Re: [cti] Detailed sub-issues for the topic of refactoring "sources"

["Jordan, Bret" <bret.jordan@bluecoat.com>]

My comments are inline

Thanks,

Bret

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

More detailed sub-issues to be discussed/decided:

• What should the structure of the Reference TLO look like?
  • Current proposal is three properties: (this addresses the “external_ids” issue as well)
  • “reference_URL” (optional) - specifies a URL to the external reference
  • “external_identifier” (optional) - specifies an identifier for the external reference content
  • “defining_context” (optional) - specifies the context within which the external_identifier is defined (system, registry, organization, etc.)

[sean]I support the current proposal described here

[jordan] I would like more information and context around these

• Use “created_by_ref” on each TLO as shorthand for “Producer” source relationships?

[sean]I do not believe that this is necessary but I do not object to it being included optionally in addition to explicit relationships.

[jordan] I believe we should have this as an optional field on every TLO.  

• • Should “created_by_ref” shorthand and “Producer” Has Source relationship both be explicitly supported?  What if there is conflicting information?

[sean]Yes. For the time being I support both approaches being explicitly supported.

[jordan] I do not really support the idea of doing a created_by_ref in a relationship.  My thinking right now is I would only have it be on the TLO

• • Should “created_by_ref” be optional or required?

[sean]Optional

[jordan] Optional.  We should allow people to create anonymous content or content that is not attributed to anyone.

• Does leaving out both a created_by_ref and has_source relationship for an object imply anonymity?

[sean]No. I believe that there is a clear distinction between content with an unknown source and content with an explicitly anonymous source. I believe leaving out both a created_by_ref and has_source relationship for an object should imply “unknown” source whereas “anonymous” source should be explicitly asserted with an “Anonymous” Identity object.

[jordan] I think this is splitting hairs.  I think we can support the use of people using a well known ID that equal anonymous.  But in practice, some organizations will just leave it blank.  I think this is best handled inside of eco-systems. 

• What values should be in the default vocabulary for the Roles property on Has Source relationships?

[sean]I would suggest the following list as a good starting point:

• Producer
• Analysis Originator
• Codification Originator
• Translator
• Transformer
• Anonymized
• Reviewer
• Transmitter
• Derivation Resource

[jordan] Not sure yet...  I would need to look at it a bit more.

• Should “Has Source” relationship support many-to-one capability to assert lots of STIX content has the same source in an efficient manner? Is the “efficiency” issue necessary to address at this time?
  • Basically this:
    • Relationship
      • ID = id-5
      • From = id-2, id-3, id-4
      • To = id-1
      • Nature = Has Source
  • Versus this:
  • Relationship
  • ID = id-5
  • From = id-2
  • To = id-1
  • Nature = Has Source
  • Relationship
    • ID = id-6
    • From = id-3
    • To = id-1
    • Nature = Has Source
  • Relationship
    • ID = id-7
    • From = id-4
    • To = id-1
    • Nature = Has Source

[sean]No. I do not believe that “efficiency” is a big enough issue for us to consider this in 2.0. It could always be added in future releases.

[jordan] I would have to see this request within context of everything else in an around this to see if adding it now would increase the burden on implementers. 

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail