From: Bernhard Reiter bernhard@intevation.de, Date: Apr 22, 2021
== Do instances trust each other fully?
Shouldn't a concept about event exchange include a consideration of trust of the instances? While I believe there are very good relations between many CERT organisations, the trust of instances they or others may run is not endless. (Example: An IntelMQ server gets compromised, e.g. by a previously unknown hardware defect, and the attackers want to obstruct the network. They enter bad metadata and may want to achieve that some CERTs do not get some events. Okay, far fetched.)
In my imagination it makes sense that each instance will have its own set of sources, and this may have a different piece of info than the others (like a restricted national feed), and it may only like to share a part of this info.
There are multiple facets of trust in this field, all with their own possible set of solutions and cans of worms. :)
1, How do we trust the detection method or external source of the data? (Aka possible ratio of false positives or malfunction.)
2, How do we trust the fellow peer org for the data they produce? (Similar to 1 in fact.)
3, How do we trust the fellow peer org for the data they transfer/relay? (Here we might end up delving into signing the data, or even partial signatures, and all the related PKI stuff.)
4, How do we trust the fellow peer org that it will not disclose information we have sent there if we do not want it to? (Aka honoring the TLP.)
-- Pavel
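Facets 3 and 4 of Pavel's list (integrity of relayed data, and honoring the TLP marking on outbound sharing) can be made concrete with a small routing check. The following is an added example written for this thread, not IntelMQ's own code: each peer instance holds a constructed per-peer shared key and a maximum TLP level it is cleared to receive (the peer names, keys and clearance values are all hypothetical). Events arriving from a peer are only accepted if their HMAC verifies under that peer's key, and an accepted event is only forwarded to peers whose clearance covers the event's TLP marking.

```python
import copy
import hashlib
import hmac
import json

# Ordering of TLP levels, least to most restrictive (TLP 2.0 names).
TLP_ORDER = {"clear": 0, "green": 1, "amber": 2, "red": 3}

# Constructed peer table (hypothetical names, keys and clearance levels):
# 'key' is the symmetric secret shared with that peer, 'max_tlp' is the
# highest TLP marking we are willing to forward to it.
PEERS = {
    "cert-a": {"key": b"constructed-key-a", "max_tlp": "amber"},
    "cert-b": {"key": b"constructed-key-b", "max_tlp": "green"},
    "cert-c": {"key": b"constructed-key-c", "max_tlp": "red"},
}


def canonical(event):
    """Deterministic serialisation so sender and receiver MAC the same bytes."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def sign_event(event, sender, key):
    """Wrap an event in an envelope carrying the sender name and an HMAC-SHA256."""
    mac = hmac.new(key, canonical(event), hashlib.sha256).hexdigest()
    return {"event": event, "sender": sender, "sig": mac}


def verify_envelope(envelope, peers):
    """True only if the sender is a known peer and the MAC matches its key."""
    sender = envelope.get("sender")
    if sender not in peers:
        return False
    expected = hmac.new(peers[sender]["key"], canonical(envelope["event"]),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, envelope.get("sig", ""))


def may_relay(event, peer_name, peers):
    """Honor the TLP: a missing or unknown marking is treated as TLP:RED."""
    level = TLP_ORDER.get(event.get("tlp"), TLP_ORDER["red"])
    return level <= TLP_ORDER[peers[peer_name]["max_tlp"]]


def route_event(envelope, peers):
    """Return the peers an event is forwarded to; [] if it fails verification."""
    if not verify_envelope(envelope, peers):
        return []
    event = envelope["event"]
    return [name for name in peers
            if name != envelope["sender"] and may_relay(event, name, peers)]


def tamper(envelope, field, value):
    """Helper for the demo: copy an envelope and alter one event field."""
    forged = copy.deepcopy(envelope)
    forged["event"][field] = value
    return forged


if __name__ == "__main__":
    # Constructed sample event in IntelMQ-style field naming.
    event = {"source.ip": "192.0.2.1", "classification.type": "malware",
             "tlp": "amber"}
    env = sign_event(event, "cert-a", PEERS["cert-a"]["key"])
    print("genuine amber event goes to:", route_event(env, PEERS))
    # A relay downgrading the marking to widen distribution breaks the MAC.
    print("tampered event goes to:", route_event(tamper(env, "tlp", "clear"), PEERS))
```

The HMAC stands in for whatever integrity mechanism the exchange finally adopts; because the key is shared, it only proves the event came from one of the two key holders, so for multi-hop relaying (where the originating CERT should be verifiable by a peer that never exchanged a key with it) a public-key signature over the canonical event would be needed, which is the PKI question Pavel raises under facet 3.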