<!-- File: one file observable. Every child is optional, so an empty File
     element validates; consumers should not assume any child is present. -->
<xs:element name="File">
  <xs:complexType>
    <xs:sequence>
      <xs:element ref="iodef:FileName" minOccurs="0"/>
      <xs:element ref="iodef:FileSize" minOccurs="0"/>
      <!-- NOTE(review): unlike its siblings this ref has no iodef: prefix. It
           resolves only if the schema root (outside this excerpt) binds the
           default namespace to the IODEF target namespace; confirm. -->
      <xs:element ref="FileType" minOccurs="0"/>
      <xs:element ref="iodef:URL" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:HashData" minOccurs="0"/>
      <xs:element ref="iodef:SignatureData" minOccurs="0"/>
      <xs:element ref="iodef:AssociatedSoftware" minOccurs="0"/>
      <xs:element ref="iodef:FileProperties" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <!-- xs:ID: must be unique among all ID-typed values in the document. -->
    <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
  </xs:complexType>
</xs:element>

<!-- FileName and FileType are unconstrained xs:string values; FileSize is an
     xs:integer with no bounds (negative values validate). Range and
     sanity checks are left to the consumer. -->
<xs:element name="FileName" type="xs:string"/>
<xs:element name="FileSize" type="xs:integer"/>
<xs:element name="FileType" type="xs:string"/>
<xs:element name="AssociatedSoftware" type="iodef:SoftwareType"/>
<!-- ExtensionType accepts arbitrary mixed content (see its definition). -->
<xs:element name="FileProperties" type="iodef:ExtensionType"/>

<!--
 ====================================================================
 ==  HashData class                                                ==
 ====================================================================
-->
<!-- HashData: zero or more Hash and FuzzyHash values plus a required scope
     attribute saying what was hashed. All children are optional, so a
     HashData element carrying no hash at all still validates. -->
<xs:element name="HashData">
  <xs:complexType>
    <xs:sequence>
      <xs:element ref="iodef:HashTargetID" minOccurs="0"/>
      <xs:element ref="iodef:Hash" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:FuzzyHash" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <!-- NOTE(review): type name is unprefixed here, while other attributes in
         this schema use iodef:...; depends on the default namespace binding
         of the schema root, which is outside this excerpt. -->
    <xs:attribute name="scope" type="hashdata-scope-type" use="required"/>
    <xs:attribute name="ext-scope" type="xs:string" use="optional"/>
  </xs:complexType>
</xs:element>

<xs:element name="HashTargetID" type="xs:string"/>

<!-- Initial values of the HashData-scope registry (Table 1, Section 10.2).
     "ext-value" presumably signals that the real value is carried in the
     ext-scope attribute; confirm against the information model. -->
<xs:simpleType name="hashdata-scope-type">
  <xs:restriction base="xs:NMTOKEN">
    <xs:enumeration value="file-contents"/>
    <xs:enumeration value="file-pe-section"/>
    <xs:enumeration value="file-pe-iat"/>
    <xs:enumeration value="file-pe-resource"/>
    <xs:enumeration value="file-pdf-object"/>
    <xs:enumeration value="email-hash"/>
    <xs:enumeration value="email-headers-hash"/>
    <xs:enumeration value="email-body-hash"/>
    <xs:enumeration value="ext-value"/>
  </xs:restriction>
</xs:simpleType>

<!-- Hash: a digest expressed with elements from the namespace bound to the
     ds prefix (bound outside this excerpt). DigestMethod and DigestValue are
     required. Nothing in this excerpt restricts which digest algorithm is
     named, so algorithm acceptance policy is up to the consumer. -->
<xs:element name="Hash">
  <xs:complexType>
    <xs:sequence>
      <xs:element ref="ds:DigestMethod"/>
      <xs:element ref="ds:DigestValue"/>
      <xs:element ref="ds:CanonicalizationMethod" minOccurs="0"/>
      <xs:element ref="iodef:Application" minOccurs="0"/>
    </xs:sequence>
  </xs:complexType>
</xs:element>

<!-- FuzzyHash: at least one FuzzyHashValue is required. -->
<xs:element name="FuzzyHash">
  <xs:complexType>
    <xs:sequence>
      <xs:element ref="iodef:FuzzyHashValue" maxOccurs="unbounded"/>
      <xs:element ref="iodef:Application" minOccurs="0"/>
      <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
</xs:element>

