OASIS Mailing List Archives

cti message


Subject: Re: [cti] RE: Road to final publication of STIX, TAXII, and CyBox as Oasis standards

Just to offer my opinion - the question IMO for newcomers should not be framed as "should we do 1.X or wait"... I feel like that's a false dichotomy. There is no need for vendors to wait for .next to become a blessed OASIS standard to implement it, as nothing stops vendors from implementing and even stating support for provisional standards. The number of vendors who will have implemented support for .next before it is "blessed" is likely to be far greater than zero... vendors will simply make the minor revisions needed (if any) to meet the full compliance once it finally is blessed. This has been the workflow for many standards hotly demanded by the marketplace over the years... modem, Wi-Fi, HTML, CSS, Bluetooth... this happens all the time as vendors can't always wait for the process to come to conclusion before implementation.

I would also say, no one should "wait" - if they're interested then they should get involved, help us create the specs, and perhaps even more importantly, help us by writing code (even if it is internal and can't be shared)... the more people we have involved writing code and testing interoperability the more likely we will be to make a standard that works... waiting on the sidelines won't help that... that's my opinion.

Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


From: Mark Clancy <mclancy@soltra.com>
To: "Struse, Richard" <Richard.Struse@HQ.DHS.GOV>, "OASIS CTI TC Discussion List" <cti@lists.oasis-open.org>
Date: 04/26/2016 10:06 PM
Subject: Re: [cti] RE: Road to final publication of STIX, TAXII, and CyBox as Oasis standards
Sent by: <cti@lists.oasis-open.org>

Thanks Rich this is very helpful!

The main reason I asked about the timeline for “.next” is I have had several conversations with people who are on the sidelines for implementation of “.current” saying in effect “well we will just wait until .next is released before we put this in our products”. They may not realize this is still a far distance away so I advocate they should not wait.


(P.S. Your message was digitally signed from a different address than the key, due to the remailer I suppose, so my mobile email client didn’t play nice with it)

From: <cti@lists.oasis-open.org> on behalf of "Struse, Richard" <Richard.Struse@HQ.DHS.GOV>
Date: Tuesday, April 26, 2016 at 11:23 AM
To: OASIS CTI TC Discussion List <cti@lists.oasis-open.org>
Subject: [cti] RE: Road to final publication of STIX, TAXII, and CyBox as Oasis standards

Thanks for the question and the opportunity to help everyone understand where we are both with the existing specifications and the next major releases.

For the existing specifications here is where we are at:

For each of the three families of specifications once they have been approved as Committee Specifications, the next steps are to collect three or more Statements of Use for each Committee Specification and then hold a Special Majority Ballot to submit those Committee Specifications as Candidate OASIS Standards (COSs). OASIS then publishes the COSs and puts them out for a sixty-day public comment period. After that review, and again assuming we do not need to make any substantive changes, there is a two-week ballot period for voting by the member companies of OASIS. If that ballot passes, the Committee Specifications immediately become OASIS Standards in perpetuity. So, roughly speaking we could have full OASIS standards within ninety days of having approved the Committee Specifications. For STIX and TAXII that translates into mid-August. For CybOX that translates into mid-September.

Separate from the text specifications we also need to approve the XML Binding specifications for STIX and CybOX, which includes the XSD schemas. We have a draft of the STIX document that’s being finalized and will be submitted to the TC shortly for the thirty day review period. The same draft should be usable for CybOX without many modifications and so should also be submitted soon. These specifications will need to go through the same process as the text specifications and, if all goes well, should be finalized a month later (mid-September).

One point of perspective – from my discussions with OASIS, TCs generally average eighteen to twenty-four months from the initial meeting of the TC to having their first set of approved OASIS standards. Therefore, the roughly fifteen months from TC inception that it will take to have approved OASIS standards for our initial specifications is actually faster than most.

As far as the timeframe for the TC to consider and approve new releases of STIX, TAXII and CybOX (your “.next”) I think it is fair to say that we have a number of things going in our favor. First, we are all now familiar with the OASIS process, the document templates and the intricacies of OASIS voting rules. In addition, the specifications for STIX 2.0, TAXII 2.0 and CybOX 3.0 are all being developed with this process in mind and therefore we should be able to expedite this process as much as OASIS rules allow. Assuming that the TC delivers solid Committee Specification Drafts for STIX, TAXII and CybOX in July, in theory we could have approved Committee Specifications by October and full OASIS standards for the next release before the end of Q1 of 2017. Please note that there are a lot of moving parts and some assumptions in these timelines but they are certainly in the realm of the possible. It is up to everyone in the TC to work assiduously to make these a reality.
I hope this addresses your questions.


Richard J. Struse
Chair, OASIS Cyber Threat Intelligence (CTI) Technical Committee

Chief Advanced Technology Officer
National Cybersecurity and Communications Integration Center (NCCIC) and
Stakeholder Engagement and Cyber Infrastructure Resiliency (SECIR)
Cyber Security & Communications
U.S. Department of Homeland Security

Phone: 202-527-2361

From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Mark Clancy
Sent: Thursday, April 21, 2016 11:43 AM
Subject: [cti] Road to final publication of STIX, TAXII, and CyBox as Oasis standards

Great to see so much activity on CTI standards version “.next”, but where exactly are we with getting CTI standards “.current”, namely STIX 1.2.1, TAXII 1.1.1 and whatever version of CybOX goes with them, to final approved, published standards under the OASIS process?

I know the STIX ballot was approved, but there was some formal response to comments needed. Is this complete?
I know the TAXII ballot was withdrawn. When does this come back up and what is needed to do this?
I don’t know where we stand with CybOX, so any updates there?

We have had this TC for what like 8 months and we already started with a well sorted out candidate set for OASIS CTI standards (aka “.current”) to be published, yet we don’t have any of the three actually in final approved & published status.

The other reason I ask this is to set realistic expectations as to how much longer it will be when we finally agree on CTI standards “.next”, how frighteningly long it will take to get them to final approved & published status.


