Subject: Re: [cti-stix] Sighting + Observation in STIX
Thanks for doing these John....

Originally I thought that Option 1 would be a good solution, this was back at the F2F in DC... But over the past month or so, I have really been questioning that design. Something just felt "wrong" about it.. So I started leaning to Option 2 as a compromise between them, because I still could not figure out what was "wrong" with the design.

This weekend, as you all know, I cleaned up all of the relationship tables (verified with John that we had all known relationships listed), reworded all of the descriptions, and then built visual diagrams to help us see more clearly what it was we are building. Then it hit me, the thing that has been festering just out of reach...

We have broken one of our main design principles, that is "one-way" of doing this with Observations and Sightings... We have created a solution that allows you to "sight" something by either linking an Observation with something else via an external relationship of "evidence-of" or "sighting" something via the Sighting object that links an Observation with something else. Two ways to do the same thing.

I am now of the opinion that we should remove all of the "evidence-of" external relationships from the Observation object and just use the Sighting object to "sight" things. This will guarantee that we have one semantic way of doing it.

Now, once we do this, it really does not make sense to have the "count" field on the Observation.... It really does not fit there anymore. So the only logical place for it would be the Sighting object.

So in summary I would propose:

1) We remove all external relationships FROM the Observation object with a type of "evidence-of"
2) We move the Count field from Observation to Sighting

This should fix the problems we have all been seeing and talking around, but have not fully put our finger on.

Thanks,
Bret

Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."