|
We should probably get people together to talk about and discuss. This will help us know for sure if a change is needed and to what extent that change is needed.
What we really need is people that have started writing code for this. This discussion is not about theory, or perceived goodness or badness, but what have people seen in working code.
Bret
Sent from my Commodore 128D
PGP
Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415
0050
Jason Keirstead wrote this message on Tue, Nov 14, 2017 at 16:48 +0000:
I have yet to see someone present a concrete use case for why we should
make cyber observables a TLO. It has been proposed multiple times in the
past and debated to death - it is perhaps the second-most debated subject
in the TC (after timestamps). I am all for the idea of "fixing what is
broken" in STIX, as Brett says, but to me if we are going to re-open
topics that have been extensively debated and yet voted on in another
direction, there is a significant burden on the proposer as to why it
should be re-opened. I don't see that burden being met here.
What are the specific modeling problem(s) that would be solved by making
cyber observables top level objects, that can not be solved in any other
fashion?
I agree. There is lots of talk, but little documentation on why the
change should be done, what it will look like, how it will be used, etc.
Yes, people have bits and pieces throughout emails, but there is not a
document that even a majority of the proponets of the concept even agree
upon things should look like.
--
John-Mark
|