information the provider makes available to
the community. While the Service Document is accessible at a pre- the community. The Service Document should be made accessible from a
determined location, the Service Document can also be made accessible easily found location, such as a link from the producer's home page.
from any well known location, such as via a link from the producer's
home page.
A client may format an HTTP GET request to retrieve the service A client may format an HTTP GET request to retrieve the service
document from the specified location: document from the specified location:
GET /.well-known/rolie/servicedocument GET /rolie/servicedocument
Host: www.example.org Host: www.example.org
Accept: application/atomsvc+xml Accept: application/atomsvc+xml
Notice the use of the HTTP Accept: request header, indicating the Notice the use of the HTTP Accept: request header, indicating the
MIME type for Atom service discovery. The response to this GET MIME type for Atom service discovery. The response to this GET
request will be an XML document that contains information on the request will be an XML document that contains information on the
specific Collections that are provided. specific Collections that are provided.
Example HTTP GET response: Example HTTP GET response:
skipping to change at page 43, line 7 skipping to change at page 41, line 7
src="https://example.org/provider/vulns/123456/data"> src="https://example.org/provider/vulns/123456/data">
</content> </content>
</entry> </entry>
The example response above shows an XML document referenced by the The example response above shows an XML document referenced by the
"src" attribute of the atom:content element. The client may retrieve "src" attribute of the atom:content element. The client may retrieve
the document using this URL. the document using this URL.
Appendix C. Change History Appendix C. Change History
Changes in draft-ietf-mile-rolie-12 since draft-ietf-mile-rolie-11 Changes in draft-ietf-mile-rolie-14 since draft-ietf-mile-rolie-13
revision: revision:
Addressed comments from IESG review. Removed /.well-known registration and updated Discovery text.
Fixed small namespacing error in RNC schema.
Changes in draft-ietf-mile-rolie-13 since draft-ietf-mile-rolie-12
revision:
Adjusted .well-known registration.
Updated IANA Consideration text.
Changes in draft-ietf-mile-rolie-11 since draft-ietf-mile-rolie-09 Changes in draft-ietf-mile-rolie-11 since draft-ietf-mile-rolie-09
revision: revision:
Incorporated ART last call review and AD review changes. Incorporated ART last call review and AD review changes.
Changes in draft-ietf-mile-rolie-09 since draft-ietf-mile-rolie-08 Changes in draft-ietf-mile-rolie-09 since draft-ietf-mile-rolie-08
revision: revision:
TLS requirements changed to clarify TLS versioning and TLS requirements changed to clarify TLS versioning and
 End of changes. 54 change blocks. 
166 lines changed or deleted 118 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/