OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti-stix message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [cti-stix] Custom properties

On May 14, 2016, at 9:55 PM, Jordan, Bret <bret.jordan@bluecoat.com> wrote:

I disagree with requiring a consumer to store and process things that it can not understand or things that it does not know about..  That would be a near impossible order.  

Agreed. Unless OASIS or someone else wants to setup a STIX Police, with fines and punishments, dictating what a consumer must or must not do makes Don Quixote look like a rational actor.

A standard for sharing is NOT a standard for processing.  To oft we mix specification, implementation, deployment, and process in to the same discussion.  

Precisely! We can be helpful and give implementors hints, but we are not Apple, which does have the Implementation Police.

The best place for these sorts of things to be done is in your out-of-band legal frameworks that you setup between sharing groups.  You know, the things that say you will honor and respect data markings and you will not reuse or sale the data someone sends you.  


As far as Terry’s sentiment:

In my mind I would accept replacing the x_ should with a must, and saying that the custom properties must contain the domain name of the organisation that invented it.

In a lighter mood:
Since companies come and go, this is a fantastic way of memorializing history. Would it not be neat for students of application history to be asked if they could trace the lineage of com.lotus.123.spreadsheet.attribute.foo, why it refers to com.rational.123.spreadsheet.atribute.bar, and why they show up in Microsoft Excel and nowhere else yet both are specified by IBM? If history is the goal, go for it. Also note this mechanism is not foolproof for historical purposes: com.whitehouse today is a very different beast than ten years ago.



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On May 14, 2016, at 17:39, Terry MacDonald <terry.macdonald@cosive.com> wrote:

The rfc states in appendix b that :

When it is extremely unlikely that some parameters will ever be standardized. In this case, implementation-specific and private- use parameters could at least incorporate the organization's name (e.g., "ExampleInc-foo" or, consistent with [RFC4288], "VND.ExampleInc.foo") or primary domain name (e.g., "com.example.foo" or a Uniform Resource Identifier [RFC3986] such as "http://example.com/foo").

In my mind I would accept replacing the x_ should with a must, and saying that the custom properties must contain the domain name of the organisation that invented it.

I also would like it defined that an unknown field within an object means that the unknown fields are ignored, but as much of the object data that is known is processed. At the moment it appears to be up to the implementer to decide what to do. We should mandate one way.. And my vote is that only the unknown field are ignored during processing, but are not discarded. My reasoning is that of you are a recipient of an object with an unknown field you want to extract as much information out of it that you understand as possible, and if you don't understand a little bit of it then that should be ok.

The problem with this stance is that the implementers need to ensure that the whole object is retained to keep the validity of the object (especially with future cryptographic validation of authenticity) even though they may not understand some of the data they are storing. In my mind this is still OK, because of someone is acting as a community hub, you want the data to pass through them undisturbed.

Terry MacDonald

On 14/05/2016 05:39, "Allan Thomson" <athomson@lookingglasscyber.com> wrote:

Hi Eric – with respect, there are many things that vendors will do with this standard that are legitimately private and will not be shared with the broader industry. In those cases, there will be no desire or need to have a single registry for those vendor extensions.


There are also many use cases that will leverage STIX 2.0 *without* requiring a registry of vendor specific attributes.


I think your suggestion on providing a registry is something the TC should consider as a separate item than the STIX2.0 specification and schema being defined right now.






From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, Eric Burger <ewb25@georgetown.edu> on behalf of Eric Burger <Eric.Burger@georgetown.edu>
Date: Friday, May 13, 2016 at 12:20 PM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Custom properties


Also, the comment on the ballot that STIX is fluid and as such does not need a registry is tantamount to saying to the industry and developers, “PLEASE do not implement STIX. We have no idea what it is or what it will be, so you might as well go home now, wait a year or two, and look again when things get stable."


On May 13, 2016, at 3:17 PM, Eric Burger <Eric.Burger@georgetown.edu> wrote:


The historic reason for X- is it used to take IANA months to register a protocol parameter. The more recent (early 2000’s) reason for X- is the IETF in its infinite wisdom required an Act of G-d to register something. The IETF has learned from its mistakes and allows for first-come, first-served parameter registration. See RFC 6648.


We have neither problem.


Stand up either a Wiki, GitHub repository, or, believe it or not, just ask IANA nicely for a FCFS registry, and we can have one.


I would humorously offer we say, “Custom properties SHOULD NOT start with X-, unless those characters are meaningful, as in ‘X-Reference’ for Cross Reference or ‘X-factor’ for an unknown factor."


On May 12, 2016, at 1:11 PM, John Anderson <janderson@soltra.com> wrote:


That RFC is pretty clear. "X-" is so 1990s.


Why can't we have a registry? It could be as simple as a shared GitHub repository, which would have the advantage of version control. "Official" properties would probably be voted in, but it's easy enough to show the status of a property. Also, rather than spamming the list, someone could submit a Pull Request, which is much more developer-friendly and traceable.


</end 2cents>


From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Wunder, John A. <jwunder@mitre.org>
Sent: Thursday, May 12, 2016 12:37 PM
To: cti-stix@lists.oasis-open.org
Subject: [cti-stix] Custom properties


Hey everyone,


As you know, custom properties is currently moving the approval process (text: https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.8072zpptza86). We’ve had a couple objections, from Mark Davidson and Eric Burger, to the use of the x_ prefix. Mark pointed us to https://tools.ietf.org/html/rfc6648


My questions are:


- Should we proceed as is and have a ballot on the current approach?

- Should we just remove the SHOULD statement that recommends the x_ prefix?

- Should we take things back to the drawing board and talk about running a property registry as indicated by RFC 6648?


My opinion: at this point in our lifecycle as a community, we probably aren’t ready for a registry. We can use the informal process we talked about on the working call, where people can e-mail the cti-users list if there’s a property they want to make heavy use of. When we release a new version, if we want to move that to a standard we can have non-normative text deprecating the previous custom property and indicating that the new standards-based property should be used. I could go either way on keeping the SHOULD requirement for the x_ prefix, but given we’ve had strong agreement to keep it over previous calls I’m feeling like we should keep it as is.


Given that, I would like to proceed with the ballot either today or later tomorrow. Just wanted to call out this important topic though.





Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]