Subject: Comments for OpenC2 Architecture Specification v1.0 CSD02


TC,

I wanted to share a few things I noticed when reviewing the document. Good job on getting the document to this stage!


SHA Security Hash Algorithm
should be Secure Hash Algorithms

User Datagram Control Protocol
should be User Datagram Protocol


Consider emphasizing this statement, I know I tripped on it in some early APs:
The available set of actions for creating OpenC2 commands is limited to those defined in the Language Specification in order to encourage commonality and interoperability of implementations.


The section on authentication should be more detailed or more prescriptive; we should probably have a conformance section for it. My read of it is that authentication is an exercise left to the reader without a lot of specific guidance even though it is a MUST. Certainly, the threat model would be greatly affected by authentication. I know in the past something along the lines of using JWT was brought up.

As far as active attacks, compromise or breach of a producer system (esp.) should be noted. Leaving a producer exposed to the Internet at large (or maybe even the whole company network) would significantly increase one's risk of an attacker being able to issue (or stop issuance of) commands given the pace of vulnerabilities and misconfigurations.

In B.4.2 it isn't exactly clear what constitutes out-of-band. Often this means a dedicated physical network solely for management requiring physical access and no remote access. If this is the idea, then maybe it should be stated.

However, that is probably not the most common implementation due to high cost and issues arising when something goes wrong such as having to drive in or support some very remote device. More often, a network is managed via a firewall with a default deny all. However, that makes the network more like any other network an organization manages and increases risk, esp. as network A has a path to network B which has a path to ...

Those are my thoughts and overall the document is very informative and a nice short read.

Sincerely,

Alex Everett
University of North Carolina at Chapel Hill
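The message above asks for the authentication section to be made concrete and mentions JWT as one option that had been raised. The following is an added example, not part of the original email and not code from the OpenC2 TC: a consumer-side check that refuses to act on an OpenC2 command unless it arrives as a signed, short-lived HS256 JWT from an allow-listed producer. HS256 signing and verification are written out with the standard library so the block runs offline; the shared secret, the issuer names and the command body (an OpenC2-style `action`/`target` object against a documentation address range) are constructed values. Production deployments would use a maintained JWT library and per-producer keys, but the checks shown (pin the algorithm, verify the signature in constant time before trusting any claim, require a known issuer, enforce a short expiry) are the ones that bound the damage when a producer is exposed or a token is captured, which is the risk the second comment raises.

```python
import base64
import hashlib
import hmac
import json
import time

# Status codes modelled on the HTTP-style codes OpenC2 responses use.
OK, BAD_REQUEST, UNAUTHORIZED = 200, 400, 401


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def sign_command(command: dict, key: bytes, issuer: str, ttl_s: int = 60, now=None) -> str:
    """Producer side: wrap an OpenC2 command in an HS256 JWT with a short lifetime."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, "iat": now, "exp": now + ttl_s, "openc2": command}
    signing_input = f"{_b64url(_compact_json(header))}.{_b64url(_compact_json(payload))}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_command(token: str, key: bytes, trusted_issuers, now=None):
    """Consumer side: return (status, command) on success or (status, reason) on rejection.

    Nothing in the token is trusted until the signature has been checked, and the
    algorithm is pinned rather than taken from the header.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return BAD_REQUEST, "malformed token"
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
    except ValueError:
        return BAD_REQUEST, "undecodable header or signature"
    if header.get("alg") != "HS256":
        return UNAUTHORIZED, "unexpected alg"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return UNAUTHORIZED, "bad signature"
    try:
        payload = json.loads(_b64url_decode(p))
    except ValueError:
        return BAD_REQUEST, "undecodable payload"
    if payload.get("iss") not in trusted_issuers:
        return UNAUTHORIZED, "untrusted issuer"
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return UNAUTHORIZED, "expired"
    if "openc2" not in payload:
        return BAD_REQUEST, "no command in token"
    return OK, payload["openc2"]


if __name__ == "__main__":
    # Constructed values: shared secret, producer name and a deny command on a documentation range.
    key = b"constructed-shared-secret-do-not-reuse"
    command = {"action": "deny", "target": {"ipv4_net": "198.51.100.0/24"}}
    token = sign_command(command, key, issuer="producer-1", ttl_s=60)
    print(verify_command(token, key, trusted_issuers={"producer-1"}))
    print(verify_command(token, b"wrong-key", trusted_issuers={"producer-1"}))
```

A consumer that only exposes `verify_command` to its transport layer has a single place where the authentication conformance requirement is enforced, which is what a conformance section could point at; the tuple return keeps the OpenC2 status code separate from the reason string so that the reason can be logged locally without being echoed back to an unauthenticated sender.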

