Handling the entire STIX document at its highest TLP marking is certainly the easiest solution, but it doesn’t address the concept of "tear sheets".
Use Case: I generate a STIX document containing a set of indicators, and relating these indicators to a specific threat actor.
The indicators themselves are TLP GREEN, but the attribution to the threat actor is TLP AMBER.
If the STIX document is handled at its highest TLP marking, I lose the ability to share out the indicators to the broader community, because of the Threat Actor attribution.
In the human-readable world, this is often accomplished through tear sheets. The document would be marked TLP AMBER, but a lower section, marked GREEN, can be "torn off" (or C&Ped into a new document) and shared more broadly as a TLP GREEN document.
In the STIX/TAXII world, I would envision creating a TLP GREEN TAXII feed that would allow access to those top level objects tagged GREEN, while stripping off the TLP AMBER and RED top level objects that were part of the STIX document.
Just my 2 cents,
] On Behalf Of John-Mark Gurney
Sent: Thursday, February 04, 2016 3:51 PM
To: Eric Burger <Eric.Burger@georgetown.edu
Subject: Re: [cti] Missing MTI - what to do?
Eric Burger wrote this message on Mon, Feb 01, 2016 at 19:03 -0500:
I agree with Bret here. The question is what do we do with mixed-level TLP. For example, the whole STIX document is TLP amber, but these elements are TLP red. While the TAXII server might pass or store the whole document, if someone with amber but not red access asks for the document, does the whole document fail? I would offer if the source took the effort to separately indicate amber vs. red, they mean to pass the amber stuff with their trusted TAXII server partner “doing the right thing” with the red elements.
To me, it seems like the document should be marked w/ the highest classification that it contains, so if it has elements which are red, then the document must be red... If that's the case, then it should be less of an issue...
To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at:https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php