[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-stix] Object Level Markings
|
To explain a bit more, doing markings by reference was something that was requested by some US government folks who wanted to avoid representing duplicative markings over and over again.
While things like TLP are very short and can easily be duplicated over and over, other marking statements (copyrights, government markings, and likely whatever the FIRST SIG creates) will be larger and more complicated and so being able to reference those
from 1000 indicators rather than duplicate them seems to make sense. As Bret said, we added normative text to make sure we covered this case. As for precedence, it’s a bit of a hard topic. In some cases (TLP) you really only have one marking that can apply…it doesn’t make sense for an object to have both TLP:GREEN and TLP:RED.
In other cases, like terms of use, you have several that apply. In other cases, like more complicated structured markings, it’s possible for multiple to apply and override parts of the other. We didn’t want to address this in STIX so simply defined what it
meant for markings to have precedence and will let the marking definitions themselves figure out what that means. Note that, as you said, it’s definitely true that markings of different types will not override each other. This is why we said that precedence
rules only apply to markings of the same type. When first designing data markings in 1.x and discussing them for 2.0 we had very good participation from people in government who mark things every day and that led us to the reference
approach (among other things). We did discuss other approaches, in particular NIEM…I also did a quick search and it looks like you actually brought up XEP-0258 at the time. You can review here:
https://lists.oasis-open.org/archives/cti-users/201511/msg00002.html. The conversation was a bit different than applying markings, it was about the markings that get applied
themselves, and I think is what led to our following the FIRST SIG on Information Sharing. Anyway, how would you like me to treat this comment? Should I assume it’s an objection to the motion for unanimous consent that I made on Friday? If so, as a community we need to decide
whether we want to open a data markings discussion or just hold a ballot to accept what we have. John From:
<cti-stix@lists.oasis-open.org> on behalf of "Jordan, Bret" <bret.jordan@bluecoat.com> Dave, Great comments and questions..... Let me try and fill in some of the gaps.... Yes, in STIX 2.0 we will have two types of relationships.... And as a general rule most everything will
use a relationship in STIX 2.0. Nested content in STIX 1.x proved to be a bad design in the wild. 1) Embedded references (like created_by_ref and object_markings_ref). These references are "facts" that will be known to the TLO. However, like you said, a consumer may not have the
reference yet, or may not have access to the referenced object. For data markings we say, that if you do not have the object_markings_ref object, and you can not get it via another TAXII call, than you MUST stop processing the TLO. In the real-world, you
will have out-of-band gates that prevent you from ever sharing threat intelligence with someone that does not have access to the same the data-markings that you have access to. 2) Relationship Objects. These relationships are used for assertions or opinions about things. So if you link an Observation to a Campaign, or an Incident to an IntrusionSet, you would
use one of these external relationships to link it together. This will allow you, in the future, to place a confidence score on your assertion that these two things are related. It will also allow in the future for others to potentially down-vote your assertions.
Bret From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on
behalf of Dave Cridland <dave.cridland@surevine.com> Hi folks, I'm a newcomer to this TC (and indeed OASIS), so you'll have to forgive me if I'm missing something, or retracing your steps, or going about things to wrong way. The current section 6.5 appears to discuss aspects of object level markings, and suggests these might cover both legal permissioning (such as Copyright), and MAC systems (such as security
labelling). Mixing the two is interesting - I hadn't considered this but it makes sense. Also, the system operates by reference. This is going to be very difficult to manage, and is traditionally avoided in most cases. This is especially true if the referenced label data
for the marking is not present within the same transmission, since automated tooling for MAC will become extremely complex (and complexity begets unhappy accreditors). Has the group considered prior art in this space? I'm thinking particularly of XMPP's XEP-0258, but others may also apply. I'm particularly keen to ensure that multipolicy systems will
work effectively, since I see that as being very likely in the CTI world shortly. As for multiple orthogonal rules - I don't understand where precedence comes into this. Taking Copyright as an example, if one derives a work from an existing work, the copyright changes,
and the license may also change - I don't see the benefit in including a list of previous copyright notices, and then having the systems decide which one applies. I would expect that every marking present would need to be adhered to (some might not be practical to adhere to programmatically, of course). But you can't share something, say, UK SECRET,
no matter what the copyright notice says - and vice-versa, an unclassified document cannot be shared if the copyright license is not available. Happy to discuss this further, or or out of any particuar call. Dave. |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]