Bret & All:
The only thing I would add is the word "/CybOX" after STIX in the
first paragraph. I believe we talked about this being part of the
Common Core, right? As such, I believe the specification language
should call out both standards.
Jane Ginn
CTIN
On 1/20/2016 12:32 PM, Jordan, Bret
wrote:
I agree. I would like to motion that we move this out of general
debate and move it in to the crafting of normative text. I think
the proposal we can all agree on, or that we have general
consensus on is:
Timestamps in STIX will use a single
RFC3339 timestamp field that includes the "Z" timezone
offset (example: 2016-01-20T12:27:53.123456Z). All
timestamps MUST be in UTC. Timestamps may include any number
of subsection precision. A corresponding text precision
field with year, month, day, hour, minute, second (default =
second). The values for the precision field MUST be all
lower-case. The precision is interpreted the same as
ISO-8601, a floor. The timestamp precision field is
optional. A producer recording time from something in US
EST time, would need to convert that time to UTC before
sending it across the wire.
A timestamp know only to a year would look like:
{
"timestamp":
"2016-00-00T00:00:00Z",
"timestamp_precision": "year"
}
A timestamp known only to an hour would look like:
{
"timestamp":
"2016-01-20T12:00:00Z",
"timestamp_precision": "hour"
}
A timestamp known to a second or
where the precision is unknown would look
like:
{
"timestamp":
"2016-01-20T12:31:12Z"
}
A timestamp known to 5 digit sub
second precision would look like:
{
"timestamp":
"2016-01-20T12:31:12.12345Z",
}
Thanks,
Bret
Bret
Jordan CISSP
Director of
Security Architecture and
Standards | Office of the
CTO
Blue Coat Systems
PGP
Fingerprint: 63B4 FC53
680A 6B7D 1447 F2C0
74F8 ACAE 7415 0050
"Without
cryptography vihv vivc
ce xhrnrw, however, the
only thing that can not
be unscrambled is an
egg."
|