[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti] Update from STIX Package renaming Mini-Group
Jason Keirstead wrote this message on Tue, May 03, 2016 at 14:07 -0300: > That seems like a TAXII level problem, if anything. > > I don't see how having IDs would even solve that problem, without changes > to TAXII to allow someone to say something like "bundle recieved" I agree... I don't think Bundles should have IDs. We decided that STIX was going to be a transport mechanism, not a document format. If you don't have the TLO's you need, then you need to request the missing TLO's from your higher level transport, ala Bret's example w/ TAXII or via your transport mechanism. As soon as you add an ID to a STIX Bundle, you are now adding meaning to the grouping and we loose the Bundle is just a set of (possibly) unrelated STIX objects. > From: "Jordan, Bret" <bret.jordan@bluecoat.com> > To: Jason Keirstead/CanEast/IBM@IBMCA > Cc: Allan Thomson <athomson@lookingglasscyber.com>, Mark Davidson > <mdavidson@soltra.com>, "cti@lists.oasis-open.org" > <cti@lists.oasis-open.org> > Date: 05/03/2016 02:03 PM > Subject: Re: [cti] Update from STIX Package renaming Mini-Group > Sent by: <cti@lists.oasis-open.org> > > > > I agree with Jason... I know the request on the call was about how do you > know if you did not get a bundle. That seems to be an implementation / > transport level issue, not a language level issue. Allan / Terry? Thoughts? > Is there another way of doing what you asked without having an ID field? > > > Thanks, > > Bret > > > > Bret Jordan CISSP > Director of Security Architecture and Standards | Office of the CTO > Blue Coat Systems > PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 > "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can > not be unscrambled is an egg." > > On May 3, 2016, at 10:08, Jason Keirstead <Jason.Keirstead@ca.ibm.com > > wrote: > > > > Open question - adding an identifier "so that it can be tracked", > implies that it SHOULD be tracked. > > As an implementer - why do I need to track bundles, as all a bundle > is is a whole bunch of content that may or may not be related? > > I would argue that we should not encourage the storage or tracking of > the bundle structure, and therefore they should not have IDs. > > - > Jason Keirstead > STSM, Product Architect, Security Intelligence, IBM Security Systems > www.ibm.com/security | www.securityintelligence.com > > Without data, all you are is just another person with an opinion - > Unknown > > > <graycol.gif>Allan Thomson ---05/03/2016 12:23:49 PM---As discussed > on the call today I would like to propose that we add an identifier > attribute for the b > > From: Allan Thomson <athomson@lookingglasscyber.com> > To: Mark Davidson <mdavidson@soltra.com>, "cti@lists.oasis-open.org" > <cti@lists.oasis-open.org> > Date: 05/03/2016 12:23 PM > Subject: Re: [cti] Update from STIX Package renaming Mini-Group > Sent by: <cti@lists.oasis-open.org> > > > > > > As discussed on the call today I would like to propose that we add an > identifier attribute for the bundle so that it can be tracked. > > { > "type": "bundle", > "spec_version": "stix-2.0”, > “id”: “bundle--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f" > "indicators": [ > { > "type": "indicator", > "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", > "created_by_ref": "source--f431f809-377b-45e0-aa1c-6a4751cae5ff", > "created_time": "2016-04-29T14:09:00.123456Z", > "revision": 1, > "modified_time: "2016-04-29T14:09:00.123456Z", > "object_marking_refs": > ["marking-definition--089a6ecb-cc15-43cc-9494-767639779123"], > "title": "Poison Ivy Malware", > "description": "This file is part of Poison Ivy", > "pattern": "file-object.hashes.md5 = > '3773a88f65a5e780c8dff9cdc3a056f3'" > } > ], > { > "type": "marking-definition", > "id": "marking-definition--089a6ecb-cc15-43cc-9494-767639779123", > "created_time": "2016-02-19T09:11:01Z", > "definition_type": "tlp", > "definition": { > "tlp": "GREEN" > } > } > } > > > From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf > of Mark Davidson <mdavidson@soltra.com> > Date: Friday, April 29, 2016 at 9:56 AM > To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> > Subject: [cti] Update from STIX Package renaming Mini-Group > > All, > > Here is a quick update from the STIX Package name mini-group. The > mini group is proposing: > Renaming STIX-Package to STIX-Bundle > STIX-bundle is simply a transport container > STIX-Bundle is a grouping of STIX content that isn’t > required to be related (it MIGHT be related, but being in > the same bundle doesn’t mean it’s related) > Removing all TLO Common Properties (with an open question > about Data Markings) > Removed properties: id, created_by_ref, > created_time, revision, modified_time, > revoked, revision_comment, confidence, > object_markings_refs, granular_markings > STIX-Bundle will keep the `spec_version` property > All content in the bundle MUST be the same STIX version > (identified by spec_version) > There is an open question about whether Data Markings should be in > the STIX-Bundle. Arguments for keeping it are: > The group seemed to have consensus that Bundle-level > markings were desired, but evidence was difficult for the > mini-group to find. > Certain sharing communities would appreciate the > simplicity of package marking. > It makes objects look smaller and is more natural for > people who are new to the specs > Arguments for removing it are: > Data Marking at the bundle level is “two ways of doing > things” - on-the-object markings and on-the-bundle > markings > TLO signatures will not be valid when the Bundle-level > markings are used > > Thank you. > -Mark > > > [attachment "signature.asc" deleted by Jason Keirstead/CanEast/IBM] > -- John-Mark
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]