Hi All,
I'd like to propose that TAXII and STIX querying abilities are reviewed and checked to make sure that a client is able to request an object based on its ID, and be returned it (if it is authorised by the producer). This must directly support proposal to allow a top-level relationship object. It would mean that if a user received just the relationship object they would know that there was a relationship with an object with a certain ID, but they wouldn't necessarily have the object itself. This functionality would allow a client to then subsequently request which ever data nodes' it wishes at either end of the relationship.
Note: This has the knock on effect of forcing the ID namespace to be tied back to the organisations domain name. If we did that, and mandated what services need to be provided by TAXII at what location, then it would be easy for a client to know how to request get from the relationship to actually contacting a TAXII server to request the actual object from the original source.
This would also work if an organisation wanted to be anonymous. It would need to provide the details through a 'broker' service which would translate the original ID sent by the anonymous producer to an ID within the broker's namespace. Then if any external consumers wanted more information then they would contact the broker, who would then forward that request to the original consumer. If the original producer says yes they can have it, then the broker says yes, and the consumer gets the information. Its a win/win.
I am aware that TAXII/STIX can do this already, but this is really about making sure that this use case is noted and supported.
Cheers
Terry MacDonald | STIX, TAXII, CybOX Consultant
Disclaimer: The opinions expressed within this email do not represent the sentiment of any other party except my own. My views do not necessarily reflect those of my employers.