Subject: Re: [cti] Timestamp Serialization Question
It is simple and there isn't room for ambiguity - the window is defined as the precision field, on both sides of the provided timestamp. If I provide you 12:00:00 with 1 minute precision, then it means any time from 11:59:00 to 12:01:00.
This is how all time-critical systems operate. For example, when you grab packets off of a 10G interface, the timestamps give you a value in nanoseconds, but if you read the documentation, the value is normally +/- some level of nanoseconds (10 to 100 or more, depending on hardware and other situations) - it is a window on either side of the value given. It's not that the value given is the floor or the ceiling - the value is the center of the confidence interval and you have to go on either side. For STIX to buck this trend and say our timestamps are specifying the floor of the confidence interval would be very strange and counter-intuitive.
-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
Eric Burger ---01/19/2016 10:48:43 PM---This is another violent agreement, “yes, and” situations. Yes, this is how the data gets generated i
From: Eric Burger <Eric.Burger@georgetown.edu>
To: cti@lists.oasis-open.org
Date: 01/19/2016 10:48 PM
Subject: Re: [cti] Timestamp Serialization Question
Sent by: <cti@lists.oasis-open.org>
So, we could do it that way - which would require the producer to take the equivalent of 100% of their known precision and adjust their timestamps downward accordingly. I would argue strongly though that this is pretty much *never* how this is done in industry and would result in confusion. Normally the onus is on the consumer of information to interpret the producer's information as they see fit when they know the precision.
Here is the difference:
- If I follow the specification below, and I read the time 12:00:00 off the clock and know my precision to be minute-level, then I would have to supply a timestamp of 11:59:00 with a precision of 1 minute (note here the importance, that minute-level precision is not the same as 60 second precision - it actually requires 2x the confidence interval time-boxing - this is important!). The consumer would then take that information and know "OK the time starts at 11:59:00 and ends between then and 12:01:00"
- The way it is normally done instead, is the producer of the time-sensitive information just sends whatever time came off of their information-producing source. The consumer of that information then constructs the time-box around whatever rules they see fit. To carry forward the above example, the producer would send me 12:00:00 with 1 minute precision, and I would know implicitly, if I care about this at all, that that event could have occurred any time between 11:59:00 and 12:01:00.
I think that the second method is how pretty much all systems behave. I have never known a system to behave the first way.
-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
Eric Burger ---01/19/2016 10:06:48 PM---I would offer the important precision is not hours, minutes, or seconds, but number of seconds.
From: Eric Burger <Eric.Burger@georgetown.edu>
To: cti@lists.oasis-open.org
Date: 01/19/2016 10:06 PM
Subject: Re: [cti] Timestamp Serialization Question
Sent by: <cti@lists.oasis-open.org>
The use case as I understand it at a high level is so that when someone submits a timestamp of 12:00:00 zulu, we know the difference between if they truly mean exactly 12:00:00 on the button, or if they only have second-level precision available to them. And this is required because we aren't mandating a fixed format, but RFC 3339 which is variable.
Eric Burger --- Re: [cti] Timestamp Serialization Question ---
From: "Eric Burger" <Eric.Burger@georgetown.edu>
To: cti@lists.oasis-open.org
Date: Tue, Jan 19, 2016 9:30 PM
Subject: Re: [cti] Timestamp Serialization Question
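
Added example, not part of the thread and not STIX code: the two readings of "12:00:00 with 1 minute precision" discussed above, and what happens when a consumer correlates a log event using the wrong one. Function names and sample timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

def parse_rfc3339(ts):
    """Parse an RFC 3339 UTC timestamp such as 2016-01-19T12:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def centered_window(ts, precision):
    """Centre reading: the timestamp is the middle of the window and the
    precision applies on both sides of it."""
    t = parse_rfc3339(ts)
    return t - precision, t + precision

def floor_window(ts, precision):
    """Floor reading: the timestamp is the start of the window."""
    t = parse_rfc3339(ts)
    return t, t + precision

def to_floor_form(ts, precision):
    """What a producer must send under the floor reading to describe the same
    window as the centre reading: shift the timestamp down by the precision
    and double the width (the '2x' remark in the thread)."""
    t = parse_rfc3339(ts)
    return t - precision, 2 * precision

def may_coincide(window, event_ts, event_precision=timedelta(0)):
    """True if an event's own centred window overlaps the given window."""
    lo, hi = window
    e_lo, e_hi = centered_window(event_ts, event_precision)
    return e_lo <= hi and lo <= e_hi

if __name__ == "__main__":
    minute = timedelta(minutes=1)
    reported = "2016-01-19T12:00:00Z"   # constructed: producer's clock reading
    log_event = "2016-01-19T11:59:30Z"  # constructed: consumer's log entry

    print("centre window:", centered_window(reported, minute))
    print("floor form   :", to_floor_form(reported, minute))
    # The same wire value correlates or not depending on the assumed reading.
    print("match (centre):", may_coincide(centered_window(reported, minute), log_event))
    print("match (floor) :", may_coincide(floor_window(reported, minute), log_event))
```

A consumer that applies the floor reading to a producer's unadjusted clock value drops every event in the minute before the reported time, which is the confusion the thread warns about.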