sacmwg / draft-ietf-sacm-terminology

SACM terminology aligned with best practice definitions, standard references, and terminology definitions of other work groups

Need to clarify "attribute" vs. "posture attributes" #67

Open adammontville opened 6 years ago

adammontville commented 6 years ago

attribute: "Is a data element, as defined in RFC5209, that is atomic."

posture attributes: "Defined in RFC5209 as 'attributes describing the configuration or status (posture) of a feature of the endpoint. A Posture Attribute represents a single property of an observed state. For example, a Posture Attribute might describe the version of the operating system installed on the system.'"

Perhaps we simply make "posture attributes" singular, then define attribute as "see posture attribute"?

henkbirkholz commented 6 years ago

Another way to resolve this is to get rid of posture attribute. I am starting to slightly favor that approach.

Wrt Adam's proposal, attributes would be a synonym for posture attributes and we would have to merge the complete information element semantics into that definition (which would limit the definition of information elements to "security posture", I suppose, and that would be incorrect).

Actually, I start to think that posture attribute is an artifact from the very beginning that we did not dare to throw out yet.

adammontville commented 6 years ago

I am left wondering whether you agree or disagree with the proposal :-) And what your alternate proposal is. If I had to guess, I would say that you roughly agree with the issue, but would propose to remove posture attributes from the terminology altogether. Is that correct?

adammontville commented 6 years ago

@henkbirkholz (and others), do you have any further opinion, or at least a clarification on your most recent comment?

cmschmidt commented 6 years ago

In doing the review for SWIMA I noted that the definition of "attribute" appears internally inconsistent.

SACM states: "attribute: Is a data element, as defined in RFC5209, that is atomic. In the context of SACM, attributes are 'atomic' information elements and an equivalent to attribute-value-pairs."

RFC 5209 (the NEA Architecture) states "Attribute - Data element including any requisite meta-data describing an observed, expected, or the operational status of an endpoint feature (e.g., anti-virus software is currently in use). Attributes are exchanged as part of the NEA protocols (see section 5.2)."

The bottom line is that, by my reading, "attribute" as used by SACM is a single piece of information, such as might be conveyed in a single name-value-pair. Attribute as used by NEA is a multi-field structure meant to convey information about a single subject via multiple related pieces of information. In particular, a SWIMA attribute can contain a couple dozen fields including timestamps, software locations, software unique ID, software record unique ID, software record, and other things. This use is consistent with the NEA use of attribute, but not with the SACM use of attribute. (At least as I understand it.)

I have no problem with SACM defining "attribute" to mean an atomic piece of information, but if we go that route we should remove the reference to RFC 5209.