Tech-invite3GPPspecsGlossariesIETFRFCsGroupsSIPABNFsWorld Map

RFC 7970

 
 
 

The Incident Object Description Exchange Format Version 2

Part 8 of 9, p. 150 to 167
Prev Section       Next Section

 


prevText      Top      ToC       Page 150 
    <xs:element name="File">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:FileName" minOccurs="0"/>
          <xs:element ref="iodef:FileSize" minOccurs="0"/>
          <xs:element ref="FileType" minOccurs="0"/>
          <xs:element ref="iodef:URL"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:HashData" minOccurs="0"/>
          <xs:element ref="iodef:SignatureData" minOccurs="0"/>
          <xs:element ref="iodef:AssociatedSoftware" minOccurs="0"/>
          <xs:element ref="iodef:FileProperties"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
      </xs:complexType>
    </xs:element>
    <xs:element name="FileName" type="xs:string"/>
    <xs:element name="FileSize" type="xs:integer"/>
    <xs:element name="FileType" type="xs:string"/>
    <xs:element name="AssociatedSoftware" type="iodef:SoftwareType"/>
    <xs:element name="FileProperties" type="iodef:ExtensionType"/>
    <!--
    ====================================================================
    ==  HashData class                                                ==
    ====================================================================
    -->
    <xs:element name="HashData">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:HashTargetID" minOccurs="0"/>
          <xs:element ref="iodef:Hash"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:FuzzyHash"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="scope"
                      type="hashdata-scope-type" use="required"/>
        <xs:attribute name="ext-scope" type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>
    <xs:element name="HashTargetID" type="xs:string"/>
    <xs:simpleType name="hashdata-scope-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="file-contents"/>
        <xs:enumeration value="file-pe-section"/>
        <xs:enumeration value="file-pe-iat"/>
        <xs:enumeration value="file-pe-resource"/>

Top      Up      ToC       Page 151 
        <xs:enumeration value="file-pdf-object"/>
        <xs:enumeration value="email-hash"/>
        <xs:enumeration value="email-headers-hash"/>
        <xs:enumeration value="email-body-hash"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
    <xs:element name="Hash">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="ds:DigestMethod"/>
          <xs:element ref="ds:DigestValue"/>
          <xs:element ref="ds:CanonicalizationMethod"
                      minOccurs="0"/>
          <xs:element ref="iodef:Application" minOccurs="0"/>
        </xs:sequence>
      </xs:complexType>
    </xs:element>
    <xs:element name="FuzzyHash">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:FuzzyHashValue"
                      maxOccurs="unbounded"/>
          <xs:element ref="iodef:Application" minOccurs="0"/>
          <xs:element ref="iodef:AdditionalData"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
      </xs:complexType>
    </xs:element>
    <xs:element name="FuzzyHashValue" type="iodef:ExtensionType"/>
    <!--
     ===================================================================
     ==  SignatureData class                                          ==
     ===================================================================
    -->
    <xs:element name="SignatureData">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="ds:Signature" maxOccurs="unbounded"/>
        </xs:sequence>
      </xs:complexType>
    </xs:element>
    <!--
     ===================================================================
     ==  CertificateData class                                        ==
     ===================================================================
    -->
    <xs:element name="CertificateData">

Top      Up      ToC       Page 152 
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:Certificate" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="restriction"
                      type="iodef:restriction-type" use="optional"/>
        <xs:attribute name="ext-restriction"
                      type="xs:string" use="optional"/>
        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
      </xs:complexType>
    </xs:element>
    <xs:element name="Certificate">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="ds:X509Data"/>
          <xs:element ref="iodef:Description"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
      </xs:complexType>
    </xs:element>
    <!--
     ===================================================================
     == IndicatorData class                                           ==
     ===================================================================
    -->
    <xs:element name="IndicatorData">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:Indicator"
                      minOccurs="1" maxOccurs="unbounded"/>
        </xs:sequence>
      </xs:complexType>
    </xs:element>
    <xs:element name="Indicator">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:IndicatorID"/>
          <xs:element ref="iodef:AlternativeIndicatorID"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Description"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:StartTime" minOccurs="0"/>
          <xs:element ref="iodef:EndTime" minOccurs="0"/>
          <xs:element ref="iodef:Confidence" minOccurs="0"/>
          <xs:element ref="iodef:Contact"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:choice>

