OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Actions from CTI Working Call, 11/15



We’ll send out complete minutes separately, but I wanted to summarize the actions that we’ll take as a result of the working call. Thanks everyone for dialing in!


1.       The TAXII co-chairs talked about the release of 2.0 Draft 3. Please review!

2.       OpenC2 gave a brief intro on their work and there seemed to be a lot of interest. We’ll schedule a separate call with OpenC2 so they can give a presentation on what OpenC2 is and how it relates to STIX.

3.       We talked about Cyber Observable Extensions, Custom Extensions, and Custom Properties. Ivan sent an e-mail out with some suggested text modifications to hopefully clarify the distinction. Please review his e-mail and see if the text makes sense to you and you understand when to use each (in particular if you’re new or haven’t been following it before). If you have suggested changes, even better.

4.       We talked about adding last_seen to campaign and intrusion set. There wasn’t any objection on the call, but adding new fields needs to be made on the list. I’ll send a separate e-mail about this.

5.       There was a suggestion from Allan to change some text in the versioning section. After a brief discussion, consensus was to make the following change to Part 1, Section 3.1:

a.       OLD: Implementations MUST consider the version of the STIX Object with the highest version value to be the current state of the object.

b.       NEW: Implementations MUST consider the version of the STIX Object with the highest version value to be the most recent state of the object.

6.       We talked about text changes to bundle…Allan felt that the normative statement didn’t make sense since it was untestable and it should be replaced with a more definitional statement. There was a lot of discussion about the best way to write the text, whether all normative requirements needed to be testable, and the history of bundle (though no one actually disagreed with the fact that bundles don’t inherently convey meaning). I’ll send a separate e-mail to summarize the conversation and hopefully drive to consensus.


We didn’t get to these topics:

-          Allan had a comment on the usage of open vocabularies and required fields. We can tentatively add this to the agenda for Tuesday’s working call, and I’ll also follow up to Allan to narrow down his concern a little more.

-          We need to talk about the distinctions between data types as defined in Part 1 (STIX Core), Part 3 (Cyber Observable Core), and Part 5 (Patterning).


The editors are still working through Allan’s comments to parts 3-5. On that note…THANK YOU, Allan! Great comments and it makes it so much easier that you gave them at the beginning of the review period rather than at the end. Everyone else, please try to take the time now to review the documents and provide your comments to the list or to the editors.


We’re tracking ALL changes to the document at this stage. At the end of the review period and likely at the end of this week (middle of the review period) we’ll provide marked-up Word documents with the suggested changes so you all can review and make sure you’re comfortable with it.


Thanks everyone, and sorry for the novel of an e-mail.



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]