OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [cti] RE: Versioning Background Docs

Hi All,

An email for our international members and US all-nighters.

I was going to type up my strategy for versioning but as I reviewed the top 2 links(see below), I saw Sean summarized it in Option 3 (honestly I was going to say the same thing, basically). The only difference in my approach is the use of a HASH rather than a GUID for the ID. So format: [ObjectType-HASH]

Since Sean did such a good job analyzing and summarizing a point I was going to make, I'll focus on my reasons for a HASH over a GUID.

HASH based IDs:
-          Meaningful IDs: with GUIDs there is no relationship between the ID and content however hashed based IDs will be directly related to the content.
-          Secret searches: someone could request info on [ObjectType-HASH] without having to convey what [ObjectType-HASH] is. This could be done with GUIDs however GUIDs are not based on the content so there’s no assurance, without first requesting that object, that you are getting what you think you’re referencing (you might want to always ask for a copy of what you’re referencing).
-          Duplicate detection: since the hashing process will be part of the standard (part of this idea) consumers/producers/brokers will be able to determine if a given content is a duplicate or not.
o   This is an issue that hasn’t been addressed formally but can be resolved CTI wide right here.
-          Data Integrity/Assurance: since the hashing process will be know, consumers can double-check the provided hash by computing the hash to determine if there is mismatch.
o   This addresses concerns about ensuring all needed data is passed along with content.

A question about tracking evolving content such as incident/campaign has been brought up(Sean also mentioned this concern).

1.       How will this work for evolving content(or series) such as incidents?
a.       Evolving content can be tracked via relationships
2.       Will a new version (hash) keep the relationships of the former version?
a.       Not implicitly. All relationships to the new version must be explicitly established.
                                                              i.      This also has advantages for derivative work concealment (don’t worry about how I got it just know this is what it is)
3.       Will a user need to keep all explicit versions of an incident(or series)?
a.       No. Users are free to keep/destroy what they want.

Open Questions:
1.       What hash algorithm should be used? (eg.SHA-256)
2.       What fields should be included in the hash?
3.       What if the provided hash and the computed hash don’t match?
a.       Reject the content
b.      Ignore the provided hash (replace with computed hash) and process the content
c.       Add the provided hash as an alternative id (TBD) re-hash content

These links were sent to me from some one on the mailing list (Thanks!)
1.       http://making-security-measurable.1364806.n2.nabble.com/STIX-Content-Revision-and-Revocation-td7582483.html
2.       http://making-security-measurable.1364806.n2.nabble.com/STIX-Content-Revision-and-Revocation-tp7582483p7582620.html
Image files:  (I think these are the images I created, way back, in response to Sean’s diagrams)
3.       http://making-security-measurable.1364806.n2.nabble.com/attachment/7582637/0/pg4.png
4.       http://making-security-measurable.1364806.n2.nabble.com/attachment/7582637/1/Sharing.png
·         http://making-security-measurable.1364806.n2.nabble.com/template/NamlServlet.jtp?macro=search_page&node=7579090&query=revocation&days=0

What do you think?

Marlon Taylor
Technology Services Section (TSS)
National Cybersecurity & Communications Integration Center (NCCIC)
U.S. Department of Homeland Security


From: cti@lists.oasis-open.org on behalf of Wunder, John A.
Sent: Friday, March 11, 2016 11:20:02 AM
To: Taylor, Marlon; cti@lists.oasis-open.org
Cc: marlon.taylor@us-cert.gov
Subject: Re: [cti] RE: Versioning Background Docs

Thanks Marlon.

This is good background material and I’d encourage everyone participating in the versioning to read it. It’s targeted at STIX 1.1 rather than 2.0 so you’ll have to mentally replace “time” with “serial number” or “revision” but the questions are still the same.

I’m also planning to either hunt down some existing scenarios or put together new ones that include real data so we can really dig into what this would mean in practice. I’ll send those out to the list when I’m finished.


From: <cti@lists.oasis-open.org> on behalf of Marlon Taylor <Marlon.Taylor@hq.dhs.gov>
Date: Friday, March 11, 2016 at 9:20 AM
To: Marlon Taylor <Marlon.Taylor@hq.dhs.gov>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Cc: "marlon.taylor@us-cert.gov" <marlon.taylor@us-cert.gov>
Subject: [cti] RE: Versioning Background Docs

I extracted the embedded doc and converted the email body to PDF to ease any issues opening the previous email archive attachment.






From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Taylor, Marlon
Sent: Thursday, March 10, 2016 6:45 PM
To: cti@lists.oasis-open.org
Cc: marlon.taylor@us-cert.gov
Subject: [cti] Versioning Background Docs



Hi All,


I posted the attached files on #versioning channel on Slack(https://cti-tc.slack.com/messages/versioning/). These docs were generated by the STIX community way back, late 2013 - early 2014, when we tried to address versioning.


They contain use cases and some explanations of concerns/ideas around the general topic of versioning like IDs, Versioning, Duplicates, and Revocation. It would be beneficial to reference these in our strategy for versioning (not excluding other items). Once everyone has a chance to go there the previous work we can collaborate and look at strategies for moving forward.


Looking forward to working with you on this.


Marlon Taylor

Technology Services Section (TSS)

National Cybersecurity & Communications Integration Center (NCCIC)

U.S. Department of Homeland Security




[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]