I miss typed in my last email, I meant to say micro seconds not milliseconds, aka 6 digits of precision not 3 digits of precision. Wireshark and other networking / security tools are able to work with and provide 6 digits of precision. That is
VERY common. What is not really common today is 9 digits of precision.
I propose that STIX / CybOX / TAXII use the following RFC3339/ISO8601 timestamp format:
yyyy-mm-ddThh:mm:ss.mmmmmm where all times are recorded in UTC format. A UI tool can display and should display the time in a format that works for the end user.
Open Questions for manual creation of timestamps of when you think something took place.
1) How do you define a time of just a date? Meaning, I do not know what time of day it took place? I am documenting this event retrospectively.
2) What if I only know the month and year?
3) What if I do not know the seconds but know the hour and minute?
2015-11-23T11:06:00.000000 ???? This can be weird as you would not know
I just want us to all be on the same page.
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
On 23.11.2015 17:22:16, Trey Darley wrote:
I don't insist on nanoseconds. I thought there was demand and since
the bits are cheap, why not futureproof? Since it seems I misread the
general consensus, let's standardize on nanoseconds and be done with
it. The point is a) let's have one clear way to do it and b) let's
take a decision so we can move on to other topics.
Sorry, fumblefingers, s/standardize on nanoseconds/standardize on milliseconds/g
Senior Security Engineer
4DAA 0A88 34BC 27C9 FD2B A97E D3C6 5C74 0FB7 E430
Soltra | An FS-ISAC & DTCC Company
"There's never enough time. Thank you for yours." --Dan Geer