<xs:element name="FuzzyHashValue" type="iodef:ExtensionType"/>

<!--
 ===================================================================
 ==  SignatureData class                                          ==
 ===================================================================
-->
<!-- SignatureData: one or more ds:Signature elements. Schema validation
     checks structure only; it does not verify any signature. -->
<xs:element name="SignatureData">
  <xs:complexType>
    <xs:sequence>
      <xs:element ref="ds:Signature" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
</xs:element>

<!--
 ===================================================================
 ==  CertificateData class                                        ==
 ===================================================================
-->
<!-- CertificateData: one or more Certificate elements, with optional
     restriction (handling policy) and observable-id attributes. -->
<xs:element name="CertificateData">
  <xs:complexType>
    <xs:sequence>
      <xs:element ref="iodef:Certificate" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="restriction" type="iodef:restriction-type" use="optional"/>
    <xs:attribute name="ext-restriction" type="xs:string" use="optional"/>
    <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
  </xs:complexType>
</xs:element>

<!-- Certificate: exactly one ds:X509Data plus optional descriptions. The
     schema does not validate the certificate itself. -->
<xs:element name="Certificate">
  <xs:complexType>
    <xs:sequence>
      <xs:element ref="ds:X509Data"/>
      <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
  </xs:complexType>
</xs:element>

<!--
 ===================================================================
 ==  IndicatorData class                                          ==
 ===================================================================
-->
<!-- IndicatorData: container for one or more Indicator elements. -->
<xs:element name="IndicatorData">
  <xs:complexType>
    <xs:sequence>
      <xs:element ref="iodef:Indicator" minOccurs="1" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
</xs:element>

<!-- Indicator: requires an IndicatorID and exactly one of Observable,
     ObservableReference, IndicatorExpression or IndicatorReference (the
     xs:choice has default occurrence 1). Everything else is optional. -->
<xs:element name="Indicator">
  <xs:complexType>
    <xs:sequence>
      <xs:element ref="iodef:IndicatorID"/>
      <xs:element ref="iodef:AlternativeIndicatorID" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:StartTime" minOccurs="0"/>
      <xs:element ref="iodef:EndTime" minOccurs="0"/>
      <xs:element ref="iodef:Confidence" minOccurs="0"/>
      <xs:element ref="iodef:Contact" minOccurs="0" maxOccurs="unbounded"/>
      <xs:choice>
        <xs:element ref="iodef:Observable"/>
        <xs:element ref="iodef:ObservableReference"/>
        <xs:element ref="iodef:IndicatorExpression"/>
        <xs:element ref="iodef:IndicatorReference"/>
      </xs:choice>
      <xs:element ref="iodef:NodeRole" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:AttackPhase" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:Reference" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="restriction" type="iodef:restriction-type" use="optional"/>
    <xs:attribute name="ext-restriction" type="xs:string" use="optional"/>
  </xs:complexType>
</xs:element>

<!-- IndicatorID: the element content is an xs:ID, so it must be an NCName
     and unique among all ID values in the document. name and version are
     required, free-form strings. -->
<xs:element name="IndicatorID">
  <xs:complexType>
    <xs:simpleContent>
      <xs:extension base="xs:ID">
        <xs:attribute name="name" type="xs:string" use="required"/>
        <xs:attribute name="version" type="xs:string" use="required"/>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>
</xs:element>

<!-- AlternativeIndicatorID: one or more further IndicatorID elements. -->
<xs:element name="AlternativeIndicatorID">
  <xs:complexType>
    <xs:sequence>
      <xs:element ref="iodef:IndicatorID" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="restriction" type="iodef:restriction-type" use="optional"/>
    <xs:attribute name="ext-restriction" type="xs:string" use="optional"/>
  </xs:complexType>
</xs:element>

