Subject: Re: [cti-taxii] TAXII Architecture
Here is a thought I'll throw out there.

There will be TAXII Servers that implement the broker and repository functionality. I see these systems as the ones that will be attempting to facilitate exchange of information across systems/organizations. I can’t think of any “brokers” that wouldn’t reasonably also be a “repository”.

On the other hand, I can picture repositories that are hampered by broker requirements. A Threat Analyst workbench or SIEM might want to expose their threat information using the TAXII repository concept (and perhaps even interact with a broker), but have no desire to facilitate the exchange of information across other systems/organizations via the broker concept.

To that end, maybe there are (notionally) two conformance clauses?

1. A TAXII Server implements both the broker and repository functionality.
2. A TAXII Repository implements only the repository functionality (we’d have to have some rule that maybe the broker side gives back an HTTP 501 - Not Implemented).

If this approach is taken, I would like to consider requiring or suggesting that only TAXII Servers are advertised in DNS and that TAXII Repositories are not.

This does go slightly against my desire to have a ‘TAXII’ mean a single rigid thing, but I think there are systems out there that will want to offer a TAXII interface and not be a broker, and I view those systems as important to the overall threat sharing ecosystem.

Thoughts?

Thank you.
-Mark

On 12/16/15, 6:14 AM, "Trey Darley" <cti-taxii@lists.oasis-open.org on behalf of trey@soltra.com> wrote:

>On 15.12.2015 18:39:33, Jordan, Bret wrote:
>>
>> Question: Which of the following statements do you prefer? Or do you
>> prefer something altogether different?
>>
>>
>> Option 1: A compliant TAXII server MAY implement the message broker
>> solution, the cyber information repository solution, or both.
>>
>> Option 2: A compliant TAXII server MUST implement the message broker
>> solution and the cyber information repository solution.
>>
>
>I would suggest a third option:
>
>"A compliant TAXII server MUST implement the message broker solution
>and SHOULD implement the cyber information repository solution."
>
>--
>Cheers,
>Trey
>--
>Trey Darley
>Senior Security Engineer
>4DAA 0A88 34BC 27C9 FD2B A97E D3C6 5C74 0FB7 E430
>Soltra | An FS-ISAC & DTCC Company
>www.soltra.com
>--
>"In protocol design, perfection has been reached not when there is
>nothing left to add, but when there is nothing left to take away."
>--RFC 1925