[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [cacao-comment] comments on security-playbooks-v1.0-csd01.docx
Hi Jordan. Mi comments inline BR, ÂÂÂÂÂÂÂÂÂÂÂÂÂÂ Juan From: cacao-comment@lists.oasis-open.org <cacao-comment@lists.oasis-open.org> On Behalf Of Bret Jordan Hello Juan, Thank you for your comments and review of the document. The way you have sent your comments is great. 1) Yes, in section 2.3 it would be good to have a vocab, but we were not sure what the entries should be or if there was an existing vocab that we could just use. If you know of one, or if you know of additional entries we should include, please let us know so we can add them. [Postlbauer, Juan] . https://enterpriseintegrationlab.github.io/icity/Contact/doc/index-en.html has âhomeâ , âofficeâ and âcottageâ for addresses. And for phones it defines Home, Work, Cell, Fax and TollFree 2) Someone can correct my grammar if I am wrong, but I believe in section 2.4 it is correct when it says "MUST only contain the characters" where characters are plural, and then we define in the list the type of characters that can be used. So yes, you can have multiple underscores in a key name.[Postlbauer, Juan] ÂI would then remove the âanâ: â..numerals 0-9, and underscore (_) 3) In 2.5 for the hash type. Yes, that is a potential problem. But then there is also the problem of support a bunch of hash types that other people do not understand. It is a trade off between useability and futureproofing. I am not sure which way is right. In the STIX world we went too far in the other direction and thus made a mess of things. So here we were trying to make it easier to implement. But your point is very valid. Maybe we add a hash_type but require it to be SHA256 for this version of the spec, or SHA512. Thoughts???[Postlbauer, Juan] ÂMakes all sense to me. In ETSI specs there is also a closed of list of allowed algos 4) For 2.6, how should we fix this?[Postlbauer, Juan] ÂInclude -180.0 but exclude +180.0 (or the other way around) 5) For 5.1 yeah it might be good to keep things in the same tense and form. I am not tied to complete and completion could be a good option. Is there a better word choice? 6) For 7.8. That is great. Can you propose something that would address this? [Postlbauer, Juan] ÂI would provide a string field specifying the type of authentication (e.g Password, OAuth2, Certificate). And then a dictionary with the parameters (and the valid keys in this dictionary depend on the authentication type ). ÂSo a sample value could be: [Postlbauer, Juan] Â authentication_type=âOAUTH2â authentication_parameters: { ÂÂÂÂÂÂÂÂÂÂÂÂÂÂ clientId=âxxxxâ ÂÂÂÂÂÂÂÂÂÂÂÂÂÂ clientPassword=âyyyyâ ÂÂÂÂÂÂÂÂÂÂÂÂÂÂ tokenEndpoint=âhttps://whatever.it.is/the/endpointâ ÂÂÂÂÂÂÂÂÂÂÂÂÂÂ } 7) For 7.9, good point. That was an oversight from a copy-paste. Thanks, Bret PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." On Wed, Sep 9, 2020 at 11:02 AM Postlbauer, Juan <jpc@hpe.com> wrote:
|
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]