I have been involved in several discussions about OpenC2 and this is an attempt to organize some thoughts, document them, and solicit feedback from the wider community.
One issue we need to address is documenting the overall structure of the documentation for OpenC2. I don't know if this is a separate document, a webpage, or included in each document.
I'm not sure of the correct words to propose so I'm going to explain by giving examples as background and then I'll discuss the document structure issue.
Example 1:
Let's say I would like to develop some open source software (which I do) for the first use case I submitted (
https://github.com/oasis-tcs/openc2-usecases/blob/master/sFractalConsulting/01.another_user.md) and I would like to send an openc2 command from SO3 to FW5. For my example I would like FW5 to be an AWS NACL stateless packet filter and I would like SO3 to interface using a HTTPS API. I would like to write the software that would terminate on the Amazon side of the interface. It would start out 'just mine' but would be submitted to be part of the AWS opensource projects to provide an 'official' OpenC2 interface to AWS NACL's should Amazon agree to the pull request.
I believe there are 3 different specifications we are drafting that are applicable.
- the OpenC2 Language Specification
- the OpenC2 HTTPS API Transport Specification
- the OpenC2 stateless packet filter Actuator Profile Specification.
Example 2:
As further background to point I'll eventually make, let's assume AT&T wants to do similar with the second use case they submitted (
https://github.com/oasis-tcs/openc2-usecases/blob/master/ATT/02.allow.md) also for AWS NACL's, but in their case using OpenDxl pub/sub transport and assume we were to create a OpenDxl transport specification (I'll cover the case where we don't later). For their example the 3 specifications would be:
- the Language Specification
- the OpenC2 OpenDxl Transport Specification
- the stateless packet filter Actuator Profile Specification.
Example 3:
Example 3 is just Example 2 where AT&T uses OpenDxl but the OpenC2 TC decides that there can only be one OpenC2 pubsub transport (I hope they don't, but this is for illustrative purposes) and TC chose OpenDDS over OpenDxl because McAfee hasn't actually made OpenDxl 'open'. In this case the software could be compatible with:
- the Language Specification
- the stateless packet filter Actuator Profile Specification
but would not be compatible with a transport specification.
Examples 4 & 5:
I apologize but I have not filled in
https://github.com/oasis-tcs/openc2-usecases/blob/master/sFractalConsulting/11.deception.md but I will. In this case several security functions are involved and the technology (either cymmetria or attivo) has one OpenC2 Consumer that integrates several OpenC2 Actuator Profiles. Assume for illustrative purposes that we'd standardized all the actuator profiles for Attivo (example 4) and some, but not all, of the actuator profiles for Cymmetria (example 5).
The example 4 specifications are:
- the OpenC2 Language Specification
- the OpenC2 HTTPS API Transport Specification
- the OpenC2 deception1 (assume we have real functions) Actuator Profile Specification
- the OpenC2 deception2 Actuator Profile Specification
- the OpenC2 deception3 Actuator Profile Specification
The example 5 specifications are:
- the OpenC2 Language Specification
- the OpenC2 HTTPS API Transport Specification
- the OpenC2 deception1 Actuator Profile Specification
- the OpenC2 deception4 Actuator Profile Specification
- an Cymmetria-provided deception5 Actuator Profile Specification that "extends" a new security function
If I put myself in the shoes of someone not as involved as I've been, I do not think we do a good job of explaining how the documents interact and that all these examples are valid. It's also not clear to me whether we need another document that is provided by the implementer of the device in each example (an device profile?) that specifies what transport and actuator profiles (including extensions) a given device (using term to mean either physical or virtual device) supports. I think this is a very important issue because (1) there are more security professionals that are NOT intimately involved in OpenC2 and (2) for the foreseeable future there will be more 'extensions' than there are 'standard' actuator profiles.
The questions for discussion are:
1) does the above make sense as valid examples of how the specifications go together?
2) should there be something explaining the overall structure? If so, webpage or separate document or in each document?
3) does concept of 'device profile' make sense? If so, do we (ie Implementation SC) need to make a document on what an implementer needs to include (ie how to make a device profile)? Should we write a spec on 'formatting' a device profile (eg it's a json data structure ...)
Duncan Sparrell
sFractal Consulting LLC
iPhone, iTypo, iApologize