I added my comments - I agreed with Jason’s issue with, e.g., DANE. I think I’ve got language (in the document in comments) that might work.
As for “let’s not put it in the standard but put it in the conformance section,” I can agree with it, because if someone built a TAXII server that did not comply with the conformance section, they cannot call it a TAXII server and they cannot expect it to work with all TAXII clients. In plain English, the conformance section is a normative part of the standard.
I added the same comments in the document.
My suggestion to fix it, as echoed by many at the face to face, is to entirely delete this section... I feel it is unnecessary in its entirety and is only going to cause implementation issues. I did not want to make this change, however.
-- Sent from my mobile device, please excuse any typos.

Bret Jordan

--- Re: [cti-taxii] Tuesday's Working Call ---

Jason,
Thanks for pointing that out. Please make suggestions in the document that will fix this.
Bret
My main questions on the doc as it stands right now... added the same comments directly to the doc.

Here is a copy/paste from the doc - red emphasis mine (apologies to anyone on a plain-text email client):

6.4.1 Certificate Authentication

A TAXII 2.0 Server MAY support certificate authentication. Software claiming to support certificate authentication MUST follow the normative requirements listed in this section.

What is the normative definition of "claiming to support"? Am I allowed to build software that supports pinned certificates, but does not support CRLs? Because by my reading, I could not do that.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown

From: Bret Jordan <Bret_Jordan@symantec.com>
To: "cti-taxii@lists.oasis-open.org" <cti-taxii@lists.oasis-open.org>
Date: 01/28/2017 02:04 PM
Subject: [cti-taxii] Tuesday's Working Call
Sent by: <cti-taxii@lists.oasis-open.org>

I would like to discuss the authentication and certificate pieces on this Tuesday's working call. We seem to have a divide in the community about what to do here. Some are saying we should be completely silent, others are saying we should define it because otherwise the only interoperability we will have is a "best practice". The group seems to be divided nearly 50/50.

What I am going to propose is that we put things like the certificate authentication and certificate handling parts in the "Optional Features" part of the Conformance Section. This would allow us to specify exactly how it should be done, if you decide to implement it. We need to make sure we take into account cloud services that may not give you a lot of flexibility over the stack that you are using. But I think we can solve this.

So if you have opinions on this topic, please join us on this week's working call.

Thanks

Bret