
cti-users message



Subject: Re: [cti-users] Questions about TAXII 2.1 Envelopes vs. STIX Bundles


Adam,

Thanks for the find.  I will need to carefully verify this, but I think you are correct. 

Bret


On May 12, 2020, at 8:35 AM, Adam Pearce <adam.pearce@xorsecurity.com> wrote:

Sure thing Marlon!

We also noticed what we think is a minor error in the spec.

The 'GET Object Manifests' API (section 5.3) specifies the 'Accept' header requiring the STIX media type.
Required Headers
Accept: application/taxii+json;version=2.1,application/stix+json;version=2.1

We don't think this is correct because (a) the spec explicitly states removal of all STIX media types in favor of the Envelope response, (b) there is no STIX actually being returned (only TAXII Manifest Resources), (c) the associated 'Response' section does not include the STIX media type in its 'Content-Type' header (which it should, if it were returning that media type).

I don't think we should require the 'Accept' header value, for the above reasons.

Best,
Adam

On Tue, May 12, 2020 at 10:18 AM Taylor, Marlon <Marlon.Taylor@cisa.dhs.gov> wrote:

This is the type of constructive feedback/involvement I'm talking about! (I actually asked the same question last week and yesterday)

 

Thanks Adam,

 

-Marlon

 

From: cti-users@lists.oasis-open.org <cti-users@lists.oasis-open.org> On Behalf Of Adam Pearce
Sent: Tuesday, May 12, 2020 8:05 AM
To: cti-users@lists.oasis-open.org
Cc: Hill, Taneika <Taneika.Hill@cisa.dhs.gov>; Steven Fox <sfox@bcmcgroup.com>; David Ailshire(dailshire@bcmcgroup.com) <dailshire@bcmcgroup.com>; O'Brien, William (CTR) <william.obrien@associates.cisa.dhs.gov>; Taylor, Marlon <Marlon.Taylor@cisa.dhs.gov>; <Marlon.Taylor@us-cert.gov> <Marlon.Taylor@us-cert.gov>
Subject: [cti-users] Questions about TAXII 2.1 Envelopes vs. STIX Bundles

 


 

All,

 

It appears that TAXII 2.1 Envelopes were introduced in such a way that allows their fields to be backwards compatible with STIX Bundles, so that there is compatibility between TAXII 2.0 and TAXII 2.1 clients. 

 

However, there is some ambiguity surrounding the explicitness of the TAXII 2.1 specification. It mentions that

 

When requesting STIX 2 content, that content will always be delivered in a TAXII envelope even if there is only one object returned.

 

And

 

When adding STIX 2 content, clients MUST deliver all objects in a TAXII envelope. 

 

If STIX Bundles are TAXII envelopes, then there is no ambiguity.

 

However, there is a slight semantic argument to be made around "is" or "is not". My interpretation would be that Bundles are Envelopes, but Envelopes are not Bundles. Envelopes do not include the required 'type' and 'id' fields to be interpreted as Bundles. However, an Envelope has only 3 (optional) properties, one of which is 'objects'. So a Bundle could be interpreted as an Envelope. This is further supported by the 'Must Ignore' property of I-JSON for "unrecognized fields" (https://tools.ietf.org/html/rfc7493, Sec. 4.2).

 

Is this interpretation correct? Furthermore, is allowing a Bundle for the 'Add Objects' API in TAXII 2.1 acceptable?

 

Best regards,

Adam Pearce
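
The interpretation asked about in the original message, as an added example that is not part of the thread or of any TAXII implementation: a sketch of how an 'Add Objects' handler could read a POST body as an Envelope, ignoring unrecognized top-level members such as a Bundle's 'type' and 'id', while rejecting the duplicate member names that I-JSON forbids. The function names and sample bodies are constructed for illustration; whether a server should accept Bundles is the open question above, which this sketch does not settle.

```python
import json

# The three optional Envelope properties defined by TAXII 2.1.
ENVELOPE_PROPS = {"more": bool, "next": str, "objects": list}


def _reject_duplicates(pairs):
    """I-JSON (RFC 7493, Sec. 2.3) forbids duplicate member names."""
    seen = {}
    for name, value in pairs:
        if name in seen:
            raise ValueError(f"duplicate member name {name!r}")
        seen[name] = value
    return seen


def parse_as_envelope(body: bytes):
    """Return (envelope, ignored) for a POST body read as an Envelope.

    'ignored' lists top-level members dropped under a Must-Ignore policy
    (RFC 7493, Sec. 4.2). Malformed input raises ValueError.
    """
    doc = json.loads(body.decode("utf-8"), object_pairs_hook=_reject_duplicates)
    if not isinstance(doc, dict):
        raise ValueError("top-level JSON value must be an object")

    envelope, ignored = {}, []
    for name, value in doc.items():
        expected = ENVELOPE_PROPS.get(name)
        if expected is None:
            ignored.append(name)  # e.g. a Bundle's 'type' and 'id'
        elif not isinstance(value, expected):
            raise ValueError(f"{name!r} must be of type {expected.__name__}")
        else:
            envelope[name] = value

    # Each carried object still has to look like a STIX object.
    for obj in envelope.get("objects", []):
        if not isinstance(obj, dict) or "type" not in obj or "id" not in obj:
            raise ValueError("every entry in 'objects' needs 'type' and 'id'")
    return envelope, sorted(ignored)


# Constructed sample bodies (identifiers are made up).
_OBJ = {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001"}
SAMPLE_BUNDLE = json.dumps({"type": "bundle",
                            "id": "bundle--00000000-0000-4000-8000-000000000002",
                            "objects": [_OBJ]}).encode()
SAMPLE_ENVELOPE = json.dumps({"more": False, "objects": [_OBJ]}).encode()
```

Logging the returned `ignored` list lets an operator see how often clients still send Bundles to the endpoint.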



