>1) Does it really make sense, other than for historical reasons, to keep these documents separate?
>2) If they were merged, then could not things like MAEC and other standards (that are NOT part of OASIS) just reference the sections that were of interest to them?
No. That approach is not a good way for non-OASIS standards to leverage them apart from the numerous reasons not to combine them in the first place.
I would strongly disagree with any moves to merge these three documents.
Each document represents a different context and a different corresponding standards effort.
CybOX 3.0 is the 3.0 version of the CybOX standard focused on representing the facts of cyber observables independent of any particular implementation context. Having this be a separate standard not tied to any one particular usage context allows
it to be effectively leveraged across multiple different usage contexts (STIX, MAEC, DFAX, and others).
STIX 2.0 is the 2.0 version of the STIX standard focused on representing diverse facets of cyber threat information and how they all interrelate. This includes acting somewhat as an umbrella relating different forms of content whose detailed form
is best represented in independent domain-focused standardized representations (CybOX, MAEC, CVRF, CVE, CAPEC, CWE, DFAX (eventually), etc). Tightly coupling any of these domain-focused representations to STIX would reduce the ability of those domain communities
to effectively manage their own standardized representations and would reduce their effective flexibility.
CTI Common 1.0 is an initial version of a standard focused on representing various information structures common to cyber security information representations. It is important that this remain independent such that different domain-focused representations
can leverage these common structures without needing to pull in domain-specific structures from any other domain-focused representation and so that the “common” structures do not get too heavily biased towards any single domain. CTI Common is currently being
leveraged by CybOX and STIX, will very likely be leveraged by MAEC and DFAX in the future, and has the potential for use within other cyber security representations as well to improve integrative consistency.
These are not simply different documents for parts of one single thing. They are three different documents for three different things.
I believe that merging these three efforts together would fundamentally damage the effectiveness and practicality of the ecosystem we are working to enable.