cti-users message


Subject: Re: [cti-users] "Signature" of STIX Objects


"'For me' at the moment, the specific signing standard is not overly important as long as a consumer knows where to find the upstream public signatures for downstream/consumer validation."

FWIW, this specific problem is IMHO larger than the canonicalization aspect, and is one of the greatest limiting factors for STIX signatures (I've been talking about how vital this is since 2015 - http://making-security-measurable.1364806.n2.nabble.com/STIX-STIX-1-2-Multiple-Descriptions-JSON-Options-tp7587294p7587336.html).

Without having any kind of defined approach for how one is supposed to validate (a) what the signing authority was, and (b) that a given signing authority was even allowed to sign that content, signatures do not have much value.

I will be interested in how you approach this problem, if you plan to advocate for a DNS based system like DANE, some kind of a known-URI-for-producer-domain system, or a centralized model like other systems.


-
Jason Keirstead
Lead Architect - IBM Security Connect
www.ibm.com/security

"Things may come to those who wait, but only the things left by those who hustle." - Unknown




From:        Stephen Russett <stephen@digitalstate.ca>
To:        Bret Jordan <jordan2175@gmail.com>
Cc:        cti-users@lists.oasis-open.org
Date:        11/23/2018 03:25 PM
Subject:        Re: [cti-users] "Signature" of STIX Objects
Sent by:        <cti-users@lists.oasis-open.org>




Thanks for the quick feedback.
So given the lack of standards, in the meantime I am going to implement a custom property that implements a signing/validating strategy pattern and for a first pattern just use something similar to how JWT tokens sign their content for public key validation.
Specifically so that someone can have signed content and verify that content with a ~public PKI listing.

"For me" at the moment, the specific signing standard is not overly important as long as a consumer knows where to find the upstream public signatures for downstream/consumer validation.

something like "x_signature: " ", which can be easily implemented with helpers in a library's implementation.

Would you say that a standard is "near"? or a 2020+ type of thing?





From: Bret Jordan <jordan2175@gmail.com>
Reply: Bret Jordan <jordan2175@gmail.com>
Date: November 23, 2018 at 2:14:45 PM
To: Stephen Russett <stephen@digitalstate.ca>
Cc: cti-users@lists.oasis-open.org <cti-users@lists.oasis-open.org>
Subject: Re: [cti-users] "Signature" of STIX Objects


Stephen,

Thanks for the question.  Yes, this is a known issue that the TC needs to address.  One of the major problems is that the IETF JOSE working group has yet to define a canonical representation of JSON data. This makes signing the STIX objects difficult, as there is not yet any RFC for doing what we need. We have talked about a few different options internal to our CTI TC for how this could be done, but the solution would be limited to STIX and TAXII, rather than an industry wide standard.

To this end I have been bringing up this issue on the IETF JOSE WG mailing list, and trying to get a work item started during the Prague IETF meeting to address this.  If you are interested in signed JSON content, either for STIX or something else, I would highly encourage you to join the discussion at jose@ietf.org.  There seem to be a few people on the JOSE mailing list that, like me, want to see this work get done.  However, as you may know, all standards work (even here in OASIS) is consensus based. Meaning, the more people that want something done, the more likely it will get done.
 
Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

On Nov 23, 2018, at 11:44 AM, Stephen Russett <stephen@digitalstate.ca> wrote:

Hey all

I am looking for some experiences working with "signing" objects (SDOs, SROs, Data Marking Definitions, etc).  I am looking at using a custom property, but wanted to get some feedback if others are doing this?

use case: As bundles are passed around in STIX, there are different actors/identities that are consuming this information.  Has there been thought on a common standard for signing bundles and each item within a bundle (in the case where a bundle's objects were provided by different actors, but were bundled by someone else)?

Thanks!
Steve


Stephen Russett
@stephenrussett




