From: firstname.lastname@example.org [mailto:email@example.com]
On Behalf Of Nicholas Hayden
Sent: Monday, October 9, 2017 8:18 PM
To: firstname.lastname@example.org; JG @ OASIS <email@example.com>
Subject: Re: [cti-stix] STIX/TAXII Vendor Self-Certification Program MOTION
Nicholas Hayden, CISSP, GICSP, CNDA, CEH, Sec+
Director of Engineering Anomali | anomali.com
808 Winslow St Redwood City, CA 94063
Phone: (650) 257-0867 | Twitter: @anomali
On Oct 9, 2017, 8:13 PM -0400, JG @ OASIS <firstname.lastname@example.org>, wrote:
I second the motion.
On 10/9/2017 2:05 PM, Allan Thomson wrote:
Dear TC Members,
I motion that the TC approve, by unanimous consent, the following regarding the vendor self-certification program for TC approval.
If you have any concerns please reply to the list. If we need to discuss any changes then we can certainly consider a discussion at the F2F next week.
1. OASIS will create official STIX and TAXII interoperability badges for exclusive use by vendors of products that have passed the online self-certification tests. ("Products" may include services as well as software, to the extent the requirements are applicable in the test protocols named below.)
2. Products will be granted the right to use one of two available badges: a) STIX-only or b) STIX-and-TAXII. Since the TAXII test incorporates STIX, there will be no need for a TAXII-only badge and no benefit in offering multiple badges per product.
3. The interoperability badges will incorporate the STIX and TAXII logos. If possible, OASIS will update the current STIX and TAXII logo designs in a way that leverages current brand recognition but also conveys the exciting changes in 2.x. OASIS will continue to work with DHS to resolve trademark issues regarding the logos, and under current licensing, the launch and details of this program will be contingent on advance DHS approval.
4. Only the major version number for the specifications will be used in the badges, i.e., 'STIX 2' and 'STIX+TAXII 2'. Attempting to denote minor version numbers in the badge (e.g. 'STIX 2.5') would cause extra work and risk confusion over time.
5. The badges will incorporate the STIX 2 and TAXII 2 logos along with a term that indicates the accomplishment (i.e., the product has passed the interoperability test). OASIS will use the terms 'STIX 2 Preferred' and 'STIX TAXII 2 Preferred'. We believe 'Preferred' will convey formal recognition that the product meets a higher level of quality. The proposed final design will be brought back to the TC for its feedback.
6. When used by vendors in online applications, the badges will be linked to an OASIS web page that explains the meaning of the badge, details restrictions for its use, lists all products authorized to use it, and provides instructions for how to perform the self-assessment and attestation that earns the badge, including a link to any online test resources. The badges will be based on the following two test documents: [stix-taxii-2-interop-p1-v1-0-fd03] and [stix-taxii-2-interop-p2-v1-0].
7. OASIS will reserve use of the Preferred badges to vendors who have completed the self-assessment and attestation program. Unauthorized parties will be asked to immediately remove the badge from their collateral and advised on the proper method for attaining
8. OASIS will draft specific SLA terms appropriate for self-attestation, which will be publicly posted, and work through other key operational issues in consultation with the CTI Interoperability Subcommittee.
This is a significant step towards formalizing interoperability testing and we look forward to your input/agreement.
R. Jane Ginn, MSIA, MRP
Secretary, Cyber Threat Intelligence Technical Committee (CTI TC)