Subject: Re: [cti] Update from STIX Package renaming Mini-Group


Jason Keirstead wrote this message on Tue, May 03, 2016 at 14:07 -0300:
> That seems like a TAXII level problem, if anything.
> 
> I don't see how having IDs would even solve that problem, without changes
> to TAXII to allow someone to say something like "bundle received"

I agree...  I don't think Bundles should have IDs.

We decided that STIX was going to be a transport mechanism, not a
document format.  If you don't have the TLOs you need, then you need
to request the missing TLOs from your higher level transport, a la
Bret's example w/ TAXII or via your transport mechanism.

As soon as you add an ID to a STIX Bundle, you are now adding meaning
to the grouping and we lose the idea that the Bundle is just a set of
(possibly) unrelated STIX objects.

> From:	"Jordan, Bret" <bret.jordan@bluecoat.com>
> To:	Jason Keirstead/CanEast/IBM@IBMCA
> Cc:	Allan Thomson <athomson@lookingglasscyber.com>, Mark Davidson
>             <mdavidson@soltra.com>, "cti@lists.oasis-open.org"
>             <cti@lists.oasis-open.org>
> Date:	05/03/2016 02:03 PM
> Subject:	Re: [cti] Update from STIX Package renaming Mini-Group
> Sent by:	<cti@lists.oasis-open.org>
> 
> 
> 
> I agree with Jason... I know the request on the call was about how do you
> know if you did not get a bundle.  That seems to be an implementation /
> transport level issue, not a language level issue. Allan / Terry? Thoughts?
> Is there another way of doing what you asked without having an ID field?
> 
> 
> Thanks,
> 
> Bret
> 
> 
> 
> Bret Jordan CISSP
> Director of Security Architecture and Standards | Office of the CTO
> Blue Coat Systems
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can
> not be unscrambled is an egg."
> 
>       On May 3, 2016, at 10:08, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:
> 
> 
> 
>       Open question - adding an identifier "so that it can be tracked",
>       implies that it SHOULD be tracked.
> 
>       As an implementer - why do I need to track bundles, as all a bundle
>       is is a whole bunch of content that may or may not be related?
> 
>       I would argue that we should not encourage the storage or tracking of
>       the bundle structure, and therefore they should not have IDs.
> 
>       -
>       Jason Keirstead
>       STSM, Product Architect, Security Intelligence, IBM Security Systems
>       www.ibm.com/security | www.securityintelligence.com
> 
>       Without data, all you are is just another person with an opinion -
>       Unknown
> 
> 
> 
>       From: Allan Thomson <athomson@lookingglasscyber.com>
>       To: Mark Davidson <mdavidson@soltra.com>, "cti@lists.oasis-open.org"
>       <cti@lists.oasis-open.org>
>       Date: 05/03/2016 12:23 PM
>       Subject: Re: [cti] Update from STIX Package renaming Mini-Group
>       Sent by: <cti@lists.oasis-open.org>
> 
> 
> 
> 
> 
>       As discussed on the call today I would like to propose that we add an
>       identifier attribute for the bundle so that it can be tracked.
> 
>       {
>         "type": "bundle",
>         "spec_version": "stix-2.0",
>         "id": "bundle--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
>         "indicators": [
>           {
>             "type": "indicator",
>             "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
>             "created_by_ref": "source--f431f809-377b-45e0-aa1c-6a4751cae5ff",
>             "created_time": "2016-04-29T14:09:00.123456Z",
>             "revision": 1,
>             "modified_time": "2016-04-29T14:09:00.123456Z",
>             "object_marking_refs": [
>               "marking-definition--089a6ecb-cc15-43cc-9494-767639779123"
>             ],
>             "title": "Poison Ivy Malware",
>             "description": "This file is part of Poison Ivy",
>             "pattern": "file-object.hashes.md5 = '3773a88f65a5e780c8dff9cdc3a056f3'"
>           }
>         ],
>         "marking_definitions": [
>           {
>             "type": "marking-definition",
>             "id": "marking-definition--089a6ecb-cc15-43cc-9494-767639779123",
>             "created_time": "2016-02-19T09:11:01Z",
>             "definition_type": "tlp",
>             "definition": {
>               "tlp": "GREEN"
>             }
>           }
>         ]
>       }
> 
> 
>       From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf
>       of Mark Davidson <mdavidson@soltra.com>
>       Date: Friday, April 29, 2016 at 9:56 AM
>       To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
>       Subject: [cti] Update from STIX Package renaming Mini-Group
> 
>       All,
> 
>       Here is a quick update from the STIX Package name mini-group. The
>       mini-group is proposing:
>         - Renaming STIX-Package to STIX-Bundle
>         - STIX-Bundle is simply a transport container
>         - STIX-Bundle is a grouping of STIX content that isn’t required
>           to be related (it MIGHT be related, but being in the same
>           bundle doesn’t mean it’s related)
>         - Removing all TLO Common Properties (with an open question
>           about Data Markings)
>             - Removed properties: id, created_by_ref, created_time,
>               revision, modified_time, revoked, revision_comment,
>               confidence, object_markings_refs, granular_markings
>         - STIX-Bundle will keep the `spec_version` property
>         - All content in the bundle MUST be the same STIX version
>           (identified by spec_version)
>       There is an open question about whether Data Markings should be in
>       the STIX-Bundle. Arguments for keeping it are:
>         - The group seemed to have consensus that Bundle-level markings
>           were desired, but evidence was difficult for the mini-group to
>           find.
>         - Certain sharing communities would appreciate the simplicity of
>           package marking.
>         - It makes objects look smaller and is more natural for people
>           who are new to the specs.
>       Arguments for removing it are:
>         - Data Marking at the bundle level is “two ways of doing things”:
>           on-the-object markings and on-the-bundle markings
>         - TLO signatures will not be valid when the Bundle-level markings
>           are used
> 
>       Thank you.
>       -Mark
> 
> 
> 



-- 
John-Mark