<!-- Observable: a single xs:choice among the listed classes. Because every
     alternative has minOccurs="0", the choice can be satisfied by nothing:
     an empty Observable validates. Consumers must handle that case rather
     than assume one child exists. Only AdditionalData may repeat. -->
<xs:element name="Observable">
  <xs:complexType>
    <xs:choice>
      <xs:element ref="iodef:System" minOccurs="0"/>
      <xs:element ref="iodef:Address" minOccurs="0"/>
      <xs:element ref="iodef:DomainData" minOccurs="0"/>
      <xs:element ref="iodef:Service" minOccurs="0"/>
      <xs:element ref="iodef:EmailData" minOccurs="0"/>
      <xs:element ref="iodef:WindowsRegistryKeysModified" minOccurs="0"/>
      <xs:element ref="iodef:FileData" minOccurs="0"/>
      <xs:element ref="iodef:CertificateData" minOccurs="0"/>
      <xs:element ref="iodef:RegistryHandle" minOccurs="0"/>
      <xs:element ref="iodef:RecordData" minOccurs="0"/>
      <xs:element ref="iodef:EventData" minOccurs="0"/>
      <xs:element ref="iodef:Incident" minOccurs="0"/>
      <xs:element ref="iodef:Expectation" minOccurs="0"/>
      <xs:element ref="iodef:Reference" minOccurs="0"/>
      <xs:element ref="iodef:Assessment" minOccurs="0"/>
      <xs:element ref="iodef:DetectionPattern" minOccurs="0"/>
      <xs:element ref="iodef:HistoryItem" minOccurs="0"/>
      <xs:element ref="iodef:BulkObservable" minOccurs="0"/>
      <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/>
    </xs:choice>
    <xs:attribute name="restriction" type="iodef:restriction-type" use="optional"/>
    <xs:attribute name="ext-restriction" type="xs:string" use="optional"/>
  </xs:complexType>
</xs:element>

<!-- BulkObservable: a list of observables of one kind, named by the required
     type attribute. -->
<xs:element name="BulkObservable">
  <xs:complexType>
    <xs:sequence>
      <xs:element ref="iodef:BulkObservableFormat" minOccurs="0"/>
      <!-- NOTE(review): this is a local declaration (name=, no type), so its
           content is xs:anyType. The global BulkObservableList element
           declared below with type xs:string is not referenced here.
           Looks like ref="iodef:BulkObservableList" was intended; confirm. -->
      <xs:element name="BulkObservableList"/>
      <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <!-- NOTE(review): unprefixed type name; see the note on HashData/@scope. -->
    <xs:attribute name="type" type="bulkobservable-type-type" use="required"/>
    <xs:attribute name="ext-type" type="xs:string" use="optional"/>
  </xs:complexType>
</xs:element>

<!-- Initial values of the BulkObservable-type registry (Table 1). Unlike most
     enumerations in this schema, this one has no "ext-value" member even
     though BulkObservable carries an ext-type attribute. -->
<xs:simpleType name="bulkobservable-type-type">
  <xs:restriction base="xs:NMTOKEN">
    <xs:enumeration value="asn"/>
    <xs:enumeration value="atm"/>
    <xs:enumeration value="e-mail"/>
    <xs:enumeration value="ipv4-addr"/>
    <xs:enumeration value="ipv4-net"/>
    <xs:enumeration value="ipv4-net-mask"/>
    <xs:enumeration value="ipv6-addr"/>
    <xs:enumeration value="ipv6-net"/>
    <xs:enumeration value="ipv6-net-mask"/>
    <xs:enumeration value="mac"/>
    <xs:enumeration value="site-uri"/>
    <xs:enumeration value="domain-name"/>
    <xs:enumeration value="domain-to-ipv4"/>
    <xs:enumeration value="domain-to-ipv6"/>
    <xs:enumeration value="domain-to-ipv4-timestamp"/>
    <xs:enumeration value="domain-to-ipv6-timestamp"/>
    <xs:enumeration value="ipv4-port"/>
    <xs:enumeration value="ipv6-port"/>
    <xs:enumeration value="windows-reg-key"/>
    <xs:enumeration value="file-hash"/>
    <xs:enumeration value="email-x-mailer"/>
    <xs:enumeration value="email-subject"/>
    <xs:enumeration value="http-user-agent"/>
    <xs:enumeration value="http-request-uri"/>
    <xs:enumeration value="mutex"/>
    <xs:enumeration value="file-path"/>
    <xs:enumeration value="user-name"/>
  </xs:restriction>
</xs:simpleType>

<xs:element name="BulkObservableFormat">
  <xs:complexType>
    <xs:sequence>
      <xs:element ref="iodef:Hash" minOccurs="0"/>
      <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
</xs:element>

<!-- Free-form string: the schema places no constraint on length or on how
     the individual entries are delimited. -->
<xs:element name="BulkObservableList" type="xs:string"/>

