Iâm attempting to derive ârealâ deterministic ids for the examples in the spec. Right now the SCO are expressed as âstand-insâ that look like âtype--00000000-0000-0000-0000-000000000000â.
Iâm writing a script that will generate the ids â but I have encountered some text in the spec which seems ambiguous. They concern SCOs where a hash is one of the id contributing properties:
Here are the three uses:
For Artifact:
hashes,
payload_bin
Where
1.
if
hashes exists only include 1 hash from this common ordered list (based on the following order of preference)
[ md5, sha1, sha256, sha512 ]
2.
if no hashes are defined and
payload_bin exists include only the
payload_bin
For File:
hashes,
name,
extensions
Where
1.
if
hashes exists include 1 hash from this ordered list [ md5, sha1, sha256, sha512 ] only
2.
If no hashes
a.
Include defined
extensions
b.
Include defined
name
For X509 Certificates:
hashes,
serial_number
Where
1.
if
hashes exists include 1 hash from this ordered list [ md5, sha1, sha256, sha512 ] only
2.
Include serial_number
The way I read this, Artifact and File only include other properties if there are no hashes available, but X509 Certificates always includes serial_number.
If that is the case, then I would probably want to clean up the text â but Iâm not sure that this is what was intended.
Can someone more explicitly describe the use of the contributing properties for these three types?
Rich
--
Rich Piazza
The MITRE Corporation
781-271-3760
