Potential Use Case 1 for a hypothetical [Govt] organization: An organization is under some kind of regulatory, legal, compliance constraints such that
they cannot "store" the information - they can merely deliver it. In this situation, they may"cache" the information for some period of time if the consumers are not currently listening
but it's more like the post-office vacation-hold than query/storage. Result: TAXII does pub/sub only.
Potential Use Case 2 for some hypothetical Govt organization: Some information is classified with all kinds of different need-to-know caveats in the same STIX document. The decision on which fields are available to a particular
consumer is on an entity-by-entity basis. This is impossible to implement in a pub/sub model because you might have -say- 10 types of attributes of a person in terms of their need-to-know. A given document can have fields that have require between 1-10
of those need-to-knows. (that's 10! combinations or something factorial - I forget the equation) So you can't create a 10! different feeds for each of those 10! need-to-knows. Result: TAXII does query only and forms the response based on the need-to-know
attributes of the entity making the query.
I'm going to argue that the TAXII tool that is optimized for Use Case 1 is 100% designed differently than one optimized for Use Case 2. If you have to do both, I posit that's a waste of time and you may compromise and end up
with something that isn't optimized well for either one of these.
I'm sorry that I'm a late arrival to this discussion. But are you going to talk about the potential for a TAXII implementation that is more focused on real-time control, say within an organization, where some real time intelligent controller uses TAXII to
send just STIX COA primitives (i.e. block-this-IP-address) to a particular router. That's not really pub/sub but more a directed control communication. Or is this out of scope for TAXII?