Subject: Re: [cti-stix] Re: [cti-cybox] Re: [cti-stix] Re: [cti-cybox] Re: [cti-stix] Re: [cti-cybox] Re: [cti-stix] Re: [cti-cybox] Re: [EXT] [cti-cybox] Agenda for August 8 Working Call
Maybe this is the core of the issue: At an interoperability level – how does software that supports IEP understand whether “other” software supports IEP, and supports it correctly? If I’m understanding the points being made by Jason and Dave, it’s that this is solved at the configuration/deployment level and not at the implementation level. I may be missing something,
but I don’t know how to write software that understands what the receiver is actually going to do. The only way I see to guarantee what the receiver is going to do – at an ecosystem level – is to require it in the specification. IMHO, solving it at the configuration/deployment level
is pushing the responsibility of understanding IEP to the end user. This lays a trap for the security team that is not an expert in STIX 2.0 or IEP. Assuming widespread deployment of STIX 2 w/ IEP, we will see a scenario where the recipient did not honor IEP markings and did something incorrect. By making this a clearly articulated
requirement in the spec, the “fault” will lie at the non-conformant implementer, and not at the feet of the entire STIX/TAXII ecosystem. Thank you.

-Mark

From: Jason Keirstead <Jason.Keirstead@ca.ibm.com>

Agree Dave; this is the point I was making. Whenever dealing with markings, the sender and receiver have to have some level of trust and understanding of what the receiver
is actually going to do with the marking. This isn't something we can solve in STIX, unless IEP becomes much more complicated than it currently is.
> But even just a simple binary switch on *sending* IEP-marked data seems more sensible than relying on the receiver to filter out things they shouldn't have received in the first place.

This is feasible from an ACL perspective, but not from a software capability perspective. As a sender of information, I know which user accounts have which permissions, and can control access accordingly.
I have no way of knowing if the receiving software will honor the IEP markings, unless it is mandated in the spec. Maybe we are talking about the same thing. I agree with only sending marked data to those who have permission to get it. However, how will I
know if the person/org with permission has _software_ that’s capable of processing what I’m sending? I know of two ways – content negotiation and rules in the spec.
Dave Cridland phone +448454681066 Participate | Collaborate | Innovate Surevine Limited, registered in England and Wales with number 06726289. Mailing Address : PO Box 1136, Guildford GU1 9ND |