OASIS Mailing List Archives

 



cti-taxii message



Subject: Re: [cti-taxii] Restrictions on resource names


Good question Allan! We need to figure out how best to have a TAXII client tell the TAXII server which version it is using and have the TAXII server be able to tell the client what version it is getting.


There has been some talk about doing this in the native HTTP headers, we will just need to make sure we find a good way of doing this.  If anyone has any suggestions, please let us know.  


The use cases:


1) The client needs to tell the TAXII server which version of TAXII it is using.  This needs to be present in every GET, POST, PUT, DELETE etc.


2) The client needs to be able to tell the TAXII server the type of content it is sending or that it wants and its version (if applicable).  For example, STIX 2.1.


3) The server needs to be able to tell the client not only which version it is using, but also tell it about the content it is getting.  


Bret


From: Allan Thomson <athomson@lookingglasscyber.com>
Sent: Saturday, October 8, 2016 2:13:21 PM
To: Terry MacDonald; Bret Jordan (CS)
Cc: cti-taxii@lists.oasis-open.org
Subject: Re: [cti-taxii] Restrictions on resource names
 

I generally agree but one thing to think about is future proofing in case we decide that the limit has to change from 256 to 256+X.

 

How will a legacy (TAXII 2.0 implementation) work with TAXII servers of the future that have different limits?

 

i.e.

 

a TAXII server that can support 512 resource names but the client only supports 256 names?

 

Is that determined as part of the initial version negotiation and then resource names/api that are longer than 256 are not used by the older TAXII implementations?

 

Something to ponder.

 

allan

 

From: <cti-taxii@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@cosive.com>
Date: Saturday, October 8, 2016 at 12:37 PM
To: "Bret Jordan (CS)" <Bret_Jordan@symantec.com>
Cc: "cti-taxii@lists.oasis-open.org" <cti-taxii@lists.oasis-open.org>
Subject: Re: [cti-taxii] Restrictions on resource names

 

This seems like a good idea. I say keep the restrictions.

Cheers
Terry MacDonald
Cosive

 

On 9 Oct. 2016 04:00, "Bret Jordan (CS)" <Bret_Jordan@symantec.com> wrote:

All,

 

Previously in the TAXII SC we had talked about and agreed to have some restrictions to the names and lengths of API-Bases and Resource names like "channel names" and "collection names".

 

In STIX we do not have restrictions for the contents of a "string" property.  However, we do have very tight restrictions for property names and custom properties / custom objects.  

 

The current restrictions we have in place are nearly a copy-n-paste from what we do in STIX today, they are:

 

* An API Base MUST be in ASCII and is limited to characters a–z (lowercase ASCII) and dash (-).

* An API Base SHOULD be no longer than 30 ASCII characters in length.

* An API Base MUST have a minimum length of three ASCII characters.

* An API Base MUST be no longer than 256 ASCII characters in length.

 

* Resource names MUST be in ASCII and are limited to characters a–z (lowercase ASCII) and underscore (_).

* Resource names SHOULD be no longer than 30 ASCII characters in length.

* Resource names MUST have a minimum length of three ASCII characters.

* Resource names MUST be no longer than 256 ASCII characters in length.

 

Personally I really like this approach, I believe there to be value in restricting these.  I am, however, curious to know if the SC still feels this is the best way to go.

 

Bret
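
The restrictions listed in the thread above, written as a validator that separates MUST violations from SHOULD violations. This is an added example, not code from the TAXII specification or from any participant in the thread; the function names and the `must_max` parameter are assumptions, the latter included only to show the 256-versus-512 question raised in the thread.

```python
import re
from dataclasses import dataclass, field

# Character sets and lengths as listed in the thread.
API_BASE_CHARS = re.compile(r"[a-z-]+")   # lowercase ASCII a-z and dash
RESOURCE_CHARS = re.compile(r"[a-z_]+")   # lowercase ASCII a-z and underscore
MIN_LEN = 3          # MUST have at least three characters
SHOULD_MAX_LEN = 30  # SHOULD be no longer than 30
MUST_MAX_LEN = 256   # MUST be no longer than 256


@dataclass
class Result:
    errors: list = field(default_factory=list)    # MUST violations
    warnings: list = field(default_factory=list)  # SHOULD violations

    @property
    def ok(self):
        return not self.errors


def _check(name, allowed, kind, must_max):
    res = Result()
    # fullmatch rather than match with "$": "$" also matches just before a
    # trailing newline, which would let "feeds\n" through.
    if not allowed.fullmatch(name):
        res.errors.append(f"{kind} has characters outside the allowed set")
    if len(name) < MIN_LEN:
        res.errors.append(f"{kind} is shorter than {MIN_LEN} characters")
    if len(name) > must_max:
        res.errors.append(f"{kind} is longer than {must_max} characters")
    elif len(name) > SHOULD_MAX_LEN:
        res.warnings.append(f"{kind} is longer than {SHOULD_MAX_LEN} characters")
    return res


def check_api_base(name, must_max=MUST_MAX_LEN):
    """Validate an API Base; must_max is a hypothetical knob for the limit."""
    return _check(name, API_BASE_CHARS, "API Base", must_max)


def check_resource_name(name, must_max=MUST_MAX_LEN):
    """Validate a resource name (e.g. a collection or channel name)."""
    return _check(name, RESOURCE_CHARS, "resource name", must_max)
```

A name of 300 characters passes with `must_max=512` and fails with the default of 256, which is the mismatch between a newer server and a legacy client that the thread asks about.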


