36th IETF, Montreal, Canada. - June 1996
Guidelines and Recommendations for Incident Processing (GRIP)
The GRIP working group met once during the Montreal IETF.
The group began by reviewing the Stoughton comments. The discussion
notes for each comment are given below.
The group next discussed the comments from Peter Kossakowski.
- Distinguish between SIRTs and government organizations such as
compute crime units
The purpose of the document will be clarified so that it is clear
this document in not intended for law enforcement organizations such
as the computer crime unit.
- Include a completed template as an example
There was concern expressed that if we write an example template it
must not become outdated quickly. Anne Bennett will approach her
management and determine if they will support her developing the
- Other changes suggested:
- Replace the wording in the introduction: The group decided to
keep the original wording instead of using the suggested
- The definition of constituency was questioned: The group decided
to keep the existing wording but add "users" within the text
in addition to terms such as clients and site.
- The definition of a security incident was questioned: The
definition was expanded to include threats (unsuccessful
attacks) as well as actual compromises.
- Consider adding additional text concerning law enforcement
agencies: The group considered the proposed text but decided
that it should not be added.
It was noted that we need to ping Jeff Schiller for the text he promised.
This text concerns a method of securely publicizing which other response teams
you (the described response team) are working with and trust.
- Public policy or operation: This text was modified to use "services
provided by" instead of "operation."
- Selection of SIRT: This was replaced with "interacting with" because
an organization may not have a choice which SIRT it works with. Text
was added to point out that this information should be useful in making
- The names of the topics and their order within the body need to be
made consistent with their names and order within the template.
- The use of the term "integrity" was questioned. The text will be
modified to make it clearer and to eliminate the controversy.
- It was noted that a number of editorial changes will be handled
directly by the document editor.
- It was noted that a central repository for templates may not be
practical. A pointer to the appendix will be added.
General comments which were made during the meeting
- The template may include more information than a site is willing to
give away. Eric Guttman will rewrite portions of text to make a
distinction between what the team "may" do and what they "should" do.
- The term "PGP" will be replaced with a more generic reference to
secure e-mail. Other references to PGP within the text will be
- It was noted that the document needs to distinguish between how to
securely communicate with the SIRT and which response team you trust.
- Generalize "PGP Public Key" with a term which is appropriate for
other public key mechanisms.
- Make it clear that listing the names of team members is an option.
It may not be wise to give out information about team members because
it could bring them unwanted attention.
- The disclosure of information on the template was discussed. The
template should be expanded to make it clear what will be exposed to
whom. For example, what information will be given to the victim and
what information will be given to others. Change the term "sites" to
- The internal reference to the document title will be removed.
- paragraph 4.2.2 was deemed an operational detail and will be removed
from the document.
Anne Bennett will determine if she can create the updated template. Ann
will provide the chair, Barb Fraser, with an answer within 2 weeks.
Members of the mailing list should review the documents from the point
of view of the constituency. Comments should be submitted to the list
no later than October 1.
The group discussed creating other documents (a guide for ISPs) but the
tasks was deferred because the group may not have the time or energy to
The mailing list is:
Archives are setup in the US and Europe:
Access to the GRIP charter and minutes is possible via World Wide Web, too.
- Subscription: email@example.com
Please send questions, comments, and/or suggestions regarding the
GRIP working group to the open mailing list
All issues regarding these web pages should be directed to
These pages are hosted on http://www.kossakowski.de
and are provided on an "AS IS" basis without any explicite or implicite
responsibility, liability, etc. (For a more fully understanding please refer
to the legal statements within the Impressum,
which is only available in German.)