[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-cybox] Re: [cti-stix] Re: [cti-cybox] Re: [EXT] [cti-cybox] Agenda for August 8 Working Call
Mark, Excellent point. Just to clarify, when you speak of “consumers”, do you mean software/systems that a recipient of threat intelligence is using? That is, if Bank A uses Product X and their ISAC sends them IEP-marked STIX, if Product X
does not have the capability to interpret IEP markings and (present them to the user for example), that Product X should reject that content? There is a separate question as to whether or not Bank A has agreed to be bound by IEP in its agreement with the
ISAC but that’s out of scope for us. Am I getting this right? Thanks, Rich From: <cti-cybox@lists.oasis-open.org> on behalf of Mark Davidson <Mark.Davidson@nc4.com> I realize I’m a late entrant to this discussion, but – IEP support must be a requirement in STIX. Otherwise, a producer can place IEP markings that the consumer happily ignores, creating an information leakage
That said, I do not think that consumers need to have IEP capability. Rather, they must be able to detect whether IEP markings exist and, if a consumer does not support IEP, refuse to process the document further. If we do not specify this
minimum level of requirement, the IEP object will essentially be inert unless every single consuming implementation chooses to support it. As one method for achieving this, SOAP Headers (yes, the early 2000’s rear their ugly head) has a general “must understand” concept. Producers can specify arbitrary headers; and within those headers, policies. If the “mustUnderstand” header
is set to true, the recipient must produce a fault if they cannot process the header. If the “mustUnderstand” header is set to false, processing the header is optional.
I would liken IEP support to a “mustUnderstand=true”. You are not required to support it, but if you do not support it you are required to reject documents that have it. As a producer, I’d like confidence that the markings I place will be respected, and I would like that confidence to be placed something other than convention. Thank you. -Mark From: <cti-cybox@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com> Those are good questions. The specification will not mandate, or I hope will not mandate, the use of IEP, but is the interop SC going to mandate it in their profiles? Bret
Disclaimer: This message is intended only for the use of the individual or entity to which it is addressed and may contain information which is privileged, confidential, proprietary, or exempt from disclosure under applicable law. If you
are not the intended recipient or the person responsible for delivering the message to the intended recipient, you are strictly prohibited from disclosing, distributing, copying, or in any way using this message. If you have received this communication in
error, please notify the sender and destroy and delete any copies you may have received.
|
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]