STIX 2.0 CSD vs. CS

["Wunder, John A." <jwunder@mitre.org>]

Hey all,

 

On the working call yesterday we had a discussion about the path forward for STIX 2 (2.0, 2.1, etc.), especially as it relates to publishing a Committee Specification. You may have been following the thread on the mailing lists where we discussed the pros and cons, but Allan brought up the fact that it’s hard to make a decision until we have a document we can look at and evaluate. Therefore, we think it’s premature to open a ballot at this stage for whether we should pursue a CS for STIX 2.0 RC3. Instead, we’ll:

 

-          Complete the patterning discussion, conformance clauses, and other open issues

-          Finalize the documents formatted as official OASIS specifications, including adding normative references and moving to their templates

-          Vote on whether STIX 2.0 RC3 should become a CSD

-          Decide whether we as a TC feel that the CSD is of sufficient quality to become a CS, via a ballot to open the public comment period required before approving a CS  

 

Unless we have any unexpected delays we should have final documents that you can review and that we can vote on in a couple weeks. The main open issues we need to resolve first are:

 

-          Patterning, which Ivan, Trey, JMG, and Jason are working furiously to finish. PLEASE REVIEW and provide suggestions (suggestions > comments) if you get a chance. Patterning is CRITICAL to get right…in my opinion nothing is more important to the MVP release than patterning and indicators.

-          Whether or not we want to support Snort and Yara in STIX 2.0. Bret recently re-opened that discussion in the context of the merge of STIX and CybOX.

-          Location – Allan is working on a proposal to create a separate Location SDO that leverages GeoJSON to give you the ability to do both coordinate-based locations (draw points, lines, polygons) and civic addresses/regions. That proposal seems like it will take a bit of time to work through though so at this point I would like to suggest we defer it to STIX 2.1 and remove the location support we have now to avoid going in the wrong direction. At this point I don’t want to have a broad discussion about how location should work (until we see Allan’s proposal), but if you feel that location is too critical to remove from 2.0 to the extent that we should delay the release by minimally a few weeks to get it in now is the time to speak up.

-          Conformance clauses for STIX Observable Core/Objects, and Patterning (I believe proposals exist for all of them, but they need to be reviewed)

-          I believe we’ve got good agreement on how observed data will work for 2.x, at least enough that we don't think anything now in 2.0 is broken. So that topic should be finished unless anyone has any issues with what we’ve done for 2.0.

 

As a reminder, you can see the current versions (working RC3 drafts) of the document here:

 

STIX Core: https://docs.google.com/document/d/1IcA5KhglNdyX3tO17bBluC5nqSf70M5qgK9nuAoYJgw

STIX Objects: https://docs.google.com/document/d/1S5XhY6F5OT599b0OuHtUf8IBzFvNY8RysFHIj93DgsY

STIX Observable Core: https://docs.google.com/document/d/1PSGv6Uvo3YyrK354cH0cvdn7gGedbhYJkgNVzwW9E6A

STIX Observable Objects (Host): https://docs.google.com/document/d/1DdS-NrVTjGJ3wvCJ7dbSlhYeiaWS6G6dOXu2F3POpUs

STIX Observable Objects (Network): https://docs.google.com/document/d/1oPAHN6nitdVF60RuDlajq0VuN6S_p_RP3ZE48yOBBfQ

STIX Patterning: https://docs.google.com/document/d/1suvd7z7YjNKWOwgko-vJ84jfGuxSYZjOQlw5leCswPY

 

If any of the open topics are interesting to you and you want to get involved, please reach out to a co-chair or editor (myself, Trey, Ivan, Bret, Rich P., or Aharon) and we can point you to the right place.

 

Thanks,

John