OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [cti] CTI TC Adoption and Interoperability SCs

Eric - I hear what you are saying below, but the major problem I see with this approach is as follows: If profiles are only used for product branding/marketing/certification purposes and not by the protocol itself, then there is no guarantee that a solution is implementing a profile as advertised. Whereas, if profile negotiation is part of TAXII, then I can be assured that someone advertising they support Profile A actually supports it, as it is actually part of the protocol.

Unless you foresee some certification body tasked with certifying that someone who advertises Profile A implements all the objects required for that profile? This seems like it would be something that would fall outside OASIS scope. Without such a certification process, then having profiles exist without being part of the protocol is a recipe for a real interoperability mess where Vendor A and B both claim to support the profile, even though they can not communicate. This is the type of thing that for example classically made UPNP AV profiles so problematic... two vendors claimed to support a profile yet the profiles had incompatible implementations so the devices could not talk to eachother.

Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown

Inactive hide details for Eric Burger ---2015/07/13 11:41:56 AM---I am (clearly) all for profiles. However, negotiating at the Eric Burger ---2015/07/13 11:41:56 AM---I am (clearly) all for profiles. However, negotiating at the profile level would be very bad for the

From: Eric Burger <Eric.Burger@georgetown.edu>
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Date: 2015/07/13 11:41 AM
Subject: Re: [cti] CTI TC Adoption and Interoperability SCs
Sent by: <cti@lists.oasis-open.org>

I am (clearly) all for profiles. However, negotiating at the profile level would be very bad for the future of the protocol.

Let us say we have Profile A that uses STIX optional* features S1, S2, and S3 as well as CybOX objects O1, O2, and O3. Then we have Profile B that uses STIX optional features S2, S3, and S4 as well as CybOX objects O1, O3, and O4. Profile A and B are well-known, are in the registry, and are broadly implemented.

Tomorrow, my buddies and I (e.g., trading partners) come up with a new use case. Let us call it Use Case C. Use Case C uses STIX features S1, S3, and S4 and CybOX object O1, O2, and O4.

If we negotiate at the STIX and CybOX level, my new use case just works. As it happens, everybody implements S1, S3, S4, O1, O2, and O4. Life is good. We just quashed a major attack from a real baddie through the wonders of information sharing and the power of TAXII, STIX, and CybOX. Thank you DHS, MITRE, and the community for all of our hard work. It paid off.

Now let us imagine what happens if we negotiate at the Profile level. Again, my buddies and I come up with Use Case C. However, before we can use it, we have to bring it to OASIS. Now, OASIS works (today) a lot faster than the ITU-T or the IETF. So, in a scant six months, we publish Profile C. Then, the vendors start to pick it up. Within two years, everybody that cares about Use Case C can negotiate support for it.

In the intervening three years, bank accounts are drained, the power grid got shut off, and child pornography runs rampant.

Worse yet, enterprises who cared about Profile A and Profile B did not think care about Profile C. So, they chose not to pay their vendors megabucks for the Profile C ‘upgrade.’ It is a real upgrade, in that the systems need to know about Profile C to negotiate for it. However, it is an upgrade in quotes, because no new STIX or CybOX support needed to be implemented. Of course, you know what comes next. Those enterprises succumb to Use Case C attacks. Now, Armageddon was launched as Use Case C turns out to be an APT that targets the SBLM MIRV fire control system. Bad day for the world.

All because we decided to negotiate profiles and not capabilities.

Please, keep negotiation at the building block level, not the profile level. Profiles are incredibly useful to let purchasers of CTI systems know what they are buying and likewise they are incredibly useful to manufacturers of CTI systems to let them know what to build. However, profiles are harmful as a protocol mechanism.

* Notice that profiles only tell folks what optional (SHOULD, MAY) features need to be there. Of course, all mandatory features are there. Otherwise, you should not call your product an implementation of TAXII, STIX, and CybOX.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]