diff --git a/misp-noticelist-format/raw.md b/misp-noticelist-format/raw.md
new file mode 100644
index 0000000..302290b
--- /dev/null
+++ b/misp-noticelist-format/raw.md
@@ -0,0 +1,89 @@
+% Title = "MISP noticelist format"
+% abbrev = "MISP noticelist format"
+% category = "info"
+% docName = "draft-dulaunoy-misp-noticelist-format"
+% ipr= "trust200902"
+% area = "Security"
+%
+% date = 2018-04-01T00:00:00Z
+%
+% [[author]]
+% initials="A."
+% surname="Dulaunoy"
+% fullname="Alexandre Dulaunoy"
+% abbrev="CIRCL"
+% organization = "Computer Incident Response Center Luxembourg"
+%  [author.address]
+%  email = "alexandre.dulaunoy@circl.lu"
+%  phone = "+352 247 88444"
+%   [author.address.postal]
+%   street = "16, bd d'Avranches"
+%   city = "Luxembourg"
+%   code = "L-1611"
+%   country = "Luxembourg"
+% [[author]]
+% initials="A."
+% surname="Iklody"
+% fullname="Andras Iklody"
+% abbrev="CIRCL"
+% organization = "Computer Incident Response Center Luxembourg"
+%  [author.address]
+%  email = "andras.iklody@circl.lu"
+%  phone = "+352 247 88444"
+%   [author.address.postal]
+%   street = " 16, bd d'Avranches"
+%   city = "Luxembourg"
+%   code = "L-1611"
+%   country = "Luxembourg"
+% [[author]]
+% initials="D."
+% surname="Servili"
+% fullname="Deborah Servili"
+% abbrev="CIRCL"
+% organization = "Computer Incident Response Center Luxembourg"
+%  [author.address]
+%  email = "deborah.servili@circl.lu"
+%  phone = "+352 247 88444"
+%   [author.address.postal]
+%   street = " 16, bd d'Avranches"
+%   city = "Luxembourg"
+%   code = "L-1611"
+%   country = "Luxembourg"
+
+.# Abstract
+
+This document describes the MISP noticelist format which describes a simple JSON format to represent list of elements
+
+represent galaxies and clusters that can be attached to MISP events or attributes. A public directory of MISP galaxies is available and relies on the MISP galaxy format. MISP galaxies are used to add further informations on a MISP event. MISP galaxy is a public repository [@?MISP-G] of known malware, threats actors and various other collections of data that can be used to mark, classify or label data in threat information sharing.
+
+{mainmatter}
+
+# Introduction
+Sharing threat information became a fundamental requirements on the Internet, security and intelligence community at large. Threat information can include indicators of compromise, malicious file indicators, financial fraud indicators or even detailed information about a threat actor. Therefore, there are still information that can not be shared freely to everyone, for several reasons, and it is essential for the user to have a way to know about which information he have to be cautious, as well as an easy way for administrators to give user a reminder of it.
+
+MISP noticelist is a public repository of list of notices to show to the user about the information he uses or share.
+
+##  Conventions and Terminology
+
+The key words "**MUST**", "**MUST NOT**", "**REQUIRED**", "**SHALL**", "**SHALL NOT**",
+"**SHOULD**", "**SHOULD NOT**", "**RECOMMENDED**", "**MAY**", and "**OPTIONAL**" in this
+document are to be interpreted as described in RFC 2119 [@!RFC2119].
+
+# Format
+
+Noticelist are represented as a JSON [@!RFC4627] dictionary.
+
+## Overview
+
+The MISP noticelist format uses the JSON [@!RFC4627] format. Each noticelist is represented as a JSON object with meta information including the following fields: name, expended_name, ref, geographical_area and notice.
+
+name defines the name of the noticelist. It **MUST** match the name of the folder containing the list. The name is represented as a string and **MUST** be present. expended_name defines the full name of the noticelist. The expended_name is represented by a string and **MUST** be present. ref defines the references used to create the notice list. ref is represented as an array containing one or more references and **MUST** pe present. Each reference is a string and **MUST** be present. geographical_area defines the geographical area affected by this noticelist. geographical_area is represented as an array containing one or more descriptions of geographical area ans **SHOULD** be present. Each geographical area is a string and **SHOULD** be present.
+
+notice is represented as an array containing one or more values and **MUST** be present. notice defines all values available in the noticelist.
+
+## notice
+
+The notice array contains one or more JSON objects which represent all the possible values in the noticelist. The JSON object contains five fields: scope,
+field, value, tags and message.
+
+scope is represented as an array containing one or more scopes to apply the notice ans **MUST** be present. Each scope is a string and **MUST** be present. field is represented as an array containing one or more fields to apply the notice ans **MUST** be present. Each field is a string and **MUST** be present. value is represented as an array containing one or more values and **MUST** be present. Each value is a string and **MUST** be present. tags is represented as an array containing one or more values and **MUST** be present. Each tag is a string and **MUST** be present. message is represented as a JSON dictionary containing one or more messages translated in different languages and **MUST** be present. Each element in the message dictionary is a couple name/value where the name designate a language and the value contains a string representing a message to display to the user. These elements **MUST** be present.