Subject: Re: [cti-stix] Unicode, strings, and STIX


Yes. I believe it forces implementers to implement different levels of restriction and different ways to control it, and that non-standardisation will open up exploitation vectors which will come and bite us in the a%& in the future.

I would like a vote.

Cheers
Terry MacDonald

On 8/06/2016 3:03 AM, "Wunder, John A." <jwunder@mitre.org> wrote:

We had some more discussion of this on the working call (very brief, at the very end) and the conversation seems to have shifted back to just removing all of the normative statements regarding length.

 

So, at this point, let’s do this:

1. Are there any objections to removing all of the normative statements regarding string field lengths from the specification? Please respond to this e-mail on the list if you object.

2. Assuming we hear objections, let’s open a ballot on the topic. I’ll work with JMG and others to get the ballot text and make the motion to open it.

 

John

 

From: <cti-stix@lists.oasis-open.org> on behalf of "Jordan, Bret" <bret.jordan@bluecoat.com>
Date: Friday, June 3, 2016 at 2:33 PM
To: Mark Davidson <mdavidson@soltra.com>
Cc: Jason Keirstead <Jason.Keirstead@ca.ibm.com>, John-Mark Gurney <jmg@newcontext.com>, "Eric.Burger@georgetown.edu" <Eric.Burger@georgetown.edu>, Terry MacDonald <terry.macdonald@cosive.com>, Rich Piazza <rpiazza@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Unicode, strings, and STIX

 

Based on a conversation we have had on slack, I would propose some text like this:


Title fields SHOULD be between 1-256 characters.  Title fields MAY be longer than 256 characters.  For non-English languages you SHOULD measure characters as code-points.


Thanks,

 

Bret

 

 

 

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

 

On Jun 3, 2016, at 08:57, Mark Davidson <mdavidson@soltra.com> wrote:

 

If we have no limits and a Soltra Edge user creates a 100GB title and $compatible-product falls over – how does that get resolved? If I was being snotty I would say “well, $compatible-product isn’t fully standards compliant”, even though I think that would be against the spirit of the spec.

 

I do think we should specify limits somehow. Either through a required minimum, a recommended maximum, or something. IMO, the purpose is to give implementers _something_ to work with without having to make wild guesses about what will be available in the ecosystem. The ability to specify the maximum (e.g., code points, graphemes, and other things I don’t understand well) is IMO a separate conversation.

 

I think step #1 is whether we as a group think specifying limits (one way or another) makes sense. I would in general say yes, and the arguments to the contrary haven’t swayed me. However, if we don’t want limits, we should just have a piece of informative text stating that there are no limits and why we chose that.

 

Thank you.

-Mark

 

From: <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Friday, June 3, 2016 at 8:00 AM
To: "Jordan, Bret" <bret.jordan@bluecoat.com>
Cc: John-Mark Gurney <jmg@newcontext.com>, "Eric.Burger@georgetown.edu" <Eric.Burger@georgetown.edu>, Terry MacDonald <terry.macdonald@cosive.com>, Rich Piazza <rpiazza@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Unicode, strings, and STIX

 

My question is - what are you supposed to do with that information?

- You can't take that limit and turn it into a byte limit for buffer purposes - it is not possible. You can't even guess because it depends both on the character encoding as well as the language. Since the character encoding is not part of STIX but part of the serialization binding, trying to figure out the number of bytes a given number of code points will consume is a bit of a fool's errand.

- You also can't take that limit and use it in your GUI in any way, because you can't enforce length limits of input fields based on code points - you have to do it based on graphemes/glyphs.

So.. what are people planning to use this limit for?

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown 
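To make the distinction Jason draws (code points versus bytes versus graphemes/glyphs) and Bret's proposal to measure title length in code points concrete, here is an added Python example that is not part of the thread or of any STIX implementation. It measures a few constructed sample titles under each of those units and shows a consumer-side guard of the kind Mark's "100GB title" scenario calls for: because UTF-8 never uses more than 4 bytes per code point, a consumer that knows the serialization is UTF-8 can refuse input that cannot possibly fit the code-point limit before decoding it. The grapheme counter uses simplified rules (combining marks, variation selectors, skin-tone modifiers, ZWJ sequences and regional-indicator pairs), not a full UAX #29 implementation; the function names, the 256 default and the sample strings are my assumptions.

```python
import unicodedata

# Constructed sample titles (not from the thread): the same field content has
# very different sizes depending on what you count.
SAMPLE_TITLES = {
    "ascii": "Malware report",
    "combining": "e\u0301",                                       # e + U+0301 combining acute
    "zwj_family": "\U0001F468\u200d\U0001F469\u200d\U0001F467",  # 3 emoji joined by 2 ZWJ
    "flag": "\U0001F1EB\U0001F1F7",                               # two regional indicators
}

ZWJ = "\u200d"


def _is_extender(ch: str) -> bool:
    """Code points that attach to the preceding cluster instead of starting a
    new one. Simplified rule set, not full UAX #29 (assumption of this example)."""
    if unicodedata.combining(ch) or unicodedata.category(ch) in ("Mn", "Mc", "Me"):
        return True
    if "\ufe00" <= ch <= "\ufe0f":            # variation selectors
        return True
    if "\U0001F3FB" <= ch <= "\U0001F3FF":    # emoji skin-tone modifiers
        return True
    return False


def _is_regional_indicator(ch: str) -> bool:
    return "\U0001F1E6" <= ch <= "\U0001F1FF"


def count_graphemes(s: str) -> int:
    """Approximate user-perceived character (grapheme cluster) count."""
    count = 0
    join_next = False   # previous code point was a ZWJ, so the next one joins
    open_ri = False     # an unpaired regional indicator is waiting for its partner
    for ch in s:
        if ch == ZWJ:
            join_next = True
            continue
        if join_next:
            join_next = False
            continue
        if _is_extender(ch):
            continue
        if _is_regional_indicator(ch):
            if open_ri:
                open_ri = False     # second indicator completes the flag
                continue
            open_ri = True
        else:
            open_ri = False
        count += 1
    return count


def measure(s: str) -> dict:
    """One string under the four measures discussed in the thread."""
    return {
        "code_points": len(s),                      # Python str length is code points
        "utf8_bytes": len(s.encode("utf-8")),
        "utf16_bytes": len(s.encode("utf-16-le")),  # -le avoids a byte-order mark
        "graphemes": count_graphemes(s),
    }


def title_within_limit(s: str, max_code_points: int = 256) -> bool:
    """Producer-side check for the proposed 'SHOULD be 1-256 code points' text."""
    return 1 <= len(s) <= max_code_points


MAX_UTF8_BYTES_PER_CODE_POINT = 4   # fixed by the UTF-8 encoding


def utf8_byte_budget(max_code_points: int) -> int:
    """Worst-case size a code-point limit can occupy once serialized as UTF-8."""
    return max_code_points * MAX_UTF8_BYTES_PER_CODE_POINT


def accept_raw_title(raw: bytes, max_code_points: int = 256) -> bool:
    """Consumer-side guard: refuse before decoding if the bytes cannot fit the
    code-point limit, then check the decoded length. Hypothetical helper."""
    if len(raw) > utf8_byte_budget(max_code_points):
        return False
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return title_within_limit(text, max_code_points)


if __name__ == "__main__":
    for name, title in SAMPLE_TITLES.items():
        print(f"{name:12} {measure(title)}")
```

Running it shows why a GUI cannot enforce a code-point limit as a visible-character limit (the family emoji is five code points but one glyph, the accented letter two code points but one grapheme) and why the byte cost differs between UTF-8 and UTF-16 for the same string; the byte budget only bounds the worst case, it does not predict the actual size.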


"Jordan, Bret" ---06/02/2016 08:35:22 PM---To me it just feels wrong or dirty to not have some sort of guidance or some sort of upper limit. I

From: "Jordan, Bret" <bret.jordan@bluecoat.com>
To: John-Mark Gurney <jmg@newcontext.com>, "Eric.Burger@georgetown.edu" <Eric.Burger@georgetown.edu>
Cc: Jason Keirstead/CanEast/IBM@IBMCA, Terry MacDonald <terry.macdonald@cosive.com>, Rich Piazza <rpiazza@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 06/02/2016 08:35 PM
Subject: Re: [cti-stix] Unicode, strings, and STIX
Sent by: <cti-stix@lists.oasis-open.org>





To me it just feels wrong or dirty to not have some sort of guidance or some sort of upper limit. I am not saying the lengths have to be really short.... We could say a title can have up to 256 code points or 512 code points, but the fact is, we should define something, I think...

I have asked Eric, our resident academic to chime in, and he will give us some guidance hopefully tomorrow. 


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

[attachment "signature.asc" deleted by Jason Keirstead/CanEast/IBM] 



 


