OASIS Mailing List Archives

cti-stix message



Subject: STIX 2.0 Proposal1 : Extend core constructs from a single base class (#148)


First, I like a lot of the ideas and concepts discussed in Proposal 1.  A few comments and questions....

1) Regarding the open question of whether time stamps should be required, I guess that depends on what the time stamp is telling us at this level. I believe, at this high level, it is telling us the time at which the object was created / processed, and if that is truly the case, then I believe it should be required.

2) Based on the JSON style guide that the CybOX group has started working on, which was donated by EclecticIQ, I would say that timestamps should be flat, not nested. Now I understand why it may have been marked up the way you have it, based on the desire to accommodate the timestamp.precision field, but I believe this would be best done differently. Namely, from your example 1 you have:

{
    "id": "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
    "type": "malware-instance",
    "timestamp": { "value" : "2015-12-21T19:59:11.000000+00:00"},
    "title": "Sakurel Malware"
}

I would suggest that be (changes in red):

{
    "id": "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
    "type": "malware-instance",
    "timestamp": "2015-12-21T19:59:11.000000+00:00",
    "timestamp_precision": "second",
    "title": "Sakurel Malware"
}

This is easier to process, skip, or apply default values to.  Further, having a nested object just for 2 options, when one of them will most likely never be present, is a bit messy.


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 
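
Added example, not part of the original message or of any STIX tooling: a Python reader that accepts both timestamp layouts quoted in the message, showing the extra shape check the nested form needs and the in-place default the flat form allows. The default precision, the precision vocabulary, the required UTC offset and the name `read_timestamp` are assumptions made for illustration.

```python
from datetime import datetime

# Assumption: a missing precision means "second" (the message names no default).
DEFAULT_PRECISION = "second"
# Assumption: illustrative vocabulary; only "second" appears in the message.
PRECISIONS = {"year", "month", "day", "hour", "minute", "second"}

# Constructed samples mirroring the two layouts quoted in the message.
NESTED = {"id": "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
          "type": "malware-instance",
          "timestamp": {"value": "2015-12-21T19:59:11.000000+00:00"},
          "title": "Sakurel Malware"}
FLAT = {"id": "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
        "type": "malware-instance",
        "timestamp": "2015-12-21T19:59:11.000000+00:00",
        "timestamp_precision": "second",
        "title": "Sakurel Malware"}


def read_timestamp(obj):
    """Return (datetime, precision) for either layout, or raise ValueError."""
    ts = obj.get("timestamp")
    if isinstance(ts, dict):
        # Nested layout: the consumer must descend and check the inner shape.
        raw = ts.get("value")
        precision = ts.get("precision", DEFAULT_PRECISION)
    else:
        # Flat layout: two sibling keys, the optional one defaulted in place.
        raw = ts
        precision = obj.get("timestamp_precision", DEFAULT_PRECISION)
    if not isinstance(raw, str):
        raise ValueError("timestamp missing or not a string")
    if not isinstance(precision, str) or precision not in PRECISIONS:
        raise ValueError(f"unknown precision: {precision!r}")
    parsed = datetime.fromisoformat(raw)  # raises ValueError on malformed input
    # Assumption: require an explicit offset, as both samples carry one.
    if parsed.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset")
    return parsed, precision
```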
