What about:
[object type]::[UUID]::[ID Domain Authority OR URL] and this last part could be optional. This would solve everyone's concern?
Anon Use Case 1: Intel Group Foo shares an Indicator "indicator::UUID" with ISAO Bar. When Bar sends you a relationship object they can tack on their ID Domain to the end, so that people know they MIGHT be able to go back to ISAO Bar and get more information.
Thanks,
Bret Bret Jordan CISSPDirector of Security Architecture and Standards | Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
The problem with burying the URL inside the object is it does not really support many of the use cases being discussed.
The point is that the ID for the content can be used in an unambiguous resolvable way without having to parse into the object which for many use cases (e.g. A relationship without both end objects) you won’t have that object to parse into.
I agree with a fixed format codified into the spec.
My opinion is that the fixed format should be [ID authority domain name]/[object type]/[UUID] in such a way to support URI/URL use.
sean
I would really prefer the ID be a fixed format codified in the spec, and any URL be moved to an optional "external_reference" property. Or utilize the "external_ID" property discussed previously.
Or, Brett's #2 suggestion and just have a relationship to a "collection" object.
-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
<graycol.gif>"Jordan,
Bret" ---01/21/2016 02:32:18 PM---So the real question is, do we want to use a URI/URL or a [namespace]:[object-type]:[UUID]? What if
From: "Jordan, Bret" <bret.jordan@bluecoat.com>
To: Paul Patrick <ppatrick@isightpartners.com>
Cc: "Barnum, Sean D." <sbarnum@mitre.org>, "Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org"
<cti-stix@lists.oasis-open.org>
Date: 01/21/2016 02:32 PM
Subject: Re: [cti-stix] Object ID format
Sent by: <cti-stix@lists.oasis-open.org>
So the real question is, do we want to use a URI/URL or a [namespace]:[object-type]:[UUID]? What if we did both? Like maybe this:
All discreet objects in CTI MUST include an ID that defined as an object-type plus a version 4 UUID, example "indicator:104abc69-509e-4bf9-b64c-81255292c433". You MAY also include an optional URL at the end of the ID if you want to map this object
back to an actual resource found on a TAXII server, example "indicator:104abc69-509e-4bf9-b64c-81255292c433:https://taxii.somecompany.com/taxii2/collections/neat-indicators/id/104abc69-509e-4bf9-b64c-81255292c433"
OR even better.. We pull this ID UUID stuff in to TAXII land and make sure that objects can be found by their ID. Then you do not need to include a full URL, but just collection location, example "https://taxii.somecompany.com/taxii2/collections/neat-indicators/"
Thanks,
Bret
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
On Jan 21, 2016, at 09:16, Paul Patrick <ppatrick@isightpartners.com> wrote:
I’m supportive of standardizing Object ID format to be based on the form [producer-namespace]:[object-type]:[UUID], especially if that doesn’t prevent the use of URI.
I think Terry correct captured many of the concerns that I had with the F2F proposed solution and I definitely in agreement with John A. about the value of being able to use URLs.
Paul Patrick
iSIGHT Partners
[attachment "signature.asc" deleted by Jason Keirstead/CanEast/IBM]
<graycol.gif>
|