RE: [Non-DoD Source] RE: [cti] RE: Versioning Background Docs

["Mates, Jeffrey CIV DC3/DCCI" <Jeffrey.Mates@dc3.mil>]

My understanding is that in general versioning should be handled using the
CTI Core "created_at" attribute which exists on both objects and
relationships.  If this changes any object with a deterministic hash would
also have its GUID change.  As such different versions of an object would
respect each other's unique GUIDs thus protecting referential integrity.

Even without a deterministic hash this would still be possible by simply
generating a new GUID every time a new version of an object or relationship
is produced.

Jeffrey Mates, Civ DC3/DCCI
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Computer Scientist
Defense Cyber Crime Institute
jeffrey.mates@dc3.mil
410-694-4335


-----Original Message-----
From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf
Of Jason Keirstead
Sent: Monday, March 14, 2016 11:27 AM
To: Taylor, Marlon
Cc: cti@lists.oasis-open.org; Mates, Jeffrey CIV DC3/DCCI;
marlon.taylor@us-cert.gov
Subject: [Non-DoD Source] RE: [cti] RE: Versioning Background Docs

Are you saying that versions will only exist on relationship objects? How
will that help me figure out if a given threat actor's description is the
most recent.


-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown 


Inactive hide details for "Taylor, Marlon" ---03/14/2016 12:07:46
PM---Correct. Hashing won't provide that capability. Relation"Taylor,
Marlon" ---03/14/2016 12:07:46 PM---Correct. Hashing won't provide that
capability. Relationships will provide what you're looking for.

From: "Taylor, Marlon" <Marlon.Taylor@hq.dhs.gov>
To: Jason Keirstead/CanEast/IBM@IBMCA
Cc: "Mates, Jeffrey CIV DC3/DCCI" <Jeffrey.Mates@dc3.mil>,
"cti@lists.oasis-open.org" <cti@lists.oasis-open.org>,
"marlon.taylor@us-cert.gov" <marlon.taylor@us-cert.gov>
Date: 03/14/2016 12:07 PM
Subject: RE: [cti] RE: Versioning Background Docs

________________________________




Correct. Hashing won't provide that capability.

Relationships will provide what you're looking for.

-Marlon



________________________________

From: Jason Keirstead
Sent: Monday, March 14, 2016 10:56:04 AM
To: Taylor, Marlon
Cc: Mates, Jeffrey CIV DC3/DCCI; cti@lists.oasis-open.org;
marlon.taylor@us-cert.gov
Subject: RE: [cti] RE: Versioning Background Docs


Apologize for my confusion but I don't really understand what is being
discussed in this thread. 

Are people talking about IDs or Versions? What does hashing have to do with
versioning?

I (hope?) people are not advocating to simply hash the contents of the
object and use that as a version? That is not workable. A version has to be
continually incrementing. I need to be able to look at a version and know if
it is the latest version or if it is stale. You can't do that with hashes.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown 


Inactive hide details for "Taylor, Marlon" ---03/14/2016 11:42:28 AM---Hi
All, Jeff and I spoke offline and we are in agreement"Taylor, Marlon"
---03/14/2016 11:42:28 AM---Hi All, Jeff and I spoke offline and we are in
agreement with the hash based approach. Some takeaway

From: "Taylor, Marlon" <Marlon.Taylor@hq.dhs.gov>
To: "Mates, Jeffrey CIV DC3/DCCI" <Jeffrey.Mates@dc3.mil>,
"cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Cc: "marlon.taylor@us-cert.gov" <marlon.taylor@us-cert.gov>
Date: 03/14/2016 11:42 AM
Subject: RE: [cti] RE: Versioning Background Docs Sent by:
<cti@lists.oasis-open.org> 

________________________________




Hi All,

Jeff and I spoke offline and we are in agreement with the hash based
approach. Some takeaways:
- cleared up "shallowness" of shallow objects
- conveyed the idea of relationships which contain arrays of ids (he calls
them link aggregators)

As we finalize objects across the TC we can go into object-specific required
fields. Ex: should every Indicator have an observable?

Keep up the feedback. 

-Marlon 



________________________________

Attachment: smime.p7s
Description: S/MIME cryptographic signature