I generally agree but one thing to think about is future proofing in case we decide that the limit has to change from 256 to 256+X.
How will a legacy (TAXII 2.0 implementation) work with TAXII servers of the future that have different limits?
i.e.
a TAXII server that can support 512 resource names but the client only supports 256 names?
Is that determined as part of the initial version negotiation and then resource names/api that are longer than 256 are not used by the older TAXII implementations?
Something to ponder.
allan
From:
<cti-taxii@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@cosive.com>
Date: Saturday, October 8, 2016 at 12:37 PM
To: "Bret Jordan (CS)" <Bret_Jordan@symantec.com>
Cc: "cti-taxii@lists.oasis-open.org" <cti-taxii@lists.oasis-open.org>
Subject: Re: [cti-taxii] Restrictions on resource names
This seems like a good idea. I say keep the restrictions.
Cheers
Terry MacDonald
Cosive
On 9 Oct. 2016 04:00, "Bret Jordan (CS)" <Bret_Jordan@symantec.com> wrote:
All,
Previously in the TAXII SC we had talked about and agreed to have some restrictions to the names and lengths of API-Bases and Resource names like "channel names" and "collection names".
In STIX we do not have restrictions for the contents of a "string" property. However, we do have very tight restrictions for property names and custom properties / custom objects.
The current restrictions we have in place and nearly a copy-n-paste from what we do in STIX today, they are:
* An API Base MUST be in ASCII and are limited to characters a–z (lowercase ASCII) and dash (-).
* An API Base SHOULD be no longer than 30 ASCII characters in length.
* An API Base MUST have a minimum length of three ASCII characters.
* An API Base MUST be no longer than 256 ASCII characters in length.
* Resource names MUST be in ASCII and are limited to characters a–z (lowercase ASCII) and underscore (_).
* Resource names SHOULD be no longer than 30 ASCII characters in length.
* Resource names MUST have a minimum length of three ASCII characters.
* Resource names MUST be no longer than 256 ASCII characters in length.
Personally I really like this approach, I believe there to be value in restricting these. I am, however, curious to know if the SC still feels this is the best way to go.