RE: [cti-stix] Timestamps - Proposal

[Terry MacDonald <terry@soltra.com>]

I think so. As we’ve already discussed it at length I think we can make a special issue if there isn’t one already and ‘catch up’ with the process below:

• Capture issue in the tracker
  • Anyone can add comments and thoughts whenever they would like within the tracker
• Identify priority of the issue and order it within the roadmap
• Discuss the issue on the list when its appropriate time comes in the roadmap
  • Identify and discuss facets of the issue
  • Identify and discuss potential proposed solutions to the issue
    • Provide updated model snippets and examples as much as possible
    • Potentially create wiki writeups providing details for proposed solutions
  • Discuss the benefits and risk of  various proposed solutions
  • Refine and narrow down solution options
  • Achieve and agree to consensus on solution to pursue
    • If consensus cannot be reached in an appropriate amount of time consider rescheduling continuing discussion for later in the roadmap. This may not be feasible for issues with a high architectural significance.
• Capture key elements of discussion as well as details of proposed solution within the tracker
• Capture proposed to-be state of the model as a branch in the github tracker
• Move on to next issue
• Revisit and refine issue and solution as appropriate due to discussions and decisions on other issues
• In preparation for Release
  • Review issue solution and integrate to-be model changes from branch into the overall model.
  • Capture final resolution comments in tracker and close issue

Terry MacDonald

Senior STIX Subject Matter Expert

SOLTRA | An FS-ISAC and DTCC Company

+61 (407) 203 206 | terry@soltra.com

 

 

From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Wunder, John A.
Sent: Friday, 4 December 2015 6:19 AM
To: cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Timestamps - Proposal

 

So it appears that we have rough consensus and IMO can move on without a vote.

 

How do we document this? Should I add an issue & a comment w/ the accepted solution?

 

On Dec 1, 2015, at 4:55 PM, Struse, Richard <Richard.Struse@HQ.DHS.GOV> wrote:

 

+1. Microseconds are enough. Let's move on.
 

From: Jordan, Bret [mailto:bret.jordan@bluecoat.com]
Sent: Tuesday, December 01, 2015 04:54 PM Eastern Standard Time
To: Terry MacDonald <terry@soltra.com>
Cc: tony@yaanatech.com <tony@yaanatech.com>; Patrick Maroney <Pmaroney@Specere.org>; cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Timestamps - Proposal
 

This is generally why we decided to place some table stakes in the ground and call it good. The proposal on the floor is for microsecond level precision, meaning 6 sub-second digits (most modern tools can and do support this, older tools may be limited).  

 

We can debate esoteric requirements and corner cases forever.  I would much rather get STIX 2.0 out the door and if we need to add something like nano seconds later, we can do that.  People that can only do millisecond level precision should just zero out the last three digits.  And given jitter in NTP it does not really matter that they are zeroed because your accuracy is only to about a second anyway.

 

The way this would look is like:

 

{

  "timestamp": "2015-12-01T14:52:12.123456-06:00"

}

 

or 

 

{

  "timestamp": "2015-12-01T14:00:00.000000-06:00",

  "timestamp-precision": "hour"

}

 

 

Thanks,

 

Bret

 

 

 

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

 

On Dec 1, 2015, at 14:28, Terry MacDonald <terry@soltra.com> wrote:

 

I'm sure millisecond will be good enough for now.

We will never be able to cover every governments exact specific requirements, so I don't think we should start. I'm sure that the EU, China, Japan, Australia and NZ all have their own requirements in this space, and all we can expect to do is cover the main 80%. We get into trouble trying to shoehorn the last 20% in.

Cheers

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA | An FS-ISAC and DTCC Company
+61 (407) 203 206 | terry@soltra.com
 

-----Original Message-----
From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Tony Rutkowski
Sent: Wednesday, 2 December 2015 8:07 AM
To: Jordan, Bret <bret.jordan@bluecoat.com>; Patrick Maroney <Pmaroney@Specere.org>
Cc: cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Timestamps - Proposal

SEC Rule 613 requires millisecond or better timestamps for its event observables. See https://www.sec.gov/divisions/marketreg/rule613-info.htm

A precision is trivial.  Getting the uncertainty value underpinning the data element is more difficult.
In a NFV world, sub millisecond uncertainties are essential.
-t

On 2015-12-01 03:07 PM, Jordan, Bret wrote:

10Gig/40Gig/100Gig networks will have support for nano second, but
there did not seem to be any solid use-cases for mili second
precision.  If I am wrong, PLEASE speak up.

---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php


---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php