36th IETF, Montreal, Canada - June 1996
Guidelines and Recommendations for Incident Processing (GRIP)
The GRIP working group met once during the Montreal IETF.
Discussion
The group began by reviewing the Stoughton comments. The discussion
notes for each comment are given below.
- Distinguish between SIRTs and government organizations such as
computer crime units
The purpose of the document will be clarified so that it is clear
this document is not intended for law enforcement organizations such
as the computer crime unit.
- Include a completed template as an example
There was concern expressed that if we write an example template it
must not become outdated quickly. Anne Bennett will approach her
management and determine if they will support her developing the
example template.
- Other changes suggested:
- Replace the wording in the introduction: The group decided to
keep the original wording instead of using the suggested
replacement text.
- The definition of constituency was questioned: The group decided
to keep the existing wording but add "users" within the text
in addition to terms such as clients and site.
- The definition of a security incident was questioned: The
definition was expanded to include threats (unsuccessful
attacks) as well as actual compromises.
- Consider adding additional text concerning law enforcement
agencies: The group considered the proposed text but decided
that it should not be added.
The group next discussed the comments from Peter Kossakowski.
- Public policy or operation: This text was modified to use "services
provided by" instead of "operation."
- Selection of SIRT: This was replaced with "interacting with" because
an organization may not have a choice which SIRT it works with. Text
was added to point out that this information should be useful in making
a selection.
- The names of the topics and their order within the body need to be
made consistent with their names and order within the template.
- The use of the term "integrity" was questioned. The text will be
modified to make it clearer and to eliminate the controversy.
- It was noted that a number of editorial changes will be handled
directly by the document editor.
- It was noted that a central repository for templates may not be
practical. A pointer to the appendix will be added.
It was noted that we need to ping Jeff Schiller for the text he promised.
This text concerns a method of securely publicizing which other response teams
you (the described response team) are working with and trust.
General comments which were made during the meeting
- The template may include more information than a site is willing to
give away. Eric Guttman will rewrite portions of text to make a
distinction between what the team "may" do and what they "should" do.
- The term "PGP" will be replaced with a more generic reference to
secure e-mail. Other references to PGP within the text will be
modified.
- It was noted that the document needs to distinguish between how to
securely communicate with the SIRT and which response team you trust.
- Generalize "PGP Public Key" with a term which is appropriate for
other public key mechanisms.
- Make it clear that listing the names of team members is an option.
It may not be wise to give out information about team members because
it could bring them unwanted attention.
- The disclosure of information on the template was discussed. The
template should be expanded to make it clear what will be exposed to
whom. For example, what information will be given to the victim and
what information will be given to others. Change the term "sites" to
"parties."
- The internal reference to the document title will be removed.
- Paragraph 4.2.2 was deemed an operational detail and will be removed
from the document.
Next Steps
Anne Bennett will determine if she can create the updated template. Anne
will provide the chair, Barb Fraser, with an answer within 2 weeks.
Members of the mailing list should review the documents from the point
of view of the constituency. Comments should be submitted to the list
no later than October 1.
The group discussed creating other documents (a guide for ISPs), but the
task was deferred because the group may not have the time or energy to
complete them.
Administrivia
The mailing list is:
- grip-wg
- Subscription: grip-wg-request@uu.net
Archives are set up in the US and Europe:
Access to the GRIP charter and minutes is possible via World Wide Web, too.
Please send questions, comments, and/or suggestions regarding the
GRIP working group to the open mailing list
grip-wg@uu.net.