Re: [cti-stix] Focusing our active discussions a little

[Jerome Athias <athiasjerome@gmail.com>]

Greetings,

1) I would like to suggest to focus our efforts on the
RelationshipStatement construct first. (Tier1)
imho, it would help clarifying/resolving multiple 'issues' by offering
new perspectives (including Sighting and 5))

2) I would like to suggest to put on hold the Marking/Handling
discussions until release of the FIRST Information Exchange Policy
Format SIG (Tier2)

3) I would like to suggest that we come to a short-term conclusion on
the Incident vs Investigation constructs.
Suggested (quick win) (Tier1):
Review of the IncidentStatus enumeration*
https://stixproject.github.io/data-model/1.2/stixVocabs/IncidentStatusVocab-1.0/
Addition of a new "New - Investigating" (or similar) entry

Long term: (Tier2)
Identification of few individuals for working on a concrete detailed
RFC/Proposal regarding a new Investigation construct

4) * Identification/Creation of a Working Group (WG) for the review
and enhancement of the Default Controlled Vocabularies enumerations.
(Tier1)

5) Schedule a presentation by a CTI Conceptual
Representation/Abstraction/top-level/semantic WG to envision potential
refactoring, simplification, enhancement, expansion of the current
models. (Tier1)

6) Work on the use cases (Tier2)

7) Work on the requirements (Tier1)

8) Work on the methodology, process, workflows to enhance/optimize the
collaboration/comments (Tier1)
Suggested: identification of tools for visual representation and
exchange/collaborative work of concepts and workflows for the use
cases or issues.


Thank you
Best regards
/JA





2015-11-09 18:51 GMT+03:00 Barnum, Sean D. <sbarnum@mitre.org>:
> All,
>
> I wanted to thank everyone for a lot of the great conversation that has been
> occurring over the last couple of weeks.
> That is the good news.
> On the not as good news front we haven’t really been able to drive to
> consensus on any specific concrete proposals yet.
>
> I think that while these various conversations are great and seem to have
> some good exchange we are currently trying to keep up with and contribute to
> around 1/2 dozen issue topics rather than the two that we agreed to focus
> on. I have already heard from some parties that this level of diverse
> activity is difficult to keep up with in a well thought out way. I think
> this dilution is likely part (though certainly not all) of the reason we are
> still talking about things on some of these issues rather than having driven
> towards consensus solutions. I would also hate to have a situation where
> there is so much active conversation on so many different topics that people
> not working on this full time with enough cycles to keep up with everything
> are forced to choose only specific topics to be involved in and simply do
> not follow or contribute on others based on time.
>
> May I suggest that we attempt to refocus on 1-2 issue topics, drive them to
> ground and then move to the others?
>
> The two topics that we had agreed to be discussing are sightings and
> relationships. I think we have had some good discussion on sightings and if
> we can focus there without distraction for a bit we can hopefully drive to
> some consensus. If there is community desire to have the second active topic
> be one of these other issues being discussed (data marking application
> approach, data marking structure, ID format, request/response, etc.) rather
> than relationships please let us know and we can select one of these other
> topics and focus there.
>
> Once again, thank you for your active contributions.
>
> sean