<!-- IndicatorExpression: a boolean combination of observables and indicators.
     The element may contain itself, and both the repetition count and the
     nesting depth are unbounded, so a consumer that evaluates expressions
     recursively should enforce its own depth and size limits. -->
<xs:element name="IndicatorExpression">
  <xs:complexType>
    <xs:sequence maxOccurs="unbounded">
      <xs:choice>
        <xs:element ref="iodef:IndicatorExpression"/>
        <xs:element ref="iodef:Observable"/>
        <xs:element ref="iodef:ObservableReference"/>
        <xs:element ref="iodef:IndicatorReference"/>
      </xs:choice>
      <xs:element ref="iodef:Confidence" minOccurs="0"/>
      <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <!-- When operator is omitted, a validating parser supplies "and". -->
    <xs:attribute name="operator"
                  type="indicatorexpression-operator-type"
                  use="optional"
                  default="and"/>
    <xs:attribute name="ext-operator" type="xs:string" use="optional"/>
  </xs:complexType>
</xs:element>

<!-- Initial values of the IndicatorExpression-operator registry (Table 1). -->
<xs:simpleType name="indicatorexpression-operator-type">
  <xs:restriction base="xs:NMTOKEN">
    <xs:enumeration value="not"/>
    <xs:enumeration value="and"/>
    <xs:enumeration value="or"/>
    <xs:enumeration value="xor"/>
  </xs:restriction>
</xs:simpleType>

<!-- ObservableReference: uid-ref is an xs:IDREF, so a validating parser
     requires it to match some xs:ID value in the same document. The schema
     cannot check that the matched ID belongs to an observable. -->
<xs:element name="ObservableReference">
  <xs:complexType>
    <xs:attribute name="uid-ref" type="xs:IDREF" use="required"/>
  </xs:complexType>
</xs:element>

<!-- IndicatorReference: all three attributes are optional, so the schema
     accepts a reference that names nothing. euid-ref is a plain string and is
     not checked against anything by the schema. -->
<xs:element name="IndicatorReference">
  <xs:complexType>
    <xs:attribute name="uid-ref" type="xs:IDREF" use="optional"/>
    <xs:attribute name="euid-ref" type="xs:string" use="optional"/>
    <xs:attribute name="version" type="xs:string" use="optional"/>
  </xs:complexType>
</xs:element>

<!-- AttackPhase: note that URL is the only required child (no minOccurs, so
     at least one), while AttackPhaseID is optional. -->
<xs:element name="AttackPhase">
  <xs:complexType>
    <xs:sequence>
      <xs:element ref="iodef:AttackPhaseID" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:URL" maxOccurs="unbounded"/>
      <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
</xs:element>

<xs:element name="AttackPhaseID" type="xs:string"/>

<!--
 ===================================================================
 ==  Miscellaneous classes                                        ==
 ===================================================================
-->
<xs:element name="AdditionalData" type="iodef:ExtensionType"/>
<xs:element name="Description" type="iodef:MLStringType"/>
<!-- xs:anyURI does not restrict the URI scheme or require the value to be
     resolvable; any scheme allow-listing is up to the consumer. -->
<xs:element name="URL" type="xs:anyURI"/>
<!--
 ===================================================================
 ==  IODEF data types                                             ==
 ===================================================================
-->
<!-- A float strictly greater than zero. -->
<xs:simpleType name="PositiveFloatType">
  <xs:restriction base="xs:float">
    <xs:minExclusive value="0"/>
  </xs:restriction>
</xs:simpleType>

<!-- Multilingual string: text content with an optional xml:lang tag and an
     optional translation-id. -->
<xs:complexType name="MLStringType">
  <xs:simpleContent>
    <xs:extension base="xs:string">
      <xs:attribute name="translation-id" type="xs:string" use="optional"/>
      <xs:attribute ref="xml:lang"/>
    </xs:extension>
  </xs:simpleContent>
</xs:complexType>

<!-- Comma-separated list of ports or port ranges, e.g. "22,80-443" (sample
     value constructed for illustration). The pattern checks shape only:
     the digit runs are unbounded, so values above 65535 and reversed ranges
     still validate, and in XSD regular expressions \d matches any Unicode
     decimal digit, not just ASCII 0-9. Consumers should range-check. -->
<xs:simpleType name="PortlistType">
  <xs:restriction base="xs:string">
    <xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/>
  </xs:restriction>
</xs:simpleType>

<!-- Either "Z" or a signed offset hh:mm with hours 00 to 14 and minutes
     00 to 59. -->
<xs:simpleType name="TimezoneType">
  <xs:restriction base="xs:string">
    <xs:pattern value="Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"/>
  </xs:restriction>
</xs:simpleType>

