Re: [cti-users] Towards a better understanding of JSON-LD (Was: MTI Binding)

["Wunder, John A." <jwunder@mitre.org>]

If you use an RDF-based serialization mechanism (as what Paul Patrick posted: thanks Paul!) then you force everyone to process the data as RDF. If you use a more generic serialization mechanism that’s a bit easier to work with natively then people can process the data however they want (including RDF, but also in other ways).

RDF is great! I just don’t think we should force everyone to use it by going with an RDF-based approach for moving the data around.

My understanding is that Cory’s proposal would bridge this gap a bit by representing the data more naturally in JSON-LD while still maintaining the annotations that allow it to be used as RDF.

John

On Oct 9, 2015, at 11:58 AM, Shawn Riley <shawn.p.riley@GMAIL.COM> wrote:

Again, if the higher level data model is RDF/OWL w/UML which is what has been proposed since the STIX was started, then why would you not use the serializations that are fully compatible with it that would allow everyone to exchange data. For those that understand RDF/OWL this is coming across as OASIS CTI will prohibit using the RDF/OWL data model from being used with existing serializations and technology in favor of forcing everyone to use plain JSON and JSONSchema. How would OASIS CTI prohibit the community from using the RDF/OWL data model and the RDF serializations that are fully valid against the STIX RDF/OWL data model? 

On Fri, Oct 9, 2015 at 11:51 AM, Wunder, John A. <jwunder@mitre.org> wrote:

So here’s my understanding:

We will define an OASIS work product that describes the STIX high-level data model. This work product will be some form of UML and/or RDF. So at that point, we’ve defined the high-level data model.

The community has (unofficially) decided that in the interest of best interoperability between tools we need to define a single serialization format as “mandatory to implement” (MTI). All tools implementing STIX would implement this format. This would also be codified as an OASIS work product.

Whether we have other OASIS work products for other serialization formats is up for debate, but I do think there’s some sense that the fewer of these we officially standardize the better (again, for best interoperability).

So let’s say we choose JSON / JSONSchema as the MTI format. We would have two OASIS work products:

- The high-level model

- A binding of that high-level model, describing what it looks like when serialized to JSON along with JSONSchema to automatically validate it.

Tools claiming that they participate in STIX-based exchanges would be required to implement the JSON serialization format. They could also implement any other  serialization formats they want (RDF-style STIX transfers, CSV, IODEF, Thrift, etc). Data exchange of those formats just wouldn’t be called a “STIX information exchanges” unless we also developed and published an OASIS work product standardizing them as such.

Although, now that I think of it, I’m wondering if an RDF-style exchange (JSON-LD, RDF/XML, RDF/Turtle) would be considered STIX-based just because it natively conforms to the high-level model (assuming the high-level model is RDF). I don’t know! If it did, those tools would also need to implement the MTI serialization but could also call the RDF exchange “STIX-based".

John

On Oct 9, 2015, at 11:30 AM, Shawn Riley <shawn.p.riley@GMAIL.COM> wrote:

I'm confused then. If the community is perfectly happy with an RDF/OWL w/UML data model then that is all that is needed to use the RDF serializations. It seems then the argument is creating additional JSON / JSONSchema on the wire format in addition to the RDF serializations?  Or is the community saying we are ok with having an RDF/OWL w/ UML data model but you will prohibit the community from using any of the existing RDF serializations designed to be used with the data model?

On Fri, Oct 9, 2015 at 11:14 AM, Wunder, John A. <jwunder@mitre.org> wrote:

I haven’t seen anybody suggest not having an abstract data model (either via RDF, UML, or something else). Bret in particular has been careful to maintain that we will base any serialization on a high-level model.

The question we’re tackling now is whether the on-the-wire MTI format should be something tied directly to RDF, like JSON-LD, or something that's indirectly tied to the high-level model via a binding specification, like JSON with JSONSchema. Both approaches allow for an RDF-based analysis, it’s just a question of whether an RDF-based serialization format is the best approach for sharing data between tools when not all of them will want to do RDF.

FWIW I’m waiting to see what Cory’s examples look like.

John

On Oct 9, 2015, at 10:55 AM, Shawn Riley <shawn.p.riley@GMAIL.COM> wrote:

I just don't see why some here are moving away from the original plan of moving from XML to an abstract data model like RDF. We had face to face discussions on the topic and it's been discussed repeatedly since STIX launched. The whole reason some have been promoting STIX internationally and across the community was because this was the future direction. I certainly don't want to throw away the last 4 years of work on CTI in RDF and the significant advancement in analytic tradecraft it brings. I don’t see why this should be positioned as an either-or decision. The desires of those wanting simple JSON serializations should be fully possible within an RDF-based modeling approach while still enabling us to support moving forward the state of the practice for cyber threat analysts. Please help me understand why after more than 4 years of discussing this transition from XML to an RDF-based modeling approach that we now have people pushing to move the CTI effort in another direction?

On Thu, Oct 8, 2015 at 12:14 PM, Jacobsen, Jasen W. <jasenj1@mitre.org> wrote:

Note that the JSON they provide is JSON-LD. http://docs.publishmydata.com/developers/105_resource_formats.html

And they provide a _javascript_ example of accessing the JSON-LD: http://docs.publishmydata.com/developers/121_example_javascript_filtered_resources.html

Good resource. Thanks for sharing.

- Jasen.

From: <cti-users@lists.oasis-open.org> on behalf of Shawn Riley <shawn.p.riley@gmail.com>
Date: Thursday, October 8, 2015 at 11:28 AM
To: "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: Re: [cti-users] Towards a better understanding of JSON-LD (Was: MTI Binding)

I wanted to share a link (below) to a blog which talks about RDF serialization formats and while this isn't STIX specific it does use real world data from http://opendatacommunities.org/ which is the UK Department for Communities and Local Government's official Linked Open Data website. As I'm sure everyone is aware both the USA and UK governments have been champions of RDF for several years now and continue to push for open data to made available in RDF.  

http://blog.swirrl.com/articles/rdf-serialisation-formats/   <--NOTE this is from 2012 before the JSON-LD development but it should help those looking for more RDF data then the US Government's 7000+ RDF open data sets.