OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cti-stix message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [cti-stix] Applying data markings

For some context, there are significant users of STIX, especially within the public sector, that require finer-grained marking than what Level 1 markings provide.  The whole point of having two levels of marking defined is to allow implementations that are not concerned with that finer-grained capability to implement just Level 1 markings.   My guess is that support for Level 1 would be MTI with support for Level 2 (in addition to Level 1 of course) being optional.

 

From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Jordan, Bret
Sent: Thursday, December 03, 2015 8:46 PM
To: Wunder, John A.
Cc: cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Applying data markings

 

So I really like what you have done for Level 1 markings, and I can get behind that.  A few nits/comments though:

 

1) you have defined marking_definitions and marking_refs.  I am guessing you are using an abbreviated form of references because of the legacy "idref" field.  I would prefer that we adopt a general style guide for the field names.  

 

Options to be discussed:

a) use underscores || camel casing

b) all lower case || camel casing

c) spell words out || try to use abbreviated forms when possible

 

My preferences:

I prefer underscores even though the JSON uses camel casing

I personally prefer all lower case

I would prefer abbreviations when possible.  So marking_defs and marking_refs  (this might be hotly debated by this group)

 

 

2) EclecticIQ published a great style guide for JSON STIX when they did theirs.  One thing that I did not like at first, but came to love in code was their use of a "type" field.  For example:

 

{

  "type": "six_package",

  "indicators": [

    {

      "type": "indicator",

      "id": "indicator-1234"

    }

  ]

}

 

It might be good to do this in your marking objects as well.  Something like "type": "marking" or something. Please the attached PDF of their email to the STIX list from long ago.  

 

 

3) Can you give some examples of a Level 2 marking structure that is valid?  I am still not sold on the Level 2, but am willing to work with you, so you can enlighten me.  

 

Attachment: smime.p7s
Description: S/MIME cryptographic signature

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]