| I disagree with requiring a consumer to store and process things that it can not understand or things that it does not know about.. That would be a near impossible order.
A standard for sharing is NOT a standard for processing. To oft we mix specification, implementation, deployment, and process in to the same discussion.
The best place for these sorts of things to be done is in your out-of-band legal frameworks that you setup between sharing groups. You know, the things that say you will honor and respect data markings and you will not reuse or sale the data someone sends you.
Thanks,
Bret Bret Jordan CISSPDirector of Security Architecture and Standards | Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
The rfc states in appendix b that : When it is extremely unlikely that some parameters will ever be standardized. In this case, implementation-specific and private- use parameters could at least incorporate the organization's name (e.g., "ExampleInc-foo" or, consistent with [RFC4288], "VND.ExampleInc.foo") or primary domain name (e.g., "com.example.foo" or a Uniform Resource Identifier [RFC3986] such as "http://example.com/foo"). In my mind I would accept replacing the x_ should with a must, and saying that the custom properties must contain the domain name of the organisation that invented it. I also would like it defined that an unknown field within an object means that the unknown fields are ignored, but as much of the object data that is known is processed. At the moment it appears to be up to the implementer to decide what to do. We should mandate one way.. And my vote is that only the unknown field are ignored during processing, but are not discarded. My reasoning is that of you are a recipient of an object with an unknown field you want to extract as much information out of it that you understand as possible, and if you don't understand a little bit of it then that should be ok. The problem with this stance is that the implementers need to ensure that the whole object is retained to keep the validity of the object (especially with future cryptographic validation of authenticity) even though they may not understand some of the data they are storing. In my mind this is still OK, because of someone is acting as a community hub, you want the data to pass through them undisturbed. Cheers
Terry MacDonald
On 14/05/2016 05:39, "Allan Thomson" < athomson@lookingglasscyber.com> wrote:
Hi Eric – with respect, there are many things that vendors will do with this standard that are legitimately private and will not be shared with the broader industry. In those cases, there
will be no desire or need to have a single registry for those vendor extensions. There are also many use cases that will leverage STIX 2.0 *without* requiring a registry of vendor specific attributes. I think your suggestion on providing a registry is something the TC should consider as a separate item than the STIX2.0 specification and schema being defined right now. Regards Allan
Also, the comment on the ballot that STIX is fluid and as such does not need a registry is tantamount to saying to the industry and developers, “PLEASE do not implement STIX. We have no idea what it is or what it will be, so you might as
well go home now, wait a year or two, and look again when things get stable."
The historic reason for X- is it used to take IANA months to register a protocol parameter. The more recent (early 2000’s) reason for X- is the IETF in its infinite wisdom required an Act of G-d to register something. The IETF has learned
from its mistakes and allows for first-come, first-served parameter registration. See RFC 6648.
Stand up either a Wiki, GitHub repository, or, believe it or not, just ask IANA nicely for a FCFS registry, and we can have one.
I would humorously offer we say, “Custom properties SHOULD NOT start with X-, unless those characters are meaningful, as in ‘X-Reference’ for Cross Reference or ‘X-factor’ for an unknown factor."
That RFC is pretty clear. "X-" is so 1990s.
Why can't we have a registry? It could be as simple as a shared GitHub repository, which would have the advantage of version control. "Official" properties would probably be voted
in, but it's easy enough to show the status of a property. Also, rather than spamming the list, someone could submit a Pull Request, which is much more developer-friendly and traceable.
JSA
- Should we proceed as is and have a ballot on the current approach?
- Should we just remove the SHOULD statement that recommends the x_ prefix?
- Should we take things back to the drawing board and talk about running a property registry as indicated by RFC 6648?
My opinion: at this point in our lifecycle as a community, we probably aren’t ready for a registry. We can use the informal process we talked about on the working call, where people
can e-mail the cti-users list if there’s a property they want to make heavy use of. When we release a new version, if we want to move that to a standard we can have non-normative text deprecating the previous custom property and indicating that the new standards-based
property should be used. I could go either way on keeping the SHOULD requirement for the x_ prefix, but given we’ve had strong agreement to keep it over previous calls
I’m feeling like we should keep it as is.
Given that, I would like to proceed with the ballot either today or later tomorrow. Just wanted to call out this important topic though.
|