Hi Brian, and welcome to the CTI!
A lot of this has to do with some architectural decisions made for TAXII2. There was a long discussion about a year and a half ago about making TAXII a distributed messaging bus type model, rather than a point-to-point model as it was. Various different technologies were discussed, including binary protocols such as protobuf2, and other specific messaging queue/bus protocols such as AMQP. The community agreed at that time that an HTTPS-based system was easier for people to comprehend and would be more likely to traverse web proxy servers.
TAXII 2 will be able to 'broadcast' threat intel messages out to recipients in a community. At present this is done from within one single server, but with some enhancements we could make this community broadcast be shared across multiple TAXII servers.
This then opens up asking broadcast questions of the community and getting broadcast answers in return.
If we wish to restrict these answers and add the ability for private responses then there are two ways I can see this working:
1. When STIX objects support being encrypted, and Identity objects contain public keys, we could encrypt the answers so that when they are distributed to the community only the recipients with the right private keys can open them (but everyone still gets an encrypted copy)
2. We leverage the TAXII DNS service record and allow the answering TAXII server to directly contact the TAXII server that asked the STIX question. Or we add a field into the STIX question that points to the TAXII server address that asked the STIX question. In either case the answering TAXII server needs the ability to locate the TAXII server that asked the question and be able to provide it with an answer.
Cheers
Terry MacDonald
Cosive
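The first option above (broadcast an encrypted answer so that every community member receives a copy but only the addressed recipients can open it) can be sketched as a multi-recipient envelope. The following is an added example, not code from the thread, from TAXII, or from any STIX specification: it assumes that an Identity carries an RSA public key (real STIX 2 Identity objects do not), the `encrypted-answer` envelope type and the `question--42` id are hypothetical, and the indicator payload is constructed. A fresh AES-256-GCM content key encrypts the answer once, the key is wrapped with RSA-OAEP once per recipient, and the question id is bound as associated data so a sealed answer cannot be re-attached to a different question.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Identity is a constructed stand-in for a STIX Identity whose holder also
// has the private key. Real STIX 2 Identity objects carry no key material.
type Identity struct {
	ID   string
	Priv *rsa.PrivateKey
}

// Recipient is the public half that an Identity publishes to the community.
type Recipient struct {
	ID  string
	Pub *rsa.PublicKey
}

// EncryptedAnswer is the hypothetical envelope every member would receive.
type EncryptedAnswer struct {
	Type         string            `json:"type"`
	InResponseTo string            `json:"in_response_to"`
	Nonce        string            `json:"nonce"`
	Ciphertext   string            `json:"ciphertext"`
	Recipients   map[string]string `json:"recipients"` // identity id -> wrapped content key
}

func NewIdentity(id string) (*Identity, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Identity{ID: id, Priv: priv}, nil
}

func (i *Identity) Recipient() Recipient { return Recipient{ID: i.ID, Pub: &i.Priv.PublicKey} }

func enc(b []byte) string { return base64.StdEncoding.EncodeToString(b) }

// EncryptAnswer seals the answer with a fresh AES-256-GCM key and wraps that
// key once per intended recipient; non-recipients get only opaque bytes.
func EncryptAnswer(answer []byte, inResponseTo string, recipients []Recipient) (*EncryptedAnswer, error) {
	if len(recipients) == 0 {
		return nil, errors.New("no recipients")
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The question id is associated data: the tag fails if it is changed.
	env := &EncryptedAnswer{
		Type:         "encrypted-answer",
		InResponseTo: inResponseTo,
		Nonce:        enc(nonce),
		Ciphertext:   enc(gcm.Seal(nil, nonce, answer, []byte(inResponseTo))),
		Recipients:   make(map[string]string, len(recipients)),
	}
	for _, r := range recipients {
		// Recipient id as OAEP label: a wrapped key cannot be moved to another entry.
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, r.Pub, key, []byte(r.ID))
		if err != nil {
			return nil, err
		}
		env.Recipients[r.ID] = enc(wrapped)
	}
	return env, nil
}

// DecryptAnswer recovers the plaintext only if me is an addressed recipient
// holding the matching private key and the envelope is untampered.
func DecryptAnswer(env *EncryptedAnswer, me *Identity) ([]byte, error) {
	wrappedB64, ok := env.Recipients[me.ID]
	if !ok {
		return nil, errors.New("not an addressed recipient")
	}
	wrapped, err := base64.StdEncoding.DecodeString(wrappedB64)
	if err != nil {
		return nil, err
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, me.Priv, wrapped, []byte(me.ID))
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce, err := base64.StdEncoding.DecodeString(env.Nonce)
	if err != nil {
		return nil, err
	}
	ct, err := base64.StdEncoding.DecodeString(env.Ciphertext)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, []byte(env.InResponseTo))
}

func main() {
	asker, _ := NewIdentity("identity--asker")
	bystander, _ := NewIdentity("identity--bystander")
	// Constructed answer payload; only the asker is addressed.
	answer := []byte(`{"type":"indicator","pattern":"[ipv4-addr:value = '203.0.113.5']"}`)
	env, _ := EncryptAnswer(answer, "question--42", []Recipient{asker.Recipient()})
	wire, _ := json.Marshal(env) // what every community member would receive
	var got EncryptedAnswer
	_ = json.Unmarshal(wire, &got)
	pt, err := DecryptAnswer(&got, asker)
	fmt.Println("asker:", string(pt), err)
	_, err = DecryptAnswer(&got, bystander)
	fmt.Println("bystander:", err)
}
```

The envelope still reveals who the recipients are (the `recipients` map keys), which is the traffic-analysis trade-off the second option avoids by sending point-to-point; hiding recipient ids would require trial-decryption of every wrapped key instead of a lookup.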