All,
It appears that TAXII 2.1 Envelopes were introduced in such a way that allows their fields to be backwards compatible with STIX Bundles, so that there is compatibility between TAXII 2.0 and TAXII 2.1 clients.Â
However, there is some ambiguity surrounding the explicitness of the TAXII 2.1 specification. It mentions that
When requesting STIX 2 content, that content will always be delivered in a TAXIIÂenvelopeÂeven if there only one object returned.
And
When adding STIX 2 content, clientsÂMUSTÂdeliver all objects in a TAXIIÂenvelope.Â
Â
If STIX BundlesÂareÂTAXII envelopes, then there is no ambiguity.
However, there is a slight semantic argumentÂto be made around "is" or "is not". My interpretation would be that BundlesÂ
areÂEnvelopes, but EnvelopesÂ
are notÂBundles. Envelopes do not include the required 'type' and 'id' fields to be interpreted as Bundles. However, an Envelope has only 3 (optional) properties, one of which is 'objects'. So a Bundle could be interpreted as an Envelope. This is further supported by the 'Must Ignore' property of I-JSON for "unrecognized fields" (
https://tools.ietf.org/html/rfc7493, Sec. 4.2).
Is this interpretation correct? Furthermore, is allowing a Bundle for the 'Add Objects' API in TAXII 2.1 acceptable?
Best regards,
Adam Pearce