Top      Up      ToC       Page 153 
            <xs:element ref="iodef:Observable"/>
            <xs:element ref="iodef:ObservableReference"/>
            <xs:element ref="iodef:IndicatorExpression"/>
            <xs:element ref="iodef:IndicatorReference"/>
          </xs:choice>
          <xs:element ref="iodef:NodeRole"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:AttackPhase"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Reference"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:AdditionalData"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="restriction"
                      type="iodef:restriction-type" use="optional"/>
        <xs:attribute name="ext-restriction"
                      type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>
    <xs:element name="IndicatorID">
      <xs:complexType>
        <xs:simpleContent>
          <xs:extension base="xs:ID">
            <xs:attribute name="name" type="xs:string" use="required"/>
            <xs:attribute name="version"
                          type="xs:string" use="required"/>
          </xs:extension>
        </xs:simpleContent>
      </xs:complexType>
    </xs:element>
    <xs:element name="AlternativeIndicatorID">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:IndicatorID" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="restriction"
                      type="iodef:restriction-type" use="optional"/>
        <xs:attribute name="ext-restriction"
                      type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>
    <xs:element name="Observable">
      <xs:complexType>
        <xs:choice>
          <xs:element ref="iodef:System" minOccurs="0"/>
          <xs:element ref="iodef:Address" minOccurs="0"/>
          <xs:element ref="iodef:DomainData" minOccurs="0"/>

Top      Up      ToC       Page 154 
          <xs:element ref="iodef:Service" minOccurs="0"/>
          <xs:element ref="iodef:EmailData" minOccurs="0"/>
          <xs:element ref="iodef:WindowsRegistryKeysModified"
                           minOccurs="0"/>
          <xs:element ref="iodef:FileData" minOccurs="0"/>
          <xs:element ref="iodef:CertificateData" minOccurs="0"/>
          <xs:element ref="iodef:RegistryHandle" minOccurs="0"/>
          <xs:element ref="iodef:RecordData" minOccurs="0"/>
          <xs:element ref="iodef:EventData" minOccurs="0"/>
          <xs:element ref="iodef:Incident" minOccurs="0"/>
          <xs:element ref="iodef:Expectation" minOccurs="0"/>
          <xs:element ref="iodef:Reference" minOccurs="0"/>
          <xs:element ref="iodef:Assessment" minOccurs="0"/>
          <xs:element ref="iodef:DetectionPattern" minOccurs="0"/>
          <xs:element ref="iodef:HistoryItem" minOccurs="0"/>
          <xs:element ref="iodef:BulkObservable" minOccurs="0"/>
          <xs:element ref="iodef:AdditionalData"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:choice>
        <xs:attribute name="restriction"
                      type="iodef:restriction-type" use="optional"/>
        <xs:attribute name="ext-restriction"
                      type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>
    <xs:element name="BulkObservable">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:BulkObservableFormat" minOccurs="0"/>
          <xs:element name="BulkObservableList"/>
          <xs:element ref="iodef:AdditionalData"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="type"
                      type="bulkobservable-type-type" use="required"/>
        <xs:attribute name="ext-type" type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>
    <xs:simpleType name="bulkobservable-type-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="asn"/>
        <xs:enumeration value="atm"/>
        <xs:enumeration value="e-mail"/>
        <xs:enumeration value="ipv4-addr"/>
        <xs:enumeration value="ipv4-net"/>
        <xs:enumeration value="ipv4-net-mask"/>
        <xs:enumeration value="ipv6-addr"/>
        <xs:enumeration value="ipv6-net"/>

