Incident Handling BOF (inch)

Thursday, March 21 at 0900-1130
================================

CHAIR:	Roman Danyliw <rdd@cert.org>

MAILING LIST
===========================
Post: inch@nic.surfnet.nl
Archive: http://listserv.surfnet.nl/archives/inch.html
Subscribe: send mail to listserv@nic.surfnet.nl
          with "subscribe inch <first name> <last name>" in the body



AGENDA
===========================


1. Agenda Bashing, Introduction, Minutes Taker - Roman Danyliw - 5 min.


2. INCH Status Report - Roman - 5 min.


3. Terena IODEF Working Group Status Report - Jan Meijer - 15 min


4. Discuss requirement document (RFC 3067, new requirements) - 30 min


5. Discuss data model document (IODEF, high-level data elements) - 45 min


6. Discussions and Plans for the Future - 15 min



DESCRIPTION
===========================


== Introduction


Computer security incidents occur across administrative domains, often spanning different organizations and national borders.  Therefore, the free exchange of incident information and statistics among the involved parties and the responsible Computer Security Incident Response Teams (CSIRTs) is crucial both for reactive analysis of current intruder activity and for proactive identification of trends that can lead to incident prevention.


The purpose of the proposed Incident Handling (inch) working group is to define data formats for communication between


 * a CSIRT and its constituency (e.g., users, customers, trusted
   reporters) which reports system misuse;


 * a CSIRT and parties involved in an incident investigation (e.g., law
   enforcement, attacking site); and


 * collaborating CSIRTs sharing information.


== Output of the (proposed) WG


There are several outputs of the proposed working group:


 1. A document describing the high-level functional requirements of a data
    format for collaboration between CSIRTs and parties involved when
    handling computer security incidents.


 2. A specification of the extensible incident data language that
    describes the data formats satisfying the requirements.


 3. Guidelines for implementing the WG data format (Output #2 of the WG).


 4. A set of sample incident reports and their associated representation in
    the incident data language.


== BOF Purpose


After IETF 52, consensus was reached on a charter for the scope of an INCH working group, and this document has been submitted to the AD (and the IESG).  The minutes of the IETF 52 INCH BOF can be found here:


 <http://listserv.surfnet.nl/scripts/wa.exe?A2=ind01&L=inch&F=&S=&P=142>


The full text of this charter can be found here:


 <http://listserv.surfnet.nl/scripts/wa.exe?A2=ind02&L=inch&F=&S=&P=44>


IETF 53 is the second INCH BOF, during which the related work of the Terena IODEF-WG (see [1] [2]) will be evaluated as the starting point for the INCH deliverables.



REFERENCES
===========================


[1] <http://www.ietf.org/rfc/rfc3067.txt>


[2] <http://www.terena.nl/task-forces/tf-csirt/iodef/docs/draft-terena-iodef-xml-005-final.txt>