[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-cybox] CybOX Objects/Relationships
Kirillov, Ivan A. wrote this message on Wed, Apr 13, 2016 at 14:23 +0000: > That seems reasonable to me – I also think it doesn’t make sense that CybOX Objects would be globally unique. Therefore, what if we say something like: > > * CybOX Object IDs: are unique only to the local container in which the CybOX Object is captured. There is no assumption or expectation that such IDs are globally unique. If we do this, then I would argue that we need to make sure that we do not use IDs that could be globally unique.. i.e. an ID is a simple integer that is < 999,999,999... If we use a UUID or something similar, someone will use them as such.... > * Object Relationships: are valid only between CybOX Objects captured in the same local encapsulating container (i.e., sibling Objects). That is, relationships MUST NOT be defined between Objects that are captured in different containers (even in the same document). A small number, like the above will help enforce this... I'm still not a fan of relationships between cybox objects, but I can see their use in limited cases... We need to make sure that we make the spec so that people have to do the right thing, and not invent 20 different ways to store an IP for a simple watchlist... I'm worried that adding freeform relationships will make it difficult/impossible for one person's indicator/pattern to match another person's observations because they generated their cybox differently... If each orginization has to rewrite an indicator's pattern to match how their tool collects data, then we have failed in our mission... -- John-Mark
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]