Dear all,
We are pleased to announce IDMEFv2 V08 Draft with a lot of improvements.
https://datatracker.ietf.org/doc/draft-lehmann-idmefv2
(V07 was submitted last month but was too buggy, so please jump to V08)
Major changes:
- We ultimately abandoned the vector class. Following feedback from ENG, we tried to clarify the difference between vector and source, and in several cases, especially for physical incidents, it’s complicated. Furthermore, the vector is often used for analysis, not detection.
- Complete redesign of most enumerations, especially alert.type with lots of new categories.
- Long enumerations have been moved to an appendix to ease draft reading
- A few modifications for incident reporting use cases: new incident statuses (open, closed, falsepositive and reported), source and target categories, an EntitySector attribute and a new ReportTime attribute
- Minor modifications: some IDs changed to optional, typos, etc.
Next modifications:
- Add message Signature attributes (based on RFC 7515: JSON Web Signature (JWS))
- Defining a way to deal with Source and Target identification for K8S incidents (without new attributes …)
- Defining a new extension mechanism inspired by public and private MIBs (the first one should be to externalize some Report attributes and create a “Report” extension)
Next steps:
- 2026 May-June: A massive communication effort starts to inform potential end users: defence, regulation, CERTs, etc.
- 2026 End of July: We plan to be present at IETF 126 in Vienna to start talking about submission (so we need some sponsoring before that)
- 2026 September: We plan to submit the draft in September, so there will probably be several versions before then
Keep testing and experimenting!
IDMEFv2 Task Force