<!-- ExtensionType: the schema's open extension point. Content is mixed (text
     and elements), and the wildcard admits any number of elements from any
     namespace with lax validation, so elements with no known declaration
     pass unchecked. Only the dtype attribute is required.
     Section 9.1 of this document names every class of this type as able to
     carry arbitrary binary strings, including malware, and requires
     implementations to prevent unintentional automated execution. Treat the
     content as untrusted input regardless of the declared dtype. -->
<xs:complexType name="ExtensionType" mixed="true">
  <xs:sequence>
    <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:attribute name="name" type="xs:string" use="optional"/>
  <xs:attribute name="dtype" type="iodef:dtype-type" use="required"/>
  <xs:attribute name="ext-dtype" type="xs:string" use="optional"/>
  <xs:attribute name="meaning" type="xs:string" use="optional"/>
  <xs:attribute name="formatid" type="xs:string" use="optional"/>
  <xs:attribute name="restriction" type="iodef:restriction-type" use="optional"/>
  <xs:attribute name="ext-restriction" type="xs:string" use="optional"/>
  <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
<!-- SoftwareType: optional software identifier, URLs and descriptions. All
     children are optional. -->
<xs:complexType name="SoftwareType">
  <xs:sequence>
    <xs:element ref="iodef:SoftwareReference" minOccurs="0"/>
    <xs:element ref="iodef:URL" minOccurs="0" maxOccurs="unbounded"/>
    <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>

<!-- SoftwareReference: identifies software in the scheme named by the
     required spec-name attribute. The body is an open wildcard (any
     namespace, lax validation), so its content is not checked by this
     schema and should be handled as untrusted input. -->
<xs:element name="SoftwareReference">
  <xs:complexType>
    <xs:sequence>
      <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <!-- NOTE(review): both type names below are unprefixed; they resolve only
         if the schema root (outside this excerpt) binds the default
         namespace to the IODEF target namespace. -->
    <xs:attribute name="spec-name" type="softwarereference-spec-name-type" use="required"/>
    <xs:attribute name="ext-spec-name" type="xs:string" use="optional"/>
    <xs:attribute name="dtype" type="softwarereference-dtype-type" use="optional"/>
    <xs:attribute name="ext-dtype" type="xs:string" use="optional"/>
  </xs:complexType>
</xs:element>

<!-- NOTE(review): Table 1 in Section 10.2 refers to this registry as
     "SoftwareReference-spec-id" with type "softwarereference-spec-id-type";
     the schema uses spec-name. One of the two names looks stale. -->
<xs:simpleType name="softwarereference-spec-name-type">
  <xs:restriction base="xs:NMTOKEN">
    <xs:enumeration value="custom"/>
    <xs:enumeration value="cpe"/>
    <xs:enumeration value="swid"/>
    <xs:enumeration value="ext-value"/>
  </xs:restriction>
</xs:simpleType>

<xs:simpleType name="softwarereference-dtype-type">
  <xs:restriction base="xs:NMTOKEN">
    <xs:enumeration value="bytes"/>
    <xs:enumeration value="integer"/>
    <xs:enumeration value="real"/>
    <xs:enumeration value="string"/>
    <xs:enumeration value="xml"/>
    <xs:enumeration value="ext-value"/>
  </xs:restriction>
</xs:simpleType>

<!--
 ===================================================================
 ==  Global attribute type declarations                           ==
 ===================================================================
-->
<!-- The enumerations below are the initial values of the IANA registries
     listed in Table 1 (Section 10.2). Section 9.1 expects implementations to
     consult those registries periodically, so a validator pinned to this
     schema will reject values registered later. -->
<xs:simpleType name="yes-no-unknown-type">
  <xs:restriction base="xs:NMTOKEN">
    <xs:enumeration value="yes"/>
    <xs:enumeration value="no"/>
    <xs:enumeration value="unknown"/>
  </xs:restriction>
</xs:simpleType>

<!-- Handling policy requested by the sender. Section 9.2 stresses that this
     is only a guideline: the recipient is free to ignore it, so it is not an
     access-control mechanism. white/green/amber/red are presumably Traffic
     Light Protocol colours; confirm against the information model.
     NOTE(review): Table 1 calls this type "iodef-restriction-type". -->
<xs:simpleType name="restriction-type">
  <xs:restriction base="xs:NMTOKEN">
    <xs:enumeration value="default"/>
    <xs:enumeration value="public"/>
    <xs:enumeration value="partner"/>
    <xs:enumeration value="need-to-know"/>
    <xs:enumeration value="private"/>
    <xs:enumeration value="white"/>
    <xs:enumeration value="green"/>
    <xs:enumeration value="amber"/>
    <xs:enumeration value="red"/>
    <xs:enumeration value="ext-value"/>
  </xs:restriction>
</xs:simpleType>

