Hi Eric – with respect, there are many things that vendors will do with this standard that are legitimately private and will not be shared with the broader industry. In those cases, there
will be no desire or need to have a single registry for those vendor extensions.
There are also many use cases that will leverage STIX 2.0 *without* requiring a registry of vendor specific attributes.
I think your suggestion on providing a registry is something the TC should consider as a separate item than the STIX2.0 specification and schema being defined right now.
"firstname.lastname@example.org" <email@example.com>, Eric Burger <firstname.lastname@example.org> on behalf of Eric Burger <Eric.Burger@georgetown.edu>
Date: Friday, May 13, 2016 at 12:20 PM
To: "email@example.com" <firstname.lastname@example.org>
Subject: Re: [cti-stix] Custom properties
Also, the comment on the ballot that STIX is fluid and as such does not need a registry is tantamount to saying to the industry and developers, “PLEASE do not implement STIX. We have no idea what it is or what it will be, so you might as
well go home now, wait a year or two, and look again when things get stable."
The historic reason for X- is it used to take IANA months to register a protocol parameter. The more recent (early 2000’s) reason for X- is the IETF in its infinite wisdom required an Act of G-d to register something. The IETF has learned
from its mistakes and allows for first-come, first-served parameter registration. See RFC 6648.
Stand up either a Wiki, GitHub repository, or, believe it or not, just ask IANA nicely for a FCFS registry, and we can have one.
I would humorously offer we say, “Custom properties SHOULD NOT start with X-, unless those characters are meaningful, as in ‘X-Reference’ for Cross Reference or ‘X-factor’ for an unknown factor."
That RFC is pretty clear. "X-" is so 1990s.
Why can't we have a registry? It could be as simple as a shared GitHub repository, which would have the advantage of version control. "Official" properties would probably be voted
in, but it's easy enough to show the status of a property. Also, rather than spamming the list, someone could submit a Pull Request, which is much more developer-friendly and traceable.
- Should we proceed as is and have a ballot on the current approach?
- Should we just remove the SHOULD statement that recommends the x_ prefix?
- Should we take things back to the drawing board and talk about running a property registry as indicated by RFC 6648?
My opinion: at this point in our lifecycle as a community, we probably aren’t ready for a registry. We can use the informal process we talked about on the working call, where people
can e-mail the cti-users list if there’s a property they want to make heavy use of. When we release a new version, if we want to move that to a standard we can have non-normative text deprecating the previous custom property and indicating that the new standards-based
property should be used. I could go either way on keeping the SHOULD requirement for the x_ prefix, but given we’ve had strong agreement to keep it over previous calls
I’m feeling like we should keep it as is.
Given that, I would like to proceed with the ballot either today or later tomorrow. Just wanted to call out this important topic though.