Top      Up      ToC       Page 155 
        <xs:enumeration value="ipv6-net-mask"/>
        <xs:enumeration value="mac"/>
        <xs:enumeration value="site-uri"/>
        <xs:enumeration value="domain-name"/>
        <xs:enumeration value="domain-to-ipv4"/>
        <xs:enumeration value="domain-to-ipv6"/>
        <xs:enumeration value="domain-to-ipv4-timestamp"/>
        <xs:enumeration value="domain-to-ipv6-timestamp"/>
        <xs:enumeration value="ipv4-port"/>
        <xs:enumeration value="ipv6-port"/>
        <xs:enumeration value="windows-reg-key"/>
        <xs:enumeration value="file-hash"/>
        <xs:enumeration value="email-x-mailer"/>
        <xs:enumeration value="email-subject"/>
        <xs:enumeration value="http-user-agent"/>
        <xs:enumeration value="http-request-uri"/>
        <xs:enumeration value="mutex"/>
        <xs:enumeration value="file-path"/>
        <xs:enumeration value="user-name"/>
      </xs:restriction>
    </xs:simpleType>
    <xs:element name="BulkObservableFormat">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:Hash" minOccurs="0"/>
          <xs:element ref="iodef:AdditionalData"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
      </xs:complexType>
    </xs:element>
    <xs:element name="BulkObservableList" type="xs:string"/>
    <xs:element name="IndicatorExpression">
      <xs:complexType>
        <xs:sequence maxOccurs="unbounded">
          <xs:choice>
            <xs:element ref="iodef:IndicatorExpression"/>
            <xs:element ref="iodef:Observable"/>
            <xs:element ref="iodef:ObservableReference"/>
            <xs:element ref="iodef:IndicatorReference"/>
          </xs:choice>
          <xs:element ref="iodef:Confidence" minOccurs="0"/>
          <xs:element ref="iodef:AdditionalData"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="operator"
                      type="indicatorexpression-operator-type"
                      use="optional" default="and"/>
        <xs:attribute name="ext-operator"

Top      Up      ToC       Page 156 
                      type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>
    <xs:simpleType name="indicatorexpression-operator-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="not"/>
        <xs:enumeration value="and"/>
        <xs:enumeration value="or"/>
        <xs:enumeration value="xor"/>
      </xs:restriction>
    </xs:simpleType>
    <xs:element name="ObservableReference">
      <xs:complexType>
        <xs:attribute name="uid-ref" type="xs:IDREF" use="required"/>
      </xs:complexType>
    </xs:element>
    <xs:element name="IndicatorReference">
      <xs:complexType>
        <xs:attribute name="uid-ref" type="xs:IDREF" use="optional"/>
        <xs:attribute name="euid-ref" type="xs:string" use="optional"/>
        <xs:attribute name="version" type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>
    <xs:element name="AttackPhase">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:AttackPhaseID"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:URL" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Description"
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:AdditionalData"
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
      </xs:complexType>
    </xs:element>
    <xs:element name="AttackPhaseID" type="xs:string"/>
    <!--
     ===================================================================
     == Miscellaneous classes                                         ==
     ===================================================================
    -->
    <xs:element name="AdditionalData" type="iodef:ExtensionType"/>
    <xs:element name="Description" type="iodef:MLStringType"/>
    <xs:element name="URL" type="xs:anyURI"/>

Top      Up      ToC       Page 157 
    <!--
     ===================================================================
     == IODEF data types                                              ==
     ===================================================================
    -->
    <xs:simpleType name="PositiveFloatType">
      <xs:restriction base="xs:float">
        <xs:minExclusive value="0"/>
      </xs:restriction>
    </xs:simpleType>
    <xs:complexType name="MLStringType">
      <xs:simpleContent>
        <xs:extension base="xs:string">
          <xs:attribute name="translation-id"
                        type="xs:string" use="optional"/>
          <xs:attribute ref="xml:lang"/>
        </xs:extension>
      </xs:simpleContent>
    </xs:complexType>
    <xs:simpleType name="PortlistType">
      <xs:restriction base="xs:string">
        <xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/>
      </xs:restriction>
    </xs:simpleType>
    <xs:simpleType name="TimezoneType">
      <xs:restriction base="xs:string">
        <xs:pattern
         value="Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"/>
      </xs:restriction>
    </xs:simpleType>
    <xs:complexType name="ExtensionType" mixed="true">
      <xs:sequence>
        <xs:any namespace="##any" processContents="lax"
                minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>

