As we have talked off-line, there are things I like about this proposal and things I do not.
Bret
Sent from my Commodore 64
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050

Stephen Russett wrote this message on Fri, Nov 23, 2018 at 10:44 -0800:

Hey all
I am looking for some experiences working with "signing" objects (SDOs, SROs, Data Marking Definitions, etc). I am looking at using a custom property, but wanted to get some feedback if others are doing this?

Use case: As bundles are passed around in STIX, there are different actors/identities that are consuming this information. Has there been thought on a common standard for signing bundles and each item within a bundle (in the case where a bundle's objects were provided by different actors, but were bundled by someone else)?
Sorry, I just saw this email.

I have already written a proposal on signing, and I wrote the first proposal almost two years ago.

Signing data needs to be handled very carefully, as if it is not handled properly, you can end up w/ attackers being able to pretend that data was signed when it was not...

The latest version of the proposal is at:
https://github.com/jmgnc/cti-sep-repository/blob/digitalsig/seps/draft/extensions/x-newcontext-signing-ext/x-newcontext-signing-ext.md

It does not support third party signatures yet, but this is relatively easy to write up if needed... After thinking about how versioning works, and interactions w/ TAXII and other items, third party signatures need to be their own SDO, otherwise it introduces complexities into the TAXII server in how to aggregate signatures, whereas having an independent object makes it possible.. Though I realized that not being able to add the reference hashes makes this idea more difficult, but not impossible..

Feel free to ask questions if you need more info...

-- John-Mark
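The following is an added example, not code from the thread or from the linked proposal, showing the shape of per-object signing and verification the two messages above discuss: each object in a bundle carries its own signature, the bundle wrapper assembled by a third party stays unsigned, and the verifier never trusts an object's claim of having been signed without recomputing over a canonical form. The property name `x_example_signature`, the identity ids, keys and indicator objects are all constructed for this example, and HMAC-SHA256 stands in for the public-key signature a real deployment would use, so that it runs on the standard library alone.

```python
import hashlib
import hmac
import json

# Hypothetical extension property carrying the signature; the real proposal
# linked in the thread defines its own names, which are not reproduced here.
SIG_PROP = "x_example_signature"

# Constructed keys indexed by identity id. HMAC-SHA256 stands in for a
# public-key signature so the example runs on the standard library alone;
# the canonicalisation and verification steps are the point.
KEYS = {
    "identity--producer-a": b"constructed-key-producer-a",
    "identity--producer-b": b"constructed-key-producer-b",
}


def canonical_bytes(obj):
    """Bytes that get signed: the object minus the signature property,
    keys sorted, no insignificant whitespace. Producer and verifier must
    derive exactly the same bytes or every signature fails."""
    stripped = {k: v for k, v in obj.items() if k != SIG_PROP}
    return json.dumps(stripped, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def sign_object(obj, signer_id):
    """Return a copy of obj carrying a signature by signer_id over its canonical form.
    The signature covers 'modified', so a new version of the object needs a new signature."""
    digest = hmac.new(KEYS[signer_id], canonical_bytes(obj), hashlib.sha256).hexdigest()
    signed = dict(obj)
    signed[SIG_PROP] = {"signer_ref": signer_id, "alg": "hmac-sha256", "value": digest}
    return signed


def verify_object(obj):
    """Return the identity id whose key validates the object, or None.
    'signer_ref' is only used to look up the key; the claim itself is never
    trusted, which is what stops an object from merely asserting it was signed."""
    sig = obj.get(SIG_PROP)
    if not isinstance(sig, dict):
        return None                       # unsigned: nothing to evaluate
    key = KEYS.get(sig.get("signer_ref"))
    if key is None:
        return None                       # unknown signer: cannot verify
    expected = hmac.new(key, canonical_bytes(obj), hashlib.sha256).hexdigest()
    if hmac.compare_digest(expected, str(sig.get("value", ""))):
        return sig["signer_ref"]
    return None                           # forged, or modified since signing


def verify_bundle(bundle):
    """Map each object id to its verified signer (or None). The bundle wrapper is
    left unsigned: a third party may have assembled objects from several producers."""
    return {o["id"]: verify_object(o) for o in bundle.get("objects", [])}


def build_sample_bundle():
    """Constructed sample bundle: two properly signed objects from different
    producers, one unsigned, one forged, one modified after signing."""
    base_a = {"type": "indicator", "id": "indicator--sample-a",
              "created_by_ref": "identity--producer-a",
              "modified": "2018-11-23T18:44:00.000Z",
              "pattern": "[ipv4-addr:value = '203.0.113.5']"}
    base_b = {"type": "indicator", "id": "indicator--sample-b",
              "created_by_ref": "identity--producer-b",
              "modified": "2018-11-23T18:45:00.000Z",
              "pattern": "[domain-name:value = 'example.net']"}
    signed_a = sign_object(base_a, "identity--producer-a")
    signed_b = sign_object(base_b, "identity--producer-b")

    # No signature property at all.
    unsigned = dict(base_a, id="indicator--sample-unsigned")

    # Claims producer A signed it, but the value was never produced with A's key.
    forged = dict(base_a, id="indicator--sample-forged")
    forged[SIG_PROP] = {"signer_ref": "identity--producer-a",
                        "alg": "hmac-sha256", "value": "00" * 32}

    # Genuinely signed by A, then the pattern was changed afterwards.
    signed_t = sign_object(dict(base_a, id="indicator--sample-tampered"),
                           "identity--producer-a")
    tampered = dict(signed_t, pattern="[ipv4-addr:value = '198.51.100.9']")

    return {"type": "bundle", "id": "bundle--sample-third-party",
            "objects": [signed_a, signed_b, unsigned, forged, tampered]}


if __name__ == "__main__":
    for obj_id, signer in verify_bundle(build_sample_bundle()).items():
        print(f"{obj_id}: {signer or 'NOT VERIFIED'}")
```

The two design choices worth noting are that the signature property is excluded from the bytes being signed (so the producer can attach it after signing and the verifier can strip it before checking), and that verification resolves the key from a local trust store rather than from anything inside the object, so a `signer_ref` pointing at a known identity proves nothing until the digest matches under that identity's key.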