Subject: Re: [cti-stix] Re: [cti-users] Indicator Type / Vocabulary Implementation Questions
I am getting mixed messages in this thread - because if a document has an entry in it that the consumer can't cross-reference or validate, then all that document actually has is a plain-jane string, and it is not actually a controlled vocabulary anymore.
This is a vital distinction... the Indicator Type can be only one of two things... it is either a free-form string that I can stick anything in, or it is a vocabulary. This is vital because implementations will need to know the difference - if the data member is a simple string, or a member of an enumeration.
@Cory asks "I would hope that an extended vocabulary is at least known or curated in some way, just like a schema."
I would agree, in general. The current main problem is our curated vocabulary is far too brief and is internally inconsistent with STIX itself (redundancies)... I am taking an effort to append to it and make it internally consistent, however, I still think that various people will need to be able to define their own indicator types / vocabularies. As you mentioned, "My hierarchy is not your hierarchy."
@Sean states "The only way I can see that STIX could try to overcome this issue is providing structures enabling the producer to transmit their full vocab definition as part of the content itself."
I think this is the only viable long-term solution. I, as a producer, should be able to include my vocabulary in the document... and/or reference a vocabulary I sent in a PREVIOUS document. I.e., I need to be able to send a vocabulary with my document without relying on XSI external references.
@Patrick - https://avro.apache.org/docs/current/
Avro is a nice technology and was in the list along with ProtoBuf and others when serialization techniques were debated earlier in the year.... and should probably be another consideration for STIX 2.0.
-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
John-Mark Gurney ---2015/10/23 03:21:35 PM---On Fri, Oct 23, 2015 at 7:42 AM, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:
From: John-Mark Gurney <jmg@newcontext.com>
To: Jason Keirstead/CanEast/IBM@IBMCA
Cc: "Barnum, Sean D." <sbarnum@mitre.org>, "Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 2015/10/23 03:21 PM
Subject: Re: [cti-stix] Re: [cti-users] Indicator Type / Vocabulary Implementation Questions
Sent by: <cti-stix@lists.oasis-open.org>
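
The distinction drawn in the message above (free-form string versus member of a vocabulary, with the vocabulary shipped in the document or referenced from a previous one), shown as an added example that is not part of the original email or of STIX. The document layout (`vocabularies`, `type_vocab`) and every name and term in it are hypothetical and constructed for illustration.

```python
from enum import Enum


class Resolution(Enum):
    ENUM_MEMBER = "value is a member of a vocabulary the consumer holds"
    NOT_IN_VOCAB = "vocabulary is held, but the value is not one of its terms"
    UNKNOWN_VOCAB = "vocabulary was never received: value is only a string"
    FREE_FORM = "no vocabulary claimed: value is a free-form string"


class VocabCache:
    """Vocabularies a consumer has received so far, keyed by (name, version)."""

    def __init__(self):
        self._vocabs = {}

    def ingest(self, document):
        # Hypothetical field: the producer ships full vocabulary definitions inline.
        for vocab in document.get("vocabularies", []):
            key = (vocab["name"], vocab["version"])
            self._vocabs[key] = frozenset(vocab["terms"])

    def resolve(self, indicator):
        ref = indicator.get("type_vocab")  # hypothetical reference field
        if ref is None:
            return Resolution.FREE_FORM
        terms = self._vocabs.get((ref["name"], ref["version"]))
        if terms is None:
            # Cannot cross-reference or validate: treat as a plain string.
            return Resolution.UNKNOWN_VOCAB
        if indicator["type"] in terms:
            return Resolution.ENUM_MEMBER
        return Resolution.NOT_IN_VOCAB


def classify(cache, document):
    """Ingest any vocabularies in the document, then resolve each indicator type."""
    cache.ingest(document)
    return [cache.resolve(i) for i in document.get("indicators", [])]


# Constructed sample documents (not real STIX content).
REF = {"name": "example-producer-indicator-types", "version": "1"}
DOC_WITH_VOCAB = {
    "vocabularies": [dict(REF, terms=["c2-beacon", "phishing-lure"])],
    "indicators": [{"type": "c2-beacon", "type_vocab": REF}],
}
DOC_REFERENCING_PREVIOUS = {
    "indicators": [
        {"type": "phishing-lure", "type_vocab": REF},
        {"type": "watering-hole", "type_vocab": REF},
        {"type": "anything I like"},
    ],
}
```

A consumer that receives `DOC_REFERENCING_PREVIOUS` before `DOC_WITH_VOCAB` can only report `UNKNOWN_VOCAB` for the referenced types, which is the "plain-jane string" case the message describes.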