      <xs:attribute name="name" type="xs:string" use="optional"/>
      <xs:attribute name="dtype"
                    type="iodef:dtype-type" use="required"/>
      <xs:attribute name="ext-dtype" type="xs:string" use="optional"/>
      <xs:attribute name="meaning" type="xs:string" use="optional"/>
      <xs:attribute name="formatid" type="xs:string" use="optional"/>
      <xs:attribute name="restriction"
                    type="iodef:restriction-type" use="optional"/>
      <xs:attribute name="ext-restriction"
                    type="xs:string" use="optional"/>
      <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
    </xs:complexType>

Top      Up      ToC       Page 158 
    <xs:complexType name="SoftwareType">
      <xs:sequence>
        <xs:element ref="iodef:SoftwareReference" minOccurs="0"/>
        <xs:element ref="iodef:URL"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:Description"
                    minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
    <xs:element name="SoftwareReference">
      <xs:complexType>
        <xs:sequence>
          <xs:any namespace="##any" processContents="lax"
                  minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="spec-name"
                      type="softwarereference-spec-name-type"
                      use="required"/>
        <xs:attribute name="ext-spec-name"
                      type="xs:string" use="optional"/>
        <xs:attribute name="dtype"
                      type="softwarereference-dtype-type"
                      use="optional"/>
        <xs:attribute name="ext-dtype" type="xs:string" use="optional"/>
      </xs:complexType>
    </xs:element>
    <xs:simpleType name="softwarereference-spec-name-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="custom"/>
        <xs:enumeration value="cpe"/>
        <xs:enumeration value="swid"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
    <xs:simpleType name="softwarereference-dtype-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="bytes"/>
        <xs:enumeration value="integer"/>
        <xs:enumeration value="real"/>
        <xs:enumeration value="string"/>
        <xs:enumeration value="xml"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
    <!--
     ===================================================================
     == Global attribute type declarations                            ==
     ===================================================================

Top      Up      ToC       Page 159 
    -->
    <xs:simpleType name="yes-no-unknown-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="yes"/>
        <xs:enumeration value="no"/>
        <xs:enumeration value="unknown"/>
      </xs:restriction>
    </xs:simpleType>
    <xs:simpleType name="restriction-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="default"/>
        <xs:enumeration value="public"/>
        <xs:enumeration value="partner"/>
        <xs:enumeration value="need-to-know"/>
        <xs:enumeration value="private"/>
        <xs:enumeration value="white"/>
        <xs:enumeration value="green"/>
        <xs:enumeration value="amber"/>
        <xs:enumeration value="red"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
    <xs:simpleType name="severity-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="low"/>
        <xs:enumeration value="medium"/>
        <xs:enumeration value="high"/>
      </xs:restriction>
    </xs:simpleType>
    <xs:simpleType name="duration-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="second"/>
        <xs:enumeration value="minute"/>
        <xs:enumeration value="hour"/>
        <xs:enumeration value="day"/>
        <xs:enumeration value="month"/>
        <xs:enumeration value="quarter"/>
        <xs:enumeration value="year"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
    <xs:simpleType name="action-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="nothing"/>
        <xs:enumeration value="contact-source-site"/>
        <xs:enumeration value="contact-target-site"/>
        <xs:enumeration value="contact-sender"/>
        <xs:enumeration value="investigate"/>

Top      Up      ToC       Page 160 
        <xs:enumeration value="block-host"/>
        <xs:enumeration value="block-network"/>
        <xs:enumeration value="block-port"/>
        <xs:enumeration value="rate-limit-host"/>
        <xs:enumeration value="rate-limit-network"/>
        <xs:enumeration value="rate-limit-port"/>
        <xs:enumeration value="redirect-traffic"/>
        <xs:enumeration value="honeypot"/>
        <xs:enumeration value="upgrade-software"/>
        <xs:enumeration value="rebuild-asset"/>
        <xs:enumeration value="harden-asset"/>
        <xs:enumeration value="remediate-other"/>
        <xs:enumeration value="status-triage"/>
        <xs:enumeration value="status-new-info"/>
        <xs:enumeration value="watch-and-report"/>
        <xs:enumeration value="defined-coa"/>
        <xs:enumeration value="other"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
    <xs:simpleType name="dtype-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="boolean"/>
        <xs:enumeration value="byte"/>
        <xs:enumeration value="bytes"/>
        <xs:enumeration value="character"/>
        <xs:enumeration value="date-time"/>
        <xs:enumeration value="integer"/>
        <xs:enumeration value="ntpstamp"/>
        <xs:enumeration value="portlist"/>
        <xs:enumeration value="real"/>
        <xs:enumeration value="string"/>
        <xs:enumeration value="file"/>
        <xs:enumeration value="path"/>
        <xs:enumeration value="frame"/>
        <xs:enumeration value="packet"/>
        <xs:enumeration value="ipv4-packet"/>
        <xs:enumeration value="ipv6-packet"/>
        <xs:enumeration value="url"/>
        <xs:enumeration value="csv"/>
        <xs:enumeration value="winreg"/>
        <xs:enumeration value="xml"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>
  </xs:schema>

