Thanks for the quick feedback. So given the lack of standards, in the meantime I am going to implement a custom property that implements a signing/validating strategy pattern and for a first pattern just use something similar to how JWT tokens sign their content for public key validation. Specifically so that someone can have signed content and verify that content with a ~public PKI listing.

'For me' at the moment, the specific signing standard is not overly important as long as a consumer knows where to find the upstream public signatures for downstream/consumer validation.

Something like 'x_signature: " "', which can be easily implemented with helpers in a library's implementation.

Would you say that a standard is 'near'? Or a 2020+ type of thing?
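The custom-property approach sketched above, as an added example that is not from the thread or from any STIX library: a hypothetical x_signature property carrying a key id and an Ed25519 signature over an assumed canonical form (the object minus x_signature, serialised with sorted keys and compact output, since, as Bret notes, no canonical JSON standard exists yet). The consumer resolves the key id against its own trusted key listing before verifying.

```go
package main
import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
)
// Canonical bytes assumed here (no standard exists yet, as the thread notes):
// the object minus x_signature, marshalled by encoding/json, which sorts map
// keys and emits compact output. Producer and consumer must agree on this.
func canonical(obj map[string]any) ([]byte, error) {
	c := make(map[string]any, len(obj))
	for k, v := range obj {
		if k != "x_signature" {
			c[k] = v
		}
	}
	return json.Marshal(c)
}
// SignObject adds a hypothetical x_signature custom property carrying the
// key id (for lookup in a published key listing) and an Ed25519 signature.
func SignObject(obj map[string]any, kid string, priv ed25519.PrivateKey) error {
	msg, err := canonical(obj)
	if err != nil {
		return err
	}
	obj["x_signature"] = map[string]any{"alg": "EdDSA", "kid": kid,
		"sig": base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, msg))}
	return nil
}
// VerifyObject resolves kid against the consumer's trusted keys and checks the
// signature over the recomputed canonical bytes, so any edit to a signed field,
// a missing signature or an unknown signer is rejected.
func VerifyObject(obj map[string]any, trusted map[string]ed25519.PublicKey) error {
	prop, _ := obj["x_signature"].(map[string]any) // nil if absent; nil map reads are safe
	kid, _ := prop["kid"].(string)
	pub, ok := trusted[kid]
	if !ok {
		return errors.New("missing x_signature or unknown signer kid: " + kid)
	}
	sigB64, _ := prop["sig"].(string)
	sig, err := base64.RawURLEncoding.DecodeString(sigB64)
	msg, cerr := canonical(obj)
	if err != nil || cerr != nil || !ed25519.Verify(pub, msg, sig) {
		return errors.New("signature does not match object content")
	}
	return nil
}
```

Objects parsed from JSON into map[string]any work the same way, because their nested x_signature value is also a map[string]any.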
Stephen,

Thanks for the question. Yes, this is a known issue that the TC needs to address. One of the major problems is that the IETF JOSE working group has yet to define a canonical representation of JSON data. This makes signing the STIX objects difficult, as there is not yet any RFC for doing what we need. We have talked about a few different options internal to our CTI TC for how this could be done, but the solution would be limited to STIX and TAXII, rather than an industry wide standard.

To this end I have been bringing up this issue in the IETF JOSE WG mailing list, and trying to get a work item started during the Prague IETF meeting to address this. If you are interested in signed JSON content, either for STIX or something else, I would highly encourage you to join the discussion at jose@ietf.org.

There seems to be a few people on the JOSE mailing list that, like me, want to see this work get done. However, as you may know, all standards work (even here in OASIS) is consensus based. Meaning, the more people that want something done, the more likely it will get done.
Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing
that can not be unscrambled is an egg."
Hey all,

I am looking for some experiences working with 'signing' objects (SDOs, SROs, Data Marking Definitions, etc). I am looking at using a custom property, but wanted to get some feedback if others are doing this?

Use case: As bundles are passed around in STIX, there are different actors/identities that are consuming this information. Has there been thought on a common standard for signing bundles and each item within a bundle (in the case where a bundle's objects were provided by different actors, but was bundled by someone else)?
Thanks!
Steve
Stephen Russett
@stephenrussett