Hi,
thoughts about https://github.com/certtools/ieps/tree/main/004
== which events are equal?
As this is about an exchange format between IntelMQ instances, someone could easily define how a hash of the event data is calculated (as it is identical code everywhere). This is the same as defining what equality means.
This way no "universally unique identifier" needs to be invented or transferred. Thereby avoiding the danger that the same event gets several fresh random ids because of race conditions. (Example: two IntelMQ instances have the same feed and both receive the same event before having talked about it.)
(If you actually end up using a hash, don't call it UUID. :) ) BTW: The concept of hierarchy (like the hash trees in SCMs) is not entirely clear to me. Is this about one instance stating that it has seen this part of the metadata from the other instance?
== Do instances trust each other fully?
Shouldn't a concept about event exchange include a consideration of trust of the instances? While I believe there are very good relations between many CERT organisations, the trust in instances they or others may run is not endless. (Example: An IntelMQ server gets compromised, e.g. by a previously unknown hardware defect, and the attackers want to obstruct the network. They enter bad metadata and may want to achieve that some CERTs do not get some events. Okay, far-fetched.)
In my imagination it makes sense that each instance will have its own set of sources, and this may contain a different piece of info than the others (like a restricted national feed), and it may only like to share a part of this info.
Regards, Bernhard ps.: Thanks for putting the IEPs up with markdown rendering, reads much better. :)
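The content-hash-as-identity idea from the first section, as a worked example. This is added illustration, not code from IEP 004 or from IntelMQ itself: the field names follow IntelMQ's flat dotted-key event layout, but the choice of which fields are "instance-local" and therefore excluded from the hash (`time.observation`, `feed.*`, `raw`) is an assumption made here, as are the sample events. Two instances that receive the same event from the same feed, with different observation times and key order, derive the same id without ever talking to each other; a genuinely different event gets a different id.

```python
import hashlib
import json

# Fields that describe how *this instance* obtained the event rather than the
# event itself. They legitimately differ between two instances that pull the
# same feed, so they must not feed into the identity hash.
# ASSUMPTION for this example: not a field set defined by IEP 004.
INSTANCE_LOCAL_FIELDS = frozenset({
    "time.observation",
    "feed.name",
    "feed.url",
    "feed.accuracy",
    "raw",
})


def canonical_bytes(event: dict, ignore: frozenset = INSTANCE_LOCAL_FIELDS) -> bytes:
    """Deterministic serialisation of a flat IntelMQ-style event.

    sort_keys makes key order irrelevant; fixed separators and ensure_ascii
    remove the remaining json.dumps degrees of freedom. Every instance has to
    use exactly these settings, otherwise equal events hash differently.
    """
    payload = {k: v for k, v in event.items() if k not in ignore}
    return json.dumps(
        payload, sort_keys=True, separators=(",", ":"), ensure_ascii=False
    ).encode("utf-8")


def event_hash(event: dict, ignore: frozenset = INSTANCE_LOCAL_FIELDS) -> str:
    """Identity of an event = SHA-256 over its canonical, instance-independent form."""
    return hashlib.sha256(canonical_bytes(event, ignore)).hexdigest()


def events_equal(a: dict, b: dict, ignore: frozenset = INSTANCE_LOCAL_FIELDS) -> bool:
    """Equality is *defined* by the hash: same canonical content, same event."""
    return event_hash(a, ignore) == event_hash(b, ignore)


def deduplicate(events, ignore: frozenset = INSTANCE_LOCAL_FIELDS) -> dict:
    """Map hash -> first event carrying that hash, in arrival order.

    Later copies (e.g. the same event arriving from a peer instance) are dropped
    without any coordination, because both sides computed the same id.
    """
    seen: dict = {}
    for ev in events:
        seen.setdefault(event_hash(ev, ignore), ev)
    return seen


# Constructed sample events (not real feed data). Instance A and instance B
# pulled the same report from the same upstream feed independently.
INSTANCE_A_EVENT = {
    "source.ip": "192.0.2.10",
    "classification.type": "c2-server",
    "time.source": "2023-05-01T10:00:00+00:00",
    "feed.name": "shared-feed-as-seen-by-A",
    "time.observation": "2023-05-01T10:00:03+00:00",
    "raw": "bGluZSBmcm9tIEEK",
}
INSTANCE_B_EVENT = {
    # same event, different key order and different instance-local fields
    "time.observation": "2023-05-01T10:00:09+00:00",
    "feed.name": "shared-feed-as-seen-by-B",
    "classification.type": "c2-server",
    "time.source": "2023-05-01T10:00:00+00:00",
    "source.ip": "192.0.2.10",
    "raw": "bGluZSBmcm9tIEIK",
}
OTHER_EVENT = dict(INSTANCE_A_EVENT, **{"source.ip": "192.0.2.11"})


if __name__ == "__main__":
    print("A:", event_hash(INSTANCE_A_EVENT))
    print("B:", event_hash(INSTANCE_B_EVENT))
    print("other:", event_hash(OTHER_EVENT))
    print("A == B:", events_equal(INSTANCE_A_EVENT, INSTANCE_B_EVENT))
    print("unique events:", len(deduplicate([INSTANCE_A_EVENT, INSTANCE_B_EVENT, OTHER_EVENT])))
```

Two things the hash makes explicit rather than solving: first, the set of excluded fields *is* the equality definition (dropping `time.observation` means two observations of the same indicator at different times are one event, which may or may not be wanted); second, the hash is only as stable as the values are canonical, so IP address formatting, timezone normalisation of `time.source` and similar must be settled before hashing, on every instance, or the race-free property is lost. And, as the mail says, a 64-hex-digit SHA-256 is not a UUID; don't name it one.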