Hi Bret,
I'm rarely a fan of MAY in standards, unless it is absolutely necessary. Is it possible to tweak Option 1 so that it becomes:
Option 1: A compliant TAXII server MUST implement either the message broker solution, the cyber information repository solution, or both.
Then it would get my vote. I envisage some TAXII servers just acting as a distribution mechanism to share the threat intelligence around (e.g. within threat intel sharing trustgroups, just like their mailing list servers do now) and others acting as threat intel repository (e.g. Soltra and EclecticIQ) and others being both. But I also want to ensure that at least one of them MUST be implemented in order for the TAXII Server to call itself a compliant TAXII Server.
Cheers
Terry MacDonald