

Subject: Re: [cti-stix] Proposal to establish Sightings (#306) and Relationships (#291) as our official issue topics under active consideration for STIX v2.0


:-)

That is basically what we have currently for IDs. A QName is basically just a namespace prefix and a unique identifier postfix. The only specific difference with our current approach is that our suggested practices recommend adding a string descriptor of what type of object is being identified before the UUID in the postscript (e.g. Indicator-e061903a-7e42-11e5-8bcf-feff819cdc9f). But this is not required and users would be able to use the exact form you describe.

If the form you show ends up being what people want then any migration would be pretty simple. We could just define this form ourselves and move away from using the official XML-centric QName specification for it.

Again, I am not arguing for any specific format at this point. Just observing opinions. :-)

sean

From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Thursday, October 29, 2015 at 9:23 AM
To: Terry MacDonald <terry@soltra.com>
Cc: "Barnum, Sean D." <sbarnum@mitre.org>, Jerome Athias <athiasjerome@gmail.com>, "Taylor, Marlon" <Marlon.Taylor@hq.dhs.gov>, John Wunder <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: RE: [cti-stix] Proposal to establish Sightings (#306) and Relationships (#291) as our official issue topics under active consideration for STIX v2.0

+1

<namespace>:<RFC 4122 UUID> seems to be what most people use in practice.


-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: Terry MacDonald <terry@soltra.com>
To: "Barnum, Sean D." <sbarnum@mitre.org>, Jerome Athias <athiasjerome@gmail.com>
Cc: "Taylor, Marlon" <Marlon.Taylor@hq.dhs.gov>, "Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 2015/10/29 03:15 AM
Subject: RE: [cti-stix] Proposal to establish Sightings (#306) and Relationships (#291) as our official issue topics under active consideration for STIX v2.0
Sent by: <cti-stix@lists.oasis-open.org>





Yes :D.

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA | An FS-ISAC and DTCC Company
+61 (407) 203 206 | terry@soltra.com


From: Barnum, Sean D. [mailto:sbarnum@mitre.org]
Sent: Thursday, 29 October 2015 4:49 PM
To: Jerome Athias <athiasjerome@gmail.com>
Cc: Terry MacDonald <terry@soltra.com>; Taylor, Marlon <Marlon.Taylor@hq.dhs.gov>; Wunder, John A. <jwunder@mitre.org>; cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Proposal to establish Sightings (#306) and Relationships (#291) as our official issue topics under active consideration for STIX v2.0

Ah. That makes sense.

What I meant when I included “ID format” in the list of topics was that there have been community members who have complained about the use of Qualified Names as the STIX ID format and that discussion around this question and possible alternative options could occur. Now that we have abstracted from just XSD it likely makes sense to look into whether there are other more preferable forms.

I think the key is just to try to support the basic capabilities we have in QNames (the ability to specify some sort of sub-identifier for the producer of the ID and some sort of sub-identifier that is globally unique within the producer sub-identifier context).
I think the option that I heard being mentioned before was to look into URIs containing a domain name (and possibly path) as the producer sub-identifier and then the globally unique identifier (e.g., GUID/UUID) as either the end of the path or as a fragment. I don’t recall any opinions being expressed on appropriate schemes to use or if that mattered.
I am not arguing for or against this approach but definitely think it should be part of any discussion around exploring new ID format options.

So, I guess the answer to Terry’s question is yes. ;-)
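
The ID forms discussed in this thread, as an added example that is not part of any message above: a parser that recovers the producer sub-identifier and the globally unique sub-identifier from the namespace-prefix form (with or without the type descriptor) and from the URI form (UUID as last path segment or as fragment). The function names, the `example` namespace and the `example.com` domain are assumptions made for illustration; the UUID is the one quoted in the thread.

```python
import re
import uuid
from urllib.parse import urlsplit

# Prefix form: <namespace>:[<Type>-]<UUID>. The type descriptor is optional,
# matching the "suggested practice, not required" point made in the thread.
_PREFIXED = re.compile(
    r"^(?P<ns>[A-Za-z_][\w.-]*):"
    r"(?:(?P<type>[A-Za-z][A-Za-z_]*)-)?"
    r"(?P<uuid>[0-9a-fA-F-]{36})$"
)

def _as_uuid(text):
    """Return a uuid.UUID if text is a canonically hyphenated UUID, else None."""
    try:
        parsed = uuid.UUID(text)
    except ValueError:
        return None
    # uuid.UUID() also accepts braces, urn: prefixes and misplaced hyphens;
    # an ID format should admit one spelling only.
    return parsed if str(parsed) == text.lower() else None

def parse_id(identifier):
    """Split an ID into (producer, type_or_None, uuid.UUID) or raise ValueError."""
    m = _PREFIXED.match(identifier)
    if m:
        unique = _as_uuid(m.group("uuid"))
        if unique is None:
            raise ValueError("not a canonical UUID: %r" % identifier)
        return m.group("ns"), m.group("type"), unique

    # URI form: domain (and optional path) identifies the producer; the UUID
    # is either the fragment or the last path segment.
    parts = urlsplit(identifier)
    if parts.scheme and parts.netloc:
        if parts.fragment:
            path, candidate = parts.path, parts.fragment
        else:
            path, _, candidate = parts.path.rpartition("/")
        unique = _as_uuid(candidate)
        if unique is not None:
            return parts.netloc + path.rstrip("/"), None, unique
    raise ValueError("unrecognised ID form: %r" % identifier)

def same_object(a, b):
    """Two IDs name the same object only if producer and UUID both match."""
    pa, _, ua = parse_id(a)
    pb, _, ub = parse_id(b)
    return (pa, ua) == (pb, ub)
```
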





