Re: [cti] OASIS CTI-wide resolution on the MTI serialization

On Nov 20, 2015, 10:32 AM -0500, Trey Darley <trey@soltra.com>, wrote:

Hi, everybody -

I'm sure you are well aware of the seemingly endless MTI serialization
MTI debate (aka, JSON versus XML). Historically, standardization
efforts following the "rough consensus and running code" model have
been successful. Standardization efforts following the "endless
academic debate within committee" model have not fared so well. Rough
consensus and running code have gotten us to where we're at today and
it is that same model which will ultimately win the day.

There is a vocal minority within the CTI community who present a
chicken and egg scenario where we have to fix the model in stone
before we can decide on the MTI serialization yet no tangible progress
can be made on the model without a serialization in which technical
people can express their ideas in running code. It is time to cut that
Gordian Knot. As one of the co-chairs succintly put it yesterday, "One
fact, if we do not gain adoption greater than 18-20% of the market in
the next year or so, this standard will fade away in to obscurity,
regardless of how neat and perfect the model is. The model is
important, but not the most important. Adoption is the most important
criteria."

The TAXII SC has made phenomenal progress towards defining TAXII 2.0
and may in fact have draft work product by the end of this year. The
CybOX SC, while not quite as far along as the TAXII folks, is moving
rapidly towards a CybOX 3.0 draft spec. What do these SCs have in
common? They're not merely debating use cases in theoretical terms,
but simultaneously working through the actual issues on a technical
level using JSON notation.

Accordingly, the co-chairs are moving to close this debate so that we
can concentrate our efforts on addressing critical issues within the
STIX/CybOX models themselves.

This is in no way to discount the need to translate the refactoring
efforts into UML models for the final OASIS draft specifications. UML
modelling is putting the icing on the cake. Now is the time to
actually *bake* the cake.

Likewise, the co-chairs recognize that there will be communities of
interest requiring alternative serialization formats (XML, protobufs,
JSON-LD, OWL, etc). The OASIS TC has a role to play in helping to
standardize these alternative representations to ensure
interoperabilitity. However, that work effort lies in the future.
First we must complete the task at hand.

Supporters of the resolution:
* Aharon Chernin (Soltra)
* Alexander Foley (Bank of America)
* Bernd Grobauer (Siemens)
* Bret Jordon (Blue Coat)
* David Eilken (Soltra)
* Ivan Kirillov (MITRE)
* Jason Keirstead (IBM)
* Joep Gommers (EclecticIQ)
* John Anderson (Soltra)
* John Wunder (MITRE)
* Jon Baker (MITRE)
* Jonathan Bush (Soltra)
* Mark Davidson (MITRE)
* Richard Struse (DHS)
* Sergey Polzunov (EclecticIQ)
* Trey Darley (Soltra)

And with that, I present to you the formal resolution text as agreed
upon by the co-chairs and hereby motion to put the proposal to a
formal TC-wide vote. Can I get a second to the motion?

<snip
Resolved:
=========
The CTI community will embrace a JSON/JSON Schema-based MTI
representation for the TAXII 2.0, STIX 2.0, and CybOX 3.0 refactoring
efforts.

Elaboration:
============
By adopting an MTI representation, we are explicitly requiring any
vendor or software product claiming CTI-compatibility to minimally
support the JSON serialization. Vendors are free to define and support
additional serializations (XML, protobufs, etc.) to address their
specific use cases, but if they do not support the MTI serialization,
their products are not CTI-interoperable and they cannot claim to
support the CTI standards.

The committee chairs recognize the need for additional optional
serialization formats, either now or in the future. The committee
chairs are prepared to support standardizing alternative serialization
formats for interoperability purposes in collaboration with the
interested parties but until the TC has approved the STIX 2.0, TAXII
3.0 and CybOX 3.0 specifications we as a community do not have the
bandwidth to support this effort.

Regardless of what alternative serialization formats may be defined
and standardized in the future, the JSON MTI will remain the "must be
this tall to ride" in terms of CTI standards compliance.
</snip

--
Cheers,
Trey
--
Trey Darley
Senior Security Engineer
4DAA 0A88 34BC 27C9 FD2B A97E D3C6 5C74 0FB7 E430
Soltra | An FS-ISAC & DTCC Company
www.soltra.com
--
"It is easier to move a problem around (for example, by moving the
problem to a different part of the overall network architecture) than
it is to solve it." --RFC 1925

cti message