

Subject: Re: [cti-stix] Applying data markings


We are open to changing some of those ideals in TAXII 2.0. And there are some real reasons to make that sort of change.

One thing we have talked about, but have not really decided either way on, is the idea of applying "helper" labels to a TAXII header to help the end client know what to do with the data.  

Example..... Yes, I fully know and understand the weakness of TLP, but use this as some mental juice to think about possibilities.

Imagine if you have a STIX document that has some TLP Green and TLP Red (yes you could argue about not including them both in the same package, but that is an argument for another day).  Imagine if you could give a hint to the TAXII client/server in a TAXII header that some of the content in the payload was TLP Red...  This could GREATLY assist in processing of the data.


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Dec 11, 2015, at 11:46, Patrick Maroney <Pmaroney@Specere.org> wrote:

Jason,

I see many discussions that seem to conflate and confuse a number of topics like "Data Markings" as well.  A core tenet of the TAXII Standard has always been the following:

5.2.1 TAXII is Content Agnostic

The TAXII specifications do not provide details about the underlying content formats of records within TAXII. All content formats are a "black-box" as far as TAXII is concerned - none of the behaviors required to process TAXII at the message level require inspection of any information stored within message content. While TAXII Back-ends can have very different processing paths and requirements for different types of information, TAXII Services, Messages, and Exchanges are agnostic as to the information they convey. This allows TAXII to be usable for a wide array of sharing scenarios.


Discussions around "Back-Ends" and STIX "Repositories" are very much implementation specific details from my perspective.

Patrick Maroney
Office:  (856)983-0001
Cell:      (609)841-5104


President
Integrated Networking Technologies, Inc.
PO Box 569
Marlton, NJ 08053

From: <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Friday, December 11, 2015 at 1:24 PM
To: John Wunder <jwunder@mitre.org>
Cc: "Chernin, Aharon" <achernin@soltra.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, Jason Keirstead <Jason.Keirstead@ca.ibm.com>, Marlon Taylor <Marlon.Taylor@hq.dhs.gov>, Sean Barnum <sbarnum@mitre.org>
Subject: RE: [cti-stix] Applying data markings

There is something I still to this day don't grok about partial markings, especially the ill-defined "TLP". I feel like not enough thought is placed into how the consumer, specifically a TAXII server, is supposed to implement support for the markings.

If I have a STIX document and it is marked in such a way that I can see 1/2 of that document but not the other, when that document is published to a TAXII channel that I am privy to, what do I receive as a consumer? Do I receive a partial document? Do I not receive the document at all?

If it is the former, then what is the point of having Level 2 markings, and furthermore, how can we ensure the document is not incomplete (for example what if an Indicator I have access to has an observable reference that I do not)?

If it is the latter, how can that be done by the TAXII server without changing the digital signature of the document?

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown
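The two concerns raised in this thread, Jason's question of what a consumer receives when only part of a document is releasable to them (and whether the remainder still hangs together and still verifies), and Bret's idea of a content-level hint carried outside the payload, can be made concrete with a small model. The following is an added example, not code from the thread or from any TAXII implementation: a constructed bundle of objects each carrying an object-level TLP colour, a filter that keeps only what a given consumer may see and reports references that now point at withheld objects, a stand-in signature (HMAC, assumed in place of OpenPGP) showing that the filtered document no longer verifies against the producer's signature, and a hypothetical header name (`X-TLP-Highest`, an assumption, not a TAXII field) summarising the most restrictive marking in the payload.

```python
import hashlib
import hmac
import json

# TLP colours in increasing order of restriction (constructed ordering for this example).
TLP_ORDER = {"white": 0, "green": 1, "amber": 2, "red": 3}

# Constructed sample bundle: identifiers and content are made up for illustration.
# Each object carries its own "tlp" marking and a list of references to other objects.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--example-0001",
    "objects": [
        {"id": "indicator--0001", "type": "indicator", "tlp": "green",
         "refs": ["observable--0001"]},                       # green indicator -> red observable
        {"id": "observable--0001", "type": "observable", "tlp": "red", "refs": []},
        {"id": "indicator--0002", "type": "indicator", "tlp": "green",
         "refs": ["observable--0002"]},                       # green indicator -> green observable
        {"id": "observable--0002", "type": "observable", "tlp": "green", "refs": []},
    ],
}

SIGNING_KEY = b"constructed-demo-key"  # stands in for the producer's signing key


def canonical_bytes(doc):
    """Deterministic serialisation so the same content always hashes the same way."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def sign(doc, key=SIGNING_KEY):
    """HMAC-SHA256 over the canonical bytes; an assumed stand-in for an OpenPGP signature."""
    return hmac.new(key, canonical_bytes(doc), hashlib.sha256).hexdigest()


def verify(doc, sig, key=SIGNING_KEY):
    """True only if the document is byte-for-byte what the producer signed."""
    return hmac.compare_digest(sign(doc, key), sig)


def highest_tlp(doc):
    """Most restrictive colour present anywhere in the bundle."""
    return max(doc["objects"], key=lambda o: TLP_ORDER[o["tlp"]])["tlp"]


def header_hint(doc):
    """Hypothetical transport-level hint (assumed header name) summarising the payload's
    most restrictive marking, so a server can decide without parsing the content."""
    return {"X-TLP-Highest": highest_tlp(doc)}


def filter_for_consumer(doc, clearance):
    """Return (filtered_doc, dangling_refs) for a consumer cleared up to `clearance`.

    dangling_refs lists (visible_object_id, withheld_target_id) pairs: references that
    survive filtering but point at objects the consumer is not allowed to receive."""
    allowed = {o["id"] for o in doc["objects"]
               if TLP_ORDER[o["tlp"]] <= TLP_ORDER[clearance]}
    visible = [o for o in doc["objects"] if o["id"] in allowed]
    dangling = sorted((o["id"], r) for o in visible for r in o["refs"] if r not in allowed)
    return {**doc, "objects": visible}, dangling


def delivery_decision(doc, clearance):
    """'full' if everything is releasable, 'partial' if some objects must be dropped,
    'withhold' if nothing in the bundle is releasable to this consumer."""
    filtered, _ = filter_for_consumer(doc, clearance)
    if len(filtered["objects"]) == len(doc["objects"]):
        return "full"
    return "partial" if filtered["objects"] else "withhold"


if __name__ == "__main__":
    sig = sign(SAMPLE_BUNDLE)
    print("hint header:", header_hint(SAMPLE_BUNDLE))
    for clearance in ("white", "green", "red"):
        filtered, dangling = filter_for_consumer(SAMPLE_BUNDLE, clearance)
        print(clearance, delivery_decision(SAMPLE_BUNDLE, clearance),
              [o["id"] for o in filtered["objects"]],
              "dangling:", dangling,
              "original signature still verifies:", verify(filtered, sig))
```

Run as a script, the `green` consumer receives three of the four objects, `indicator--0001` is left with a reference to the withheld `observable--0001` (the incomplete-document case), and the producer's signature no longer verifies over the trimmed bundle, while the `red` consumer gets the full, verifiable document. The header hint lets a relay route or refuse a payload containing Red content before it parses any of it.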





