
cti-stix message



Subject: Re: [cti-stix] Re: [cti-users] Indicator Type / Vocabulary Implementation Questions


I am getting mixed messages in this thread - because if a document has an entry in it that the consumer can't cross-reference or validate, then all that document actually has is a plain-jane string, and it is not actually a controlled vocabulary anymore.

This is a vital distinction... the Indicator Type can be only one of two things: it is either a free-form string that I can stick anything in, or it is a vocabulary. This is vital because implementations will need to know the difference - whether the data member is a simple string, or a member of an enumeration.

@Cory asks "I would hope that an extended vocabulary is at least known or curated in some way, just like a schema."

I would agree, in general. The current main problem is our curated vocabulary is far too brief and is internally inconsistent with STIX itself (redundancies)... I am taking an effort to append to it and make it internally consistent, however, I still think that various people will need to be able to define their own indicator types / vocabularies. As you mentioned, "My hierarchy is not your hierarchy."

@Sean states "The only way I can see that STIX could try to overcome this issue is providing structures enabling the producer to transmit their full vocab definition as part of the content itself."

I think this is the only viable long-term solution. I, as a producer, should be able to include my vocabulary in the document... and/or reference a vocabulary I sent in a PREVIOUS document. I.e., I need to be able to send a vocabulary with my document without relying on XSI external references.

@Patrick - https://avro.apache.org/docs/current/

Avro is a nice technology and was in the list along with ProtoBuf and others when serialization techniques were debated earlier in the year.... and should probably be another consideration for STIX 2.0.

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: John-Mark Gurney <jmg@newcontext.com>
To: Jason Keirstead/CanEast/IBM@IBMCA
Cc: "Barnum, Sean D." <sbarnum@mitre.org>, "Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 2015/10/23 03:21 PM
Subject: Re: [cti-stix] Re: [cti-users] Indicator Type / Vocabulary Implementation Questions
Sent by: <cti-stix@lists.oasis-open.org>





On Fri, Oct 23, 2015 at 7:42 AM, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:
The tool doesn't need access to the vocabulary to use the document.  Yes, the tool might not know if the string is valid, but that doesn't mean that the tool cannot still use the document.  I would also hope that you trust whoever is producing and providing the document in these cases.

I will admit I haven't figured out how hard it is for validating XML parsers to selectively ignore this error. 
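The distinction debated in this thread (an indicator type that is a validated member of an enumeration versus one that is only a string), sketched as an added example that is not part of any message above and is not STIX schema. The document layout, field names, vocabulary names and sample terms are all hypothetical and constructed; a vocabulary can arrive inline or be referenced from an earlier document by the same producer.

```python
# Added illustration. Every field name, vocabulary name and term here is
# hypothetical and constructed; none of it is taken from the STIX schema.
BUILTIN = {"default-indicator-types": {"IP Watchlist", "Domain Watchlist", "C2"}}

class VocabResolver:
    """Tells a consumer whether an indicator type is an enumeration member or just a string."""

    def __init__(self):
        # (producer, vocabulary name) -> terms; keyed by producer so that one
        # producer cannot redefine a vocabulary another producer shipped.
        self.shipped = {}

    def ingest(self, doc):
        producer = doc["producer"]
        for name, terms in doc.get("vocabularies", {}).items():
            if name not in BUILTIN:          # built-in vocabularies are never overridden
                self.shipped[(producer, name)] = set(terms)
        return [self.classify(producer, ind) for ind in doc.get("indicators", [])]

    def classify(self, producer, ind):
        vocab, value = ind.get("vocab"), ind["type"]
        if vocab is None:
            return (value, "free-form")      # no vocabulary declared: plain string
        terms = BUILTIN.get(vocab)
        if terms is None:
            terms = self.shipped.get((producer, vocab))
        if terms is None:
            return (value, "unresolved")     # still usable, but only as a string
        return (value, "enumerated" if value in terms else "invalid")

def demo():
    resolver = VocabResolver()
    # First document ships the producer's own vocabulary inline.
    doc1 = {"producer": "org-a",
            "vocabularies": {"org-a-types": ["Phishing Kit", "Sinkhole"]},
            "indicators": [{"type": "Phishing Kit", "vocab": "org-a-types"},
                           {"type": "IP Watchlist", "vocab": "default-indicator-types"},
                           {"type": "misc notes"}]}
    # Second document only references the vocabulary sent previously.
    doc2 = {"producer": "org-a",
            "indicators": [{"type": "Sinkhole", "vocab": "org-a-types"},
                           {"type": "Botnet", "vocab": "org-a-types"},
                           {"type": "X", "vocab": "org-b-types"}]}
    return resolver.ingest(doc1), resolver.ingest(doc2)

if __name__ == "__main__":
    for results in demo():
        print(results)
```
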



