[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti] STIX 2.1 Proposal: IEP v2.0
In the IEP Reference container, I think you need to use the STIX Hashes type, like what we did with External References. This way you know that the think you are linking to has not changed.
a) the marking definition object examples in Section 9.1.7 still have version in the JSON. That field is no longer in STIX 2.0. Suggest removing that attribute from the examples.
b) STIX uses created/modified/deleted as timestamp fields. The IEP JSON schema appears to use “start_date” and “end_date”. Any reason why this could not be consistent with STIX naming and use “start” and “end” without the _date in the name?
c) The id in the IEP policy object does not have a type-name in it like other STIX objects would. Why not? Would we not want the ids to be created using the same id creation policy as STIX?
d) The version field represents what version? IEP? For ease of integration it might be best if we name that field “iep_version” to avoid other uses of the common name ‘version’
Hi Terry – Some minor tweaks.
a) the marking definition object examples in Section 9.1.7 still have version in the JSON. That field is no longer in STIX 2.0. Suggest removing that attribute from the examples.
b) STIX uses created/modified/deleted as timestamp fields. The IEP JSON schema appears to use “start_date” and “end_date”. Any reason why this could not be consistent with STIX naming and use “start” and “end” without the _date in the name?
c) The id in the IEP policy object does not have a type-name in it like other STIX objects would. Why not? Would we not want the ids to be created using the same id creation policy as STIX?
d) The version field represents what version? IEP? For ease of integration it might be best if we name that field “iep_version” to avoid other uses of the common name ‘version’
allan
From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@cosive.com>
Date: Monday, May 15, 2017 at 1:22 PM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org >, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] STIX 2.1 Proposal: IEP v2.0
Hi All,
I'd like to propose that we add an IEP Data Marking object to STIX 2.1 to allow object creators the option of marking their data using IEP v2.0. More information about the proposal is in the STIX2.1Proposal-
InformationExchangePolicyMarki ngType.pdf. I've also included background information about the IEP Framework, and the IEP JSON Specification if you're interested. There two documents have been updated based on feedback from CTI members to better align IEP with STIX.
The FIRST Information Exchange Policy (IEP) Framework enables threat intelligence providers to inform recipients of how they may use the threat intelligence they receive. IEP ensures that both parties are aware of any restrictions on the use of the shared threat intelligence, and reduces the likelihood of misunderstandings.
Think of it as TLP that also describes Handling, Action, Sharing and Licensing restrictions. In other words it answers "What am I allowed to do with this intel?"
The real power of IEP is in the ability for content producers to reference the same IEP policy. IEP allows communities to create and reference one or more shared IEP policies that members can choose from and reference. The FIRST IEP-SIG will be creating and hosting some common IEP policies that anyone will be free to use, in the interest of making threat intelligence sharing easier.
Cheers
Terry MacDonald | Chief Product Officer
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]