
cti-taxii message


Subject: Re: [cti-taxii] Question about multiple trust group support

First I think that speaking from the perspective of ‘server’ would require some additional specification. Logical, physical, service, daemon, process?

Conceptually it definitely should. I can’t think of almost any pattern that we see in the wild that would not have a requirement to have multiple authorizations on different ‘buckets’ of data:
- threat management team in large enterprise, distributing to downstream teams
- fusion center
- multi-constituency CERTs
- national detection networks
- security appliance vendors
- MSSP
- content distribution network
- intelligence supplier
- those servicing communities (communities rarely host their own)

If we think about one physical group of companies (orgs), but a multitude of “buckets” with different authorizations on people (inside orgs), it’s even more diverse.

I’d almost have difficulty understanding when you would run a TAXII server that wouldn’t.


From: "Jordan, Bret" <bret.jordan@bluecoat.com>
Date: Wednesday, September 23, 2015 at 9:18 PM
To: "cti-taxii@lists.oasis-open.org" <cti-taxii@lists.oasis-open.org>
Subject: [cti-taxii] Question about multiple trust group support


There has been a very lively discussion on the TAXII Slack channel today, some 1,000+ messages going back and forth. And what I have realized is a lot of the arguments back and forth are based around a very basic question that we might not be in alignment on. So I am bringing this question to the email list to discuss and decide on. My hope is that we can get some solid requirements around this idea or solid reasons why it is NOT a good idea. Please contribute pros or cons and rationale for your answer.


Should TAXII 2.0 support multiple Trust Groups on a single TAXII instance? Meaning should TAXII allow multiple Indicator channels on a single instance of TAXII and restrict access to them based on who a user is, meaning is the user part of certain Trust Groups or Groups of Interest?

It is common in the threat sharing landscape today that researchers will share specific CTI over email or IM with a small group of people; often access to these email lists is highly restricted. Those same researchers may also share more generalized versions of that CTI with an even larger group of people or may post it on a blog or make it available via an RSS feed. So should TAXII support the idea of having different Trust Groups on the same TAXII server?



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 
