Subject: Re: [cti] Text around bundle


Why isn’t TAXII the way to send a bunch of unrelated STIX things in a single TAXII message? 

More inline.

On Nov 15, 2016, at 7:27 PM, Bret Jordan (CS) <Bret_Jordan@symantec.com> wrote:

A STIX Relationship Object (SRO) and a Report Object do not allow you to include or embed the various things that are linked.  A Bundle on the other hand allows you to attach multiple STIX "things" in a single JSON blob of data.  You may use these in TAXII, you may use them in sneaker-net, you may use them with STIX over email or STIX over skype.

Without the STIX Bundle there is really no way to send multiple STIX objects as a single "thing".  The way a lot of people may use a Bundle is like:

1) TAXII, give me all indicators over the past 24 hours.  So if there were, say, 10 million new indicators, you could group all of those Indicators together in a single Bundle.

So everything in the bundle is related. They all occurred in the last 24 hours.

2) Let me send you 4 CTI Reports and automatically dereference all of the content and send that to you as well.  This will include, say, the 4 report objects, 1000 SDOs per report and, say, 2000 SDOs per report.  Once again, you could send these all as single JSON objects or you could wrap them in a container to send them.

Again, everything in these bundles is also related. They are related to their (Bundled) Reports.

This is what a Bundle is.  But we are trying to fix the STIX 1.x problems we had with the old STIX Package, where sometimes things in the STIX Package were related and sometimes they were not, and there was no way to tell the difference.  This way, the way we have it, if you include SROs or a Report Object, the SRO or Report object tells you how things are related.  But just because two objects are in a Bundle does NOT make them related at all, ever. You need something else to actually relate them.

Let’s say you need to bundle things that are truly not related. In that case, why would you bundle them?


Bret


From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Eric Burger <Eric.Burger@georgetown.edu>
Sent: Tuesday, November 15, 2016 5:11:31 PM
To: cti@lists.oasis-open.org
Subject: Re: [cti] Text around bundle
 
Coming from a place of ignorance, why do we have Bundles? Let me explain by a slightly different wording:

A Bundle is a collection of arbitrary STIX Objects that do not have any relationship to each other, unless they do have a relationship with each other. However, if they do have a relationship with each other, we have SROs and Report objects to tie them together, which means you really should never bundle a collection of related STIX Objects together. Since there is a mechanism for collecting related STIX Objects together, one might be tempted to use a Bundle to collect a bunch of unrelated STIX Objects together. However, sometimes these objects are related, which means one cannot draw any conclusions that STIX Objects in a Bundle are not related.

In English: the only purpose of a Bundle is to confuse implementors and give the bad guys a chance to find holes in code that is more complicated than it needs to be.

Why do we have Bundles?

On Nov 15, 2016, at 3:15 PM, Wunder, John A. <jwunder@mitre.org> wrote:

Alright, sorry for the double e-mail; talked through this a bit on Slack with Mark, Bret, and Ivan. We wanted to address Allan’s comments with the fewest changes to the existing text possible given how many review cycles it’s been through. To that end, any objections to this?
 
- A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. A Bundle does not have any semantic meaning and Objects are not considered related by virtue of being in the same Bundle.
 
Short, sweet, and to the point.
 
John
 
From: <cti@lists.oasis-open.org> on behalf of John Wunder <jwunder@mitre.org>
Date: Tuesday, November 15, 2016 at 2:41 PM
To: "Bret Jordan (CS)" <Bret_Jordan@symantec.com>, Rich Piazza <rpiazza@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle
 
I like removing the SHOULD normative statement and your last sentence. I would also be fine with Rich’s suggestion.
 
Allan, do you think something like what Bret wrote would work for you? If so and if nobody else has objections we can take this off list and do some word-smithing.
 
John
 
From: <cti@lists.oasis-open.org> on behalf of "Bret Jordan (CS)" <Bret_Jordan@symantec.com>
Date: Tuesday, November 15, 2016 at 2:37 PM
To: Rich Piazza <rpiazza@mitre.org>, John Wunder <jwunder@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle
 
What about this:
 
"A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects contained in a Bundle are not related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related should use SROs and / or the Report object to do so."
 
Bret

From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Piazza, Rich <rpiazza@mitre.org>
Sent: Tuesday, November 15, 2016 12:34:31 PM
To: Wunder, John A.; Patrick Maroney
Cc: cti@lists.oasis-open.org
Subject: Re: [cti] Text around bundle
 
How about this then:
 
Producers who wish to indicate that objects within the Bundle are related should use SROs or the Report object to do so.
 
From: John Wunder <jwunder@mitre.org>
Date: Tuesday, November 15, 2016 at 2:32 PM
To: Rich Piazza <rpiazza@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle
 
Hm, I took it out because it seemed to imply that the objects could only be related if they were in the same bundle. Being in the same bundle has nothing to do with whether objects are related and so IMO our language shouldn’t try to make those concepts overlap, even just as an example.
 
From: Rich Piazza <rpiazza@mitre.org>
Date: Tuesday, November 15, 2016 at 2:27 PM
To: John Wunder <jwunder@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle
 
Fine, but I think the “within the Bundle” clause (applying to both SROs and Report) is clearer:
 
Producers who wish to indicate that objects are related should use SROs or the Report object within the Bundle to do so.
 
From: John Wunder <jwunder@mitre.org>
Date: Tuesday, November 15, 2016 at 2:24 PM
To: Rich Piazza <rpiazza@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle
 
With some slight changes that would work for me:
 
A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects in a Bundle SHOULD NOT be assumed to be related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related should use SROs or the Report object to do so.
 
Note that the should is intentionally non-normative.
 
From: Rich Piazza <rpiazza@mitre.org>
Date: Tuesday, November 15, 2016 at 2:16 PM
To: John Wunder <jwunder@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle
 
Here is some proposed text which uses ideas from all suggestions:
 
A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects contained with a Bundle SHOULD NOT be assumed to be related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related are encouraged to use SROs within the Bundle or the Report object to do so.
 
From: <cti@lists.oasis-open.org> on behalf of John Wunder <jwunder@mitre.org>
Date: Tuesday, November 15, 2016 at 1:52 PM
To: Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle
 
Hm, we could add a sentence like: “Producers who wish to indicate that objects are related should use SROs and the Report object to do so.”
 
From: <cti@lists.oasis-open.org> on behalf of Patrick Maroney <oasis.individual@gmail.com>
Date: Tuesday, November 15, 2016 at 1:41 PM
To: John Wunder <jwunder@mitre.org>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle
 
I think Allan's points are good.  Can we add language in the Bundle descriptions that shows how one would make the assertion that objects in a bundle ARE related?

On Tuesday, November 15, 2016, Wunder, John A. <jwunder@mitre.org> wrote:
All,
 
One of the other topics we talked about on the working call today was the normative text around Bundle.
 
In RC3, the text (Part 1, Section 5) stated:
“A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. A Bundle does not have any semantic meaning and objects in the same Bundle are not necessarily related. Objects MUST NOT be considered related by virtue of being in the same Bundle.”
 
The suggestion from Allan is to modify that text to say:
“A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. The objects in the same Bundle are not necessarily related. Objects SHOULD NOT be considered related by virtue of being in the same Bundle.”
 