<xs:simpleType name="severity-type">
  <xs:restriction base="xs:NMTOKEN">
    <xs:enumeration value="low"/>
    <xs:enumeration value="medium"/>
    <xs:enumeration value="high"/>
  </xs:restriction>
</xs:simpleType>

<!-- Units for the TimeImpact-duration registry (Table 1). -->
<xs:simpleType name="duration-type">
  <xs:restriction base="xs:NMTOKEN">
    <xs:enumeration value="second"/>
    <xs:enumeration value="minute"/>
    <xs:enumeration value="hour"/>
    <xs:enumeration value="day"/>
    <xs:enumeration value="month"/>
    <xs:enumeration value="quarter"/>
    <xs:enumeration value="year"/>
    <xs:enumeration value="ext-value"/>
  </xs:restriction>
</xs:simpleType>

<!-- Values of the Expectation-action registry (Table 1). Several of them
     request operational changes (block-*, rate-limit-*, redirect-traffic).
     Section 9.1 notes that implementations may act on such requests and
     therefore must authenticate the sender before doing so. -->
<xs:simpleType name="action-type">
  <xs:restriction base="xs:NMTOKEN">
    <xs:enumeration value="nothing"/>
    <xs:enumeration value="contact-source-site"/>
    <xs:enumeration value="contact-target-site"/>
    <xs:enumeration value="contact-sender"/>
    <xs:enumeration value="investigate"/>
    <xs:enumeration value="block-host"/>
    <xs:enumeration value="block-network"/>
    <xs:enumeration value="block-port"/>
    <xs:enumeration value="rate-limit-host"/>
    <xs:enumeration value="rate-limit-network"/>
    <xs:enumeration value="rate-limit-port"/>
    <xs:enumeration value="redirect-traffic"/>
    <xs:enumeration value="honeypot"/>
    <xs:enumeration value="upgrade-software"/>
    <xs:enumeration value="rebuild-asset"/>
    <xs:enumeration value="harden-asset"/>
    <xs:enumeration value="remediate-other"/>
    <xs:enumeration value="status-triage"/>
    <xs:enumeration value="status-new-info"/>
    <xs:enumeration value="watch-and-report"/>
    <xs:enumeration value="defined-coa"/>
    <xs:enumeration value="other"/>
    <xs:enumeration value="ext-value"/>
  </xs:restriction>
</xs:simpleType>

<!-- Declared data type of an ExtensionType payload (ExtensionType-dtype
     registry, Table 1). The value is a label supplied by the sender; the
     schema does not check that the payload actually matches it. -->
<xs:simpleType name="dtype-type">
  <xs:restriction base="xs:NMTOKEN">
    <xs:enumeration value="boolean"/>
    <xs:enumeration value="byte"/>
    <xs:enumeration value="bytes"/>
    <xs:enumeration value="character"/>
    <xs:enumeration value="date-time"/>
    <xs:enumeration value="integer"/>
    <xs:enumeration value="ntpstamp"/>
    <xs:enumeration value="portlist"/>
    <xs:enumeration value="real"/>
    <xs:enumeration value="string"/>
    <xs:enumeration value="file"/>
    <xs:enumeration value="path"/>
    <xs:enumeration value="frame"/>
    <xs:enumeration value="packet"/>
    <xs:enumeration value="ipv4-packet"/>
    <xs:enumeration value="ipv6-packet"/>
    <xs:enumeration value="url"/>
    <xs:enumeration value="csv"/>
    <xs:enumeration value="winreg"/>
    <xs:enumeration value="xml"/>
    <xs:enumeration value="ext-value"/>
  </xs:restriction>
</xs:simpleType>
</xs:schema>
9. Security Considerations
The IODEF data model does not directly introduce security or privacy issues. However, as the data encoded by the IODEF might be considered sensitive by the parties exchanging it or by those described by it, care needs to be taken to ensure appropriate handling during the document construction, exchange, processing, archiving, subsequent retrieval, and analysis.

9.1. Security
The underlying messaging format and protocol used to exchange instances of the IODEF MUST provide appropriate guarantees of confidentiality, integrity, and authenticity. The use of a standardized security protocol is encouraged. The Real-time Inter-network Defense (RID) protocol [RFC6545] and its associated transport binding IODEF/RID over HTTP/TLS [RFC6546] provide such security.

