OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [cti] Thoughts on STIX and some of the other threads on this list [formats discussion]


I think your points 1-8 are valid and we should really try and get this done, sooner rather than later...  

On your point about forcing the standards to all have the same MTI, I am not sure I fully agree... I think it is important that STIX and CybOX do the same thing for sure.  But I do not see any rational for forcing TAXII to do the same thing, other than it being a mandate.  Now, do not get me wrong, if they all end up doing the same thing than that would be great.  But there is no real requirement for that.  

TAXII as a protocol and not a language like STIX, needs to be able to adapt more quickly to changes in networking technologies or transport needs.  For example, as HTTP/2 becomes more main stream, we may need to do things different in TAXII and that needs to be independent of needing to make changes for STIX/CybOX.  There needs to be a separation there.  

So TAXII 2.0 might be, for example JSON and TAXII 3.0 might be Binary.  TAXII really needs to be able to adapt to what is best for the transport of the data over the network and STIX and CybOX need to adapt to what is the best for the tools and programs that will be displaying and using the data.

So it would be great if they were the same, but I do not see a requirement that they MUST be the same.  

Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Sep 15, 2015, at 10:02, Wunder, John A. <jwunder@mitre.org> wrote:

Hi everyone,

In an effort to come to some agreement on this topic and move forward I attempted to summarize a bunch of points that I think I saw general agreement on. I ran these points by a bunch of my MITRE co-workers (Sean Barnum, Mark Davidson, John Wunder, Ivan Kirillov, and Jon Baker) and they all agreed both with the points themselves and that there was general (not complete) agreement on the points.
 
1. It makes sense to have a single binding specification be “mandatory to implement” (MTI).
2. We should allow for the development of any number of other binding specifications that the community would find useful given sufficient interest.
3. All of these binding specifications will be driven off of a single high-level model.
4. Both the high-level model and each binding specification should be formalized as CTI work products.
5. The python-* APIs developed by DHS/MITRE would only support the MTI binding specification. Obviously, support for other bindings (or alternative versions of the MTI format bindings) could be developed by others.
6. We need more discussion over what the MTI format should be. There’s a lot of support for JSON but we haven’t seen a lot of concrete discussion of requirements and trade-offs.
7. We should start the work to identify the single MTI format now in order to get some informal consensus soon so that going forward we can focus our efforts on improving the data model.
8. All of these agreements that we reach on format in the near-term are informal and if a substantive requirement is identified later in the data modeling work (or even outside of that) that changes the analysis we can revisit the decision.

There wasn't a lot of list discussion on this, but in my opinion in order to ensure best compatibility among the OASIS CTI specs the MTI format should be consistent across STIX, CybOX, and TAXII.
 
So my proposal is that over the next few weeks, let’s have an in-depth discussion at the TC level about what the single MTI format should be. We can talk about our requirements and why we prefer one or the other, discuss the trade-offs of each, put together some examples, and hopefully hear from some more people. Once we have rough consensus (note: not complete agreement), we’ll document the entire discussion (requirements, trade-offs, examples, final decision) on the wiki and move on. If the topic comes up again, we refer people to the wiki. Once the time comes to formalize the MTI decision (ie. we’re preparing a release of STIX, TAXII, and/or CybOX) we review the analysis to see if it’s still valid against our updated requirements and, if so, go with that. If not, revisit it with those new improved requirements in mind.

As many people have said, format is not the most pressing topic we have to deal with. This path will allow us to get some closure on it near-term and move on to the more important work of improving the model.

What do you think?

John

=== snipped a massive amount of previous discussion about format(s) ===

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]