Top      Up      ToC       Page 161 
9.  Security Considerations

   The IODEF data model does not directly introduce security or privacy
   issues.  However, as the data encoded by the IODEF might be
   considered sensitive by the parties exchanging it or by those
   described by it, care needs to be taken to ensure appropriate
   handling during the document construction, exchange, processing,
   archiving, subsequent retrieval, and analysis.

9.1.  Security

   The underlying messaging format and protocol used to exchange
   instances of the IODEF MUST provide appropriate guarantees of
   confidentiality, integrity, and authenticity.  The use of a
   standardized security protocol is encouraged.  The Real-time Inter-
   network Defense (RID) protocol [RFC6545] and its associated transport
   binding IODEF/RID over HTTP/TLS [RFC6546] provide such security.

   An IODEF implementation may act on the data in the document.  These
   actions might be explicitly requested in the document or the result
   of analytical logic that triggered on data in the document.  For this
   reason, care must be taken by IODEF implementations to properly
   authenticate the sender and receiver of the document.  The sender
   needs confidence that sensitive information and timely requests for
   action are sent to the correct recipient.  The recipient may
   interpret the contents of the document differently based on who sent
   it or vary actions based on the sender.  While the sender of the
   document may explicitly convey confidence in the data in a granular
   way using the Confidence class, the recipient is free to ignore or
   refine this information to make its own assessment.  Ambiguous
   Confidence elements (where it is unclear to which of a set of other
   elements the Confidence element relates) in a document MUST be
   ignored by the recipient.

   Certain classes may require out-of-band coordination to agree upon
   their semantics (e.g., Confidence@rating="low" or DefinedCOA).  This
   coordination MUST occur prior to operational data exchange to prevent
   the incorrect interpretation of these select data elements.  When
   parsing these data elements, implementations should validate, when
   possible, that they conform to the agreed upon semantics.  These
   semantics may need to be periodically reevaluated.

   Executable content of various forms could be embedded into the IODEF
   document directly or through an extension.  Implementation MUST
   handle this content with care to prevent unintentional automated
   execution.  The following classes are explicitly intended to
   represent content that might be executable:

Top      Up      ToC       Page 162 
   o  All classes of type iodef:ExtensionType and the RecordPattern
      class can represent arbitrary binary strings such as legitimate
      software programs or malware.

   o  The EmailMessage and EmailBody classes can represent email
      attachments that can contain arbitrary content.

   o  The DetectionPattern class could specify a machine-readable
      configuration that directs the execution of the corresponding
      tool.

   Per Section 4.3, IODEF implementations will need to periodically
   consult the IANA registries specified in Section 10.2 to discover
   newly registered enumerated attribute values.  These implementations
   MUST communicate with IANA in a way that ensures the integrity of the
   values and the authenticity of the source.  HTTPS over TLS
   [RFC2818][RFC5246] provides such security.

9.2.  Privacy

   The IODEF contains numerous fields that are identifiers that could be
   linked to an individual or organization.  IODEF documents may contain
   sensitive information about these identified parties; repeated
   document exchanges about the same and related parties may enable the
   correlation of data about them.  Likewise, a party may report on
   another to a third party without their knowledge.

   When creating an IODEF document, careful consideration must be given
   to what information is shared.  Personal identifiers and attributable
   sensitive information should only be shared when necessary.

   When exchanging documents, transport security MUST provide document-
   level confidentiality.  XML element-level confidentiality can also be
   provided by using [W3C.XMLENC].

   In order to suggest data processing and handling guidelines of the
   encoded information, the IODEF allows a document sender to convey a
   privacy policy using the restriction attribute.  The various
   instances of this attribute allow different data elements of the
   document to be covered by dissimilar policies.  While flexible, it
   must be stressed that this approach only serves as a guideline from
   the sender, as the recipient is free to ignore it.

   Although outside of the scope of an IODEF implementation, the
   contents of IODEF documents and any derived analysis should be
   archived with appropriate confidentiality controls.  Likewise, access
   to retrieve and analyze this data should be restricted to authorized
   users.

Top      Up      ToC       Page 163 
10.  IANA Considerations

   This document registers a namespace, an XML schema, and a number of
   registries that map to enumerated values defined in the data model.
   It also defines an Expert Review process for IODEF-related XML
   registry entries.

10.1.  Namespace and Schema

   This document uses URNs to describe an XML namespace and schema
   conforming to a registry mechanism described in [RFC3688].

   Registration for the IODEF namespace:

   o  URI: urn:ietf:params:xml:ns:iodef-2.0

   o  Registrant Contact: See the author in the "Author's Address"
      section of this document.

   o  XML: None.  Namespace URIs do not represent an XML specification.

   Registration for the IODEF XML schema:

   o  URI: urn:ietf:params:xml:schema:iodef-2.0

   o  Registrant Contact: See the first author of the "Author's Address"
      section of this document.

   o  XML: See Section 8 of this document.

10.2.  Enumerated Value Registries

   This document creates 34 identically structured registries to be
   managed by IANA:

   o  Name of the parent registry: "Incident Object Description Exchange
      Format v2 (IODEF)"

   o  URL of the registry: <http://www.iana.org/assignments/iodef2>

   o  Namespace format: A registry entry consists of:

      *  Value.  A value for a given IODEF attribute.  It MUST conform
         to the formatting specified by the IODEF ENUM data type which
         is implemented as an "xs:NMTOKEN" type per Section 3.3.4 of
         [W3C.SCHEMA.DTYPES].  The value SHOULD conform to the
         convention specified in Section 5.2.

Top      Up      ToC       Page 164 
      *  Description.  A short description of the enumerated value.

      *  Reference.  An optional list of URIs to further describe the
         value.

   o  Allocation policy: Expert Review per [RFC5226].  This reviewer
      will ensure that the requested registry entry conforms to the
      prescribed formatting.  The reviewer will also ensure that the
      entry is an appropriate value for the attribute per the
      information model (Section 3).

   The registries to be created are named in the "Registry Name" column
   of Table 1.  Each registry is initially populated with values and
   descriptions that come from an attribute specified in the IODEF
   schema (Section 8) whose description is found in a sub-section of the
   information model (Section 3).  The initial values for the Value and
   Description fields of a given registry are listed in the "IV (Value)"
   and "IV (Desc.)" columns, respectively.  The "IV (Value)" points to a
   given schema type per Section 8.  Each enumerated value in the schema
   gets a corresponding entry in a given registry.  The "IV (Desc.)"
   points to a section in the text of this document that describes each
   enumerated value.  The initial value of the Reference field of every
   registry entry described below should be this document.

Top      Up      ToC       Page 165 
   +-------------------------+-----------------------------+-----------+
   |      Registry Name      |          IV (Value)         |     IV    |
   |                         |                             |  (Desc.)  |
   +-------------------------+-----------------------------+-----------+
   |       Restriction       |    iodef-restriction-type   |   3.3.1   |
   |                         |                             |           |
   |     Incident-purpose    |    incident-purpose-type    |    3.2    |
   |                         |                             |           |
   |     Incident-status     |     incident-status-type    |    3.2    |
   |                         |                             |           |
   |       Contact-role      |      contact-role-type      |    3.9    |
   |                         |                             |           |
   |       Contact-type      |      contact-type-type      |    3.9    |
   |                         |                             |           |
   | RegistryHandle-registry |   registryhandle-registry-  |   3.9.1   |
   |                         |             type            |           |
   |                         |                             |           |
   |    PostalAddress-type   |   postaladdress-type-type   |   3.9.2   |
   |                         |                             |           |
   |      Telephone-type     |     telephone-type-type     |   3.9.4   |
   |                         |                             |           |
   |        Email-type       |       email-type-type       |   3.9.3   |
   |                         |                             |           |
   |    Expectation-action   |         action-type         |    3.15   |
   |                         |                             |           |
   |     Discovery-source    |    discovery-source-type    |    3.10   |
   |                         |                             |           |
   |    SystemImpact-type    |    systemimpact-type-type   |   3.12.1  |
   |                         |                             |           |
   | BusinessImpact-severity |   businessimpact-severity-  |   3.12.2  |
   |                         |             type            |           |
   |                         |                             |           |
   |   BusinessImpact-type   |   businessimpact-type-type  |   3.12.2  |
   |                         |                             |           |
   |    TimeImpact-metric    |    timeimpact-metric-type   |   3.12.3  |
   |                         |                             |           |
   |   TimeImpact-duration   |        duration-type        |   3.12.3  |
   |                         |                             |           |
   |    Confidence-rating    |    confidence-rating-type   |   3.12.5  |
   |                         |                             |           |
   |    NodeRole-category    |    noderole-category-type   |   3.18.2  |
   |                         |                             |           |
   |     System-category     |     system-category-type    |    3.17   |
   |                         |                             |           |
   |     System-ownership    |    system-ownership-type    |    3.17   |
   |                         |                             |           |
   |     Address-category    |    address-category-type    |   3.18.1  |
   |                         |                             |           |

Top      Up      ToC       Page 166 
   |       Counter-type      |      counter-type-type      |   3.18.3  |
   |                         |                             |           |
   |       Counter-unit      |      counter-unit-type      |   3.18.3  |
   |                         |                             |           |
   |    DomainData-system-   |  domaindata-system-status-  |    3.19   |
   |          status         |             type            |           |
   |                         |                             |           |
   |    DomainData-domain-   |  domaindata-domain-status-  |    3.19   |
   |          status         |             type            |           |
   |                         |                             |           |
   |    RecordPattern-type   |   recordpattern-type-type   |   3.22.2  |
   |                         |                             |           |
   |      RecordPattern-     |  recordpattern-offsetunit-  |   3.22.2  |
   |        offsetunit       |             type            |           |
   |                         |                             |           |
   |    Key-registryaction   |   key-registryaction-type   |   3.23.1  |
   |                         |                             |           |
   |      HashData-scope     |     hashdata-scope-type     |    3.26   |
   |                         |                             |           |
   |   BulkObservable-type   |   bulkobservable-type-type  |  3.29.3.1 |
   |                         |                             |           |
   |   IndicatorExpression-  |     indicatorexpression-    |   3.29.4  |
   |         operator        |        operator-type        |           |
   |                         |                             |           |
   |   ExtensionType-dtype   |          dtype-type         |    2.16   |
   |                         |                             |           |
   | SoftwareReference-spec- |  softwarereference-spec-id- |   2.15.1  |
   |            id           |             type            |           |
   |                         |                             |           |
   | SoftwareReference-dtype |   softwarereference-dtype-  |   2.15.1  |
   |                         |             type            |           |
   +-------------------------+-----------------------------+-----------+

                 Table 1: IANA Enumerated Value Registries

10.3.  Expert Review of IODEF-Related XML Registry Entries

   IODEF class extensions, per Section 5.2, could register their
   namespaces and schemas with the IANA XML namespace ("ns" on
   <http://www.iana.org/assignments/xml-registry/>) and schema
   registries ("schema" on <http://www.iana.org/assignments/
   xml-registry/>) described in [RFC3688].  In addition to any reviews
   required by IANA, changes to the XML "schema" registry for schema
   names beginning with "urn:ietf:params:xml:schema:iodef" are subject
   to an additional IODEF Expert Review [RFC5226] to ensure
   compatibility with IODEF and other existing IODEF extensions.

Top      Up      ToC       Page 167 
   The IODEF expert(s) for these reviews will be designated by the IETF
   Security Area Directors.

   This document obsoletes [RFC6685].



(page 167 continued on part 9)

Next Section