Re: [cti] Agenda for August 9 Working Call

["Jordan, Bret" <bret.jordan@bluecoat.com>]

1.  I personally do not like the idea of version_comment...  It feels very git / svn like.  

2.  Not sure where I stand on this.

3.  Maybe we need a new field on Relationship to capture this Verb...  If we do this, then Name and Description probably can be dropped as they will not be needed.  The only reason description is there, I believe, is because historically we added description to anything that had a name.

4.  Hopefully we can fix some of the vocabs before we ship.

Thanks,

Bret

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Aug 9, 2016, at 10:15, Wunder, John A. <jwunder@mitre.org> wrote:

A couple notes from the call:

 

1.       There seemed to be consensus on the call that version_comment was useful, so we’ll go ahead and add it back (it was removed in draft3 due to a lack of response on the e-mail list). If anyone feels strongly that version_comment should not be added back please respond on the list.

2.       We had a good discussion about name fields, where the common decision point seemed to be things that are often analyst-driven need to have a required name field while things that are often computer-generated or used by computers do not. Thus, the only change from the list Bret sent around will be to make the name field on Infrastructure required. Malware and Infrastructure were a bit of a gray area, but it was felt that you could always use a hash for malware name if you needed to.

3.       We talked through the relationship field and the only real consensus was that it shouldn’t be a list. We can brainstorm for a better name for the property (currently “name”)…perhaps “relationship_type” given that it was suggested by 3 people. We’ve tried to avoid that because there’s already a “type” field, but maybe despite that potential confusion it’s the best option.

4.       We talked in general about a lot of vocabularies and will have a working call to discuss them on Wednesday. Unfortunately, we had a couple conflicts for the usual morning slot so right now I’m thinking 3-4:30pm Eastern. I know that’s not awesome for people in Europe, if you were planning to dial in but it’s a bad time let me know and we can find something else. In the meantime, given the “stubby” nature of our Incident and Course of Action objects we’ll remove the open vocabs for their labels field and can discuss them again when we add in full representations of the objects.

 

I know not everyone can make the calls. If you disagree with any of these decisions please respond on the lists so we can discuss further.

 

John

 

From: "Wunder, John A." <jwunder@mitre.org>
Date: Monday, August 8, 2016 at 1:47 PM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Agenda for August 9 Working Call

 

All,

 

Things have been settling down quite a bit with STIX, but it looks like we still have a few open topics to work through during draft 3. Let’s talk about these at the working call on August 9:

 

1.      The version_comment field

2.      Name fields (required/optional across all objects)

3.      Name vs. Label vs. Something Else on relationships

4.      The Actor Motivation & Sophistication vocabularies

 

Thanks,

John

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail