I think an appendix or separate document on best practices based on specific product categories and/or workflows would be very valuable to ensuring that the standard is adopted well in
the industry.
I have a slight preference for a separate document as this could be the basis for an industry interop efforts that take place as well.
allan
From:
Terry MacDonald <terry.macdonald@cosive.com>
Date: Friday, August 12, 2016 at 12:52 PM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: Allan Thomson <athomson@lookingglasscyber.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "Wunder, John" <jwunder@mitre.org>, "Piazza, Rich" <rpiazza@mitre.org>, John-Mark Gurney <jmg@newcontext.com>, "Back, Greg" <gback@mitre.org>
Subject: Re: [cti-stix] RE: STIX 2.0 Specification Questions
I still think we could help with some guidance. It might not be right to go in the standard as a normative statement, but maybe we need a non normative 'guidance for implementers' doc that this sort of recommendations go into?
Cheers
Terry MacDonald
Cosive
On 13/08/2016 02:04, "Jason Keirstead" <Jason.Keirstead@ca.ibm.com> wrote:
For the record - I agree with Allan on this. We should not be attempting to define when someone should version an object. This is up to the tool implementer / producer of the intel and is highly context-specific (we will never get it right).
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
Allan Thomson ---08/11/2016 07:21:03 PM---Hi John-Mark – I agree - but it’s a product/deployment question when something is considered ‘signif
From: Allan Thomson <athomson@lookingglasscyber.com>
To: John-Mark Gurney <jmg@newcontext.com>
Cc: "Piazza, Rich" <rpiazza@mitre.org>, "Back, Greg" <gback@mitre.org>, "Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 08/11/2016 07:21 PM
Subject: Re: [cti-stix] RE: STIX 2.0 Specification Questions
Sent by: <cti-stix@lists.oasis-open.org>
Hi John-Mark – I agree - but it’s a product/deployment question when something is considered ‘significantly changed’ and hence its not a STIX issue.
On 8/11/16, 3:16 PM, "John-Mark Gurney" <jmg@newcontext.com> wrote:
Allan Thomson wrote this message on Thu, Aug 11, 2016 at 14:07 +0000:
> Here’s some examples to think about.
>
> Example #1: Relationship versioning or not.
>
> If I create a relationship R.v1 between 2 objects and the relationship was created a week ago between object A.v1 and object B.v1.
>
> Today I change B to B.v2.
>
> The relationship was created a time when it was between A.v1 -> B.v1. Not B.v2.
>
> There may be legitimate reasons why I don’t want that relationship to automatically resolve to B.v2. But it’s a product question not a STIX exchange question.
>
> Therefore, it’s the product implementer’s choice whether a relationship tracks the latest versions of the ID or not.
IMO, if B.v2 changed significantly enough that the relationship does not apply, then
B.v2 should be a new object C, and not a new version.
--
John-Mark