Re: [cti] Status of CTI OASIS Open Repositories

["Bret Jordan (CS)" <Bret_Jordan@symantec.com>]

Greg it is more than that.  Under the current setup, with using OASIS open repos, people need to sign OASIS paper to contribute.  This is a monumental barrier that some organizations will not cross.  Basically the bigger the org the more likely your OGC will not allow you to do that.  

We also need to remember what Rich S always said.  OASIS is for people that want to work on the standards.  But for everything else, there is a huge community that is 2-3 orders of magnitude larger.  We need to make sure the production side of STIX and TAXII is easy to use and contribute to.

Bret

---

From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Back, Greg <gback@mitre.org>
Sent: Tuesday, October 11, 2016 7:22:49 AM
To: Mark Davidson
Cc: cti@lists.oasis-open.org
Subject: RE: [cti] Status of CTI OASIS Open Repositories

 

Thanks, Mark.

In terms of "learning more about STIX and TAXII", I wouldn't expect anyone (technical or otherwise) to use GitHub as a starting point... except maybe to a web page hosted on GitHub Pages, at which point GitHub is mostly irrelevant.

I also feel like the relationship of STIX and TAXII to OASIS is an asset rather than a liability; people do not necessarily need to understand OASIS in order to understand STIX and TAXII, but having the work affiliated with OASIS lends credibility to the work we are doing.

Furthermore, I expect anyone looking for information about STIX and TAXII will use a search engine, which should be equally capable of finding the content regardless of where it's hosted. A simple landing page accessible from an easily-remembered URL (like http://cti-tc.github.io) should serve to direct people to all content produced by the TC and its members).

If the biggest barrier to becoming involved is not understanding the relationship to OASIS (meaning that everything else we've done is crystal-clear), I'd consider that a monumental victory.

Greg

> -----Original Message-----
> From: Mark Davidson [mailto:mdavidson@soltra.com]
> Sent: Tuesday, October 11, 2016 6:57 AM
> To: Bret Jordan (CS) <Bret_Jordan@symantec.com>; Back, Greg
> <gback@mitre.org>
> Cc: cti@lists.oasis-open.org
> Subject: Re: [cti] Status of CTI OASIS Open Repositories
>
> I think having one global org for every TC is a negative for usability and will
> decrease the quality of the interaction our TC has with the outside world.
>
>
>
> A semi-technical (or technical) non-TC member who is trying to learn more
> about STIX and TAXII will not, at first, be guaranteed to understand what
> OASIS is or understand OASIS’ role in the development and governance of
> STIX and TAXII. Requiring knowledge about OASIS and its relationship to
> STIX/TAXII – i.e., understanding that https://github.com/oasis-open/ is
> where you find STIX and TAXII open source repositories (or further, that they
> have a CTI prefix) – is just not going to happen for the majority of people.
>
>
>
> We should be making the work produced by this TC as accessible as possible
> to the people outside this TC. We are not doing this work only for ourselves. I
> think we’ve demonstrated this already with the CybOX merger into STIX, so
> let’s keep going. FWIW, I agree with previous posts stating that the two
> approaches are roughly equivalent for TC members. I just think we need to
> focus on the external/outsider persona – they are the ones who need the
> most help consuming and understanding the work we are producing, and we
> should make it as easy as possible for them.
>
>
>
> Thank you.
>
> -Mark
>
>
>
> From: <cti@lists.oasis-open.org> on behalf of "Bret Jordan (CS)"
> <Bret_Jordan@symantec.com>
> Date: Monday, October 10, 2016 at 7:37 PM
> To: Greg Back <gback@mitre.org>
> Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
> Subject: Re: [cti] Status of CTI OASIS Open Repositories
>
>
>
> The chartered work repos have one primary purpose for us, and that is issue
> tracking against the published specifications.  We may use them for wikis or
> other things over time, but for the foreseeable future they will be used for
> issue tracking.
>
>
>
> Bret
>
> Sent from my Commodore 64
>
>
>
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>
>
> On Oct 10, 2016, at 5:33 PM, Greg Back <gback@mitre.org
> <mailto:gback@mitre.org> > wrote:
>
>        On 10/10/2016 3:08 PM, Bret Jordan (CS) wrote:
>
>
>
>                I disagree.  It would make things a lot easier if the Chartered
> work
>
>                repos were done as TC level projects instead of individual
> repos.
>
>
>        What specifically would be easier?
>
>        What specifically are we trying to do with Chartered Work repos? I
> would not recommend using them for prose specifications, unless we're
> planning to develop the specifications as Markdown, HTML, or some other
> plain text format.  I've been given the impression that we don't want to
> include JSON schemas as chartered work products, hence why cti-stix2-json-
> schemas and cti-cybox3-json-schemas [sic] are open repositories.
>
>
>
>
>                Further, I think this TC should create an open source project
> on github
>
>                that is outside of OASIS for all of our opensource projects and
>
>                contributions that come from MITRE or others.
>
>
>        The MITRE members of the TC have made an explicit decision to
> contribute our code to OASIS Open repos, rather than (for instance)
> continuing to use STIXProject.
>
>        What does being "outside of OASIS" gain us? What does it even
> mean for "the TC" to create something outside of OASIS (and therefore
> outside the TC)? As I've said before, anyone (including a TC member) is of
> course free to create whatever repositories they'd like.
>
>        ----------
>
>        I'd still appreciate hearing from Mark, John, and/or Trey.
>
>        Greg