An IODEF implementation may act on the data in the document. These actions might be explicitly requested in the document or the result of analytical logic that triggered on data in the document. For this reason, care must be taken by IODEF implementations to properly authenticate the sender and receiver of the document. The sender needs confidence that sensitive information and timely requests for action are sent to the correct recipient. The recipient may interpret the contents of the document differently based on who sent it or vary actions based on the sender.

While the sender of the document may explicitly convey confidence in the data in a granular way using the Confidence class, the recipient is free to ignore or refine this information to make its own assessment. Ambiguous Confidence elements (where it is unclear to which of a set of other elements the Confidence element relates) in a document MUST be ignored by the recipient.

Certain classes may require out-of-band coordination to agree upon their semantics (e.g., Confidence@rating="low" or DefinedCOA). This coordination MUST occur prior to operational data exchange to prevent the incorrect interpretation of these select data elements. When parsing these data elements, implementations should validate, when possible, that they conform to the agreed upon semantics. These semantics may need to be periodically reevaluated.

Executable content of various forms could be embedded into the IODEF document directly or through an extension. Implementations MUST handle this content with care to prevent unintentional automated execution.
The following classes are explicitly intended to represent content that might be executable:
o All classes of type iodef:ExtensionType and the RecordPattern class can represent arbitrary binary strings such as legitimate software programs or malware.

o The EmailMessage and EmailBody classes can represent email attachments that can contain arbitrary content.

o The DetectionPattern class could specify a machine-readable configuration that directs the execution of the corresponding tool.

Per Section 4.3, IODEF implementations will need to periodically consult the IANA registries specified in Section 10.2 to discover newly registered enumerated attribute values. These implementations MUST communicate with IANA in a way that ensures the integrity of the values and the authenticity of the source. HTTPS over TLS [RFC2818][RFC5246] provides such security.

9.2. Privacy
The IODEF contains numerous fields that are identifiers that could be linked to an individual or organization. IODEF documents may contain sensitive information about these identified parties; repeated document exchanges about the same and related parties may enable the correlation of data about them. Likewise, a party may report on another to a third party without their knowledge.

When creating an IODEF document, careful consideration must be given to what information is shared. Personal identifiers and attributable sensitive information should only be shared when necessary.

When exchanging documents, transport security MUST provide document-level confidentiality. XML element-level confidentiality can also be provided by using [W3C.XMLENC].

In order to suggest data processing and handling guidelines of the encoded information, the IODEF allows a document sender to convey a privacy policy using the restriction attribute. The various instances of this attribute allow different data elements of the document to be covered by dissimilar policies. While flexible, it must be stressed that this approach only serves as a guideline from the sender, as the recipient is free to ignore it.

Although outside of the scope of an IODEF implementation, the contents of IODEF documents and any derived analysis should be archived with appropriate confidentiality controls. Likewise, access to retrieve and analyze this data should be restricted to authorized users.
10. IANA Considerations
This document registers a namespace, an XML schema, and a number of registries that map to enumerated values defined in the data model. It also defines an Expert Review process for IODEF-related XML registry entries.

10.1. Namespace and Schema
This document uses URNs to describe an XML namespace and schema conforming to a registry mechanism described in [RFC3688].

Registration for the IODEF namespace:

o URI: urn:ietf:params:xml:ns:iodef-2.0

o Registrant Contact: See the author in the "Author's Address" section of this document.

o XML: None. Namespace URIs do not represent an XML specification.

Registration for the IODEF XML schema:

o URI: urn:ietf:params:xml:schema:iodef-2.0

o Registrant Contact: See the first author of the "Author's Address" section of this document.

o XML: See Section 8 of this document.

10.2. Enumerated Value Registries
This document creates 34 identically structured registries to be managed by IANA:

o Name of the parent registry: "Incident Object Description Exchange Format v2 (IODEF)"

o URL of the registry: <http://www.iana.org/assignments/iodef2>

o Namespace format: A registry entry consists of:

  * Value. A value for a given IODEF attribute. It MUST conform to the formatting specified by the IODEF ENUM data type which is implemented as an "xs:NMTOKEN" type per Section 3.3.4 of [W3C.SCHEMA.DTYPES]. The value SHOULD conform to the convention specified in Section 5.2.

  * Description. A short description of the enumerated value.

  * Reference. An optional list of URIs to further describe the value.

o Allocation policy: Expert Review per [RFC5226]. This reviewer will ensure that the requested registry entry conforms to the prescribed formatting. The reviewer will also ensure that the entry is an appropriate value for the attribute per the information model (Section 3).

The registries to be created are named in the "Registry Name" column of Table 1. Each registry is initially populated with values and descriptions that come from an attribute specified in the IODEF schema (Section 8) whose description is found in a sub-section of the information model (Section 3). The initial values for the Value and Description fields of a given registry are listed in the "IV (Value)" and "IV (Desc.)" columns, respectively. The "IV (Value)" points to a given schema type per Section 8. Each enumerated value in the schema gets a corresponding entry in a given registry. The "IV (Desc.)" points to a section in the text of this document that describes each enumerated value. The initial value of the Reference field of every registry entry described below should be this document.
+-------------------------+-----------------------------+-----------+
| Registry Name | IV (Value) | IV |
| | | (Desc.) |
+-------------------------+-----------------------------+-----------+
| Restriction | iodef-restriction-type | 3.3.1 |
| | | |
| Incident-purpose | incident-purpose-type | 3.2 |
| | | |
| Incident-status | incident-status-type | 3.2 |
| | | |
| Contact-role | contact-role-type | 3.9 |
| | | |
| Contact-type | contact-type-type | 3.9 |
| | | |
| RegistryHandle-registry | registryhandle-registry- | 3.9.1 |
| | type | |
| | | |
| PostalAddress-type | postaladdress-type-type | 3.9.2 |
| | | |
| Telephone-type | telephone-type-type | 3.9.4 |
| | | |
| Email-type | email-type-type | 3.9.3 |
| | | |
| Expectation-action | action-type | 3.15 |
| | | |
| Discovery-source | discovery-source-type | 3.10 |
| | | |
| SystemImpact-type | systemimpact-type-type | 3.12.1 |
| | | |
| BusinessImpact-severity | businessimpact-severity- | 3.12.2 |
| | type | |
| | | |
| BusinessImpact-type | businessimpact-type-type | 3.12.2 |
| | | |
| TimeImpact-metric | timeimpact-metric-type | 3.12.3 |
| | | |
| TimeImpact-duration | duration-type | 3.12.3 |
| | | |
| Confidence-rating | confidence-rating-type | 3.12.5 |
| | | |
| NodeRole-category | noderole-category-type | 3.18.2 |
| | | |
| System-category | system-category-type | 3.17 |
| | | |
| System-ownership | system-ownership-type | 3.17 |
| | | |
| Address-category | address-category-type | 3.18.1 |
| | | |
| Counter-type | counter-type-type | 3.18.3 |
| | | |
| Counter-unit | counter-unit-type | 3.18.3 |
| | | |
| DomainData-system- | domaindata-system-status- | 3.19 |
| status | type | |
| | | |
| DomainData-domain- | domaindata-domain-status- | 3.19 |
| status | type | |
| | | |
| RecordPattern-type | recordpattern-type-type | 3.22.2 |
| | | |
| RecordPattern- | recordpattern-offsetunit- | 3.22.2 |
| offsetunit | type | |
| | | |
| Key-registryaction | key-registryaction-type | 3.23.1 |
| | | |
| HashData-scope | hashdata-scope-type | 3.26 |
| | | |
| BulkObservable-type | bulkobservable-type-type | 3.29.3.1 |
| | | |
| IndicatorExpression- | indicatorexpression- | 3.29.4 |
| operator | operator-type | |
| | | |
| ExtensionType-dtype | dtype-type | 2.16 |
| | | |
| SoftwareReference-spec- | softwarereference-spec-id- | 2.15.1 |
| id | type | |
| | | |
| SoftwareReference-dtype | softwarereference-dtype- | 2.15.1 |
| | type | |
+-------------------------+-----------------------------+-----------+

Table 1: IANA Enumerated Value Registries

10.3. Expert Review of IODEF-Related XML Registry Entries
IODEF class extensions, per Section 5.2, could register their namespaces and schemas with the IANA XML namespace ("ns" on <http://www.iana.org/assignments/xml-registry/>) and schema registries ("schema" on <http://www.iana.org/assignments/xml-registry/>) described in [RFC3688]. In addition to any reviews required by IANA, changes to the XML "schema" registry for schema names beginning with "urn:ietf:params:xml:schema:iodef" are subject to an additional IODEF Expert Review [RFC5226] to ensure compatibility with IODEF and other existing IODEF extensions.
The IODEF expert(s) for these reviews will be designated by the IETF Security Area Directors. This document obsoletes [RFC6685].