

Subject: Re: [cti-stix] Timestamps - Proposal


Much depends on the answer to (2), but I will give you your requested Use Case requirement for Millisecond precision: many commonly used Time/Date Utility libraries only support Milliseconds vs. full RFC compliant forms ("time-secfrac = "." 1*DIGIT").

This was discussed in our original extended discussions on Time Representation on the original Lists if you need specific references to accept the assertion.

http://making-security-measurable.1364806.n2.nabble.com/template/NamlServlet.jtp?macro=search_page&node=1364806&query=%22time-secfrac%22&i=12

Note that in the effort to drive this to closure, "TimeStamps" have been discussed extensively in 3 contexts:  (1) TAXII, (2) expression of "When" something occurred, and (3) expression of intervals in patterns.
So in support of the "One Way of Doing Things" philosophy, and in the interests of driving to closure, it would be useful to clarify which contexts the current decision applies to.

Patrick Maroney
Office:  (856)983-0001
Cell:      (609)841-5104


President
Integrated Networking Technologies, Inc.
PO Box 569
Marlton, NJ 08053

From: Bret Jordan <bret.jordan@bluecoat.com>
Date: Tuesday, December 1, 2015 at 3:07 PM
To: Patrick Maroney <Pmaroney@Specere.org>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Timestamps - Proposal

Good questions....  For (2) I would hope that where relevant STIX will support multiple time stamps to accomplish this need.  But at the current rate, that will probably be 9 months of debate... :( 

For (3), it is always easier to add stuff than take stuff away.  And the group kind of felt like you either know to the microsecond or not.  Now some 10Gig/40Gig/100Gig networks will have support for nanosecond, but there did not seem to be any solid use-cases for millisecond precision.  If I am wrong, PLEASE speak up.

We need to drive this to consensus.  We need to show that we can decide something...  So if you think we need milliseconds, and there are a broad range of tools that only support 3 sub-digit seconds, then please speak up.

From my standpoint, I really do not see the value in precision.  Or I should say, I only see value to a "day" and to greater than an "hour".  Anything outside of those windows is basically useless from an actionable standpoint.  But I am coming to middle ground in order to get something done in STIX.


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Dec 1, 2015, at 12:57, Patrick Maroney <Pmaroney@Specere.org> wrote:

Bret,

Presume you will be collecting, coordinating and documenting these so I'll respond directly to your initial message vs. jumping into the Thread:


2) Timestamps MUST use the timezone offset

Question:  Does this mean there will be another Time Specification for expression of relative time, periodicity and intervals?

4) There will be an optional precision field (timestamp-precision) with the following string values: year, month, day, hour, minute, second. If precision is omitted, the default value of precision is "microsecond"

Question:  Since extending beyond RFC 3339, why can't this option precision type enumeration include millisecond, microsecond, and nanosecond?

Patrick Maroney
Office:  (856)983-0001
Cell:      (609)841-5104


President
Integrated Networking Technologies, Inc.
PO Box 569
Marlton, NJ 08053
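
The precision question debated in this thread, as an added example that is not part of the original messages or of any STIX specification: a Python parser that requires the timezone offset (item 2), accepts any number of `time-secfrac` digits, applies a `timestamp-precision` value (item 4), and shows what a millisecond-only library keeps. The function names, the sample timestamps, and the choice to floor in the written offset are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 3339 date-time; time-secfrac = "." 1*DIGIT, and the offset is mandatory.
RFC3339 = re.compile(
    r"(\d{4})-(\d{2})-(\d{2})[Tt](\d{2}):(\d{2}):(\d{2})"
    r"(?:\.(\d+))?([Zz]|[+-]\d{2}:\d{2})"
)
# Values listed in proposal item 4, plus its default "microsecond".
FIELDS = ["year", "month", "day", "hour", "minute", "second", "microsecond"]
FLOOR = {"month": 1, "day": 1, "hour": 0, "minute": 0, "second": 0, "microsecond": 0}

def parse_timestamp(text, precision="microsecond"):
    """Return (aware datetime floored to `precision`, fraction digits dropped)."""
    if precision not in FIELDS:
        raise ValueError(f"unknown timestamp-precision: {precision!r}")
    m = RFC3339.fullmatch(text)
    if m is None:
        raise ValueError(f"not RFC 3339 with an offset: {text!r}")
    y, mo, d, h, mi, s, frac, off = m.groups()
    frac = frac or ""
    micros = int(frac[:6].ljust(6, "0"))   # datetime stores at most 6 digits
    dropped = max(len(frac) - 6, 0)        # nanosecond input loses 3 digits
    if off in ("Z", "z"):
        tz = timezone.utc
    else:
        sign = -1 if off[0] == "-" else 1
        tz = timezone(sign * timedelta(hours=int(off[1:3]), minutes=int(off[4:6])))
    dt = datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), micros, tz)
    # Assumption: fields finer than the declared precision are zeroed
    # in the offset the producer wrote.
    finer = FIELDS[FIELDS.index(precision) + 1:]
    return dt.replace(**{f: FLOOR[f] for f in finer}), dropped

def as_millisecond_library(dt):
    """What a millisecond-only date library would retain of `dt`."""
    return dt.replace(microsecond=dt.microsecond // 1000 * 1000)

# Constructed sample: two events 543 microseconds apart.
SAMPLE = ["2015-12-01T15:07:42.123456Z", "2015-12-01T15:07:42.123999Z"]

if __name__ == "__main__":
    first, second = (parse_timestamp(t)[0] for t in SAMPLE)
    print("ordered at microsecond precision:", first < second)
    print("ordered after millisecond truncation:",
          as_millisecond_library(first) < as_millisecond_library(second))
```

Once both sample events pass through millisecond truncation they compare equal, so their relative order is no longer recoverable from the timestamps alone.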




