Subject: RE: [Non-DoD Source] RE: [cti] RE: Versioning Background Docs
My understanding is that in general versioning should be handled using the CTI Core "created_at" attribute, which exists on both objects and relationships. If this changes, any object with a deterministic hash would also have its GUID change. As such, different versions of an object would respect each other's unique GUIDs, thus protecting referential integrity. Even without a deterministic hash this would still be possible by simply generating a new GUID every time a new version of an object or relationship is produced.

Jeffrey Mates, Civ DC3/DCCI
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Computer Scientist
Defense Cyber Crime Institute
jeffrey.mates@dc3.mil
410-694-4335

-----Original Message-----
From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Jason Keirstead
Sent: Monday, March 14, 2016 11:27 AM
To: Taylor, Marlon
Cc: cti@lists.oasis-open.org; Mates, Jeffrey CIV DC3/DCCI; marlon.taylor@us-cert.gov
Subject: [Non-DoD Source] RE: [cti] RE: Versioning Background Docs

Are you saying that versions will only exist on relationship objects? How will that help me figure out if a given threat actor's description is the most recent?

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown

________________________________

From: "Taylor, Marlon" <Marlon.Taylor@hq.dhs.gov>
To: Jason Keirstead/CanEast/IBM@IBMCA
Cc: "Mates, Jeffrey CIV DC3/DCCI" <Jeffrey.Mates@dc3.mil>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, "marlon.taylor@us-cert.gov" <marlon.taylor@us-cert.gov>
Date: 03/14/2016 12:07 PM
Subject: RE: [cti] RE: Versioning Background Docs

Correct. Hashing won't provide that capability. Relationships will provide what you're looking for.

-Marlon

________________________________

From: Jason Keirstead
Sent: Monday, March 14, 2016 10:56:04 AM
To: Taylor, Marlon
Cc: Mates, Jeffrey CIV DC3/DCCI; cti@lists.oasis-open.org; marlon.taylor@us-cert.gov
Subject: RE: [cti] RE: Versioning Background Docs

Apologize for my confusion but I don't really understand what is being discussed in this thread.

Are people talking about IDs or Versions? What does hashing have to do with versioning?

I (hope?) people are not advocating to simply hash the contents of the object and use that as a version? That is not workable. A version has to be continually incrementing. I need to be able to look at a version and know if it is the latest version or if it is stale. You can't do that with hashes.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown

________________________________

From: "Taylor, Marlon" <Marlon.Taylor@hq.dhs.gov>
To: "Mates, Jeffrey CIV DC3/DCCI" <Jeffrey.Mates@dc3.mil>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Cc: "marlon.taylor@us-cert.gov" <marlon.taylor@us-cert.gov>
Date: 03/14/2016 11:42 AM
Subject: RE: [cti] RE: Versioning Background Docs
Sent by: <cti@lists.oasis-open.org>

Hi All,

Jeff and I spoke offline and we are in agreement with the hash based approach.

Some takeaways:
- cleared up "shallowness" of shallow objects
- conveyed the idea of relationships which contain arrays of ids (he calls them link aggregators)

As we finalize objects across the TC we can go into object-specific required fields. Ex: should every Indicator have an observable?

Keep up the feedback.

-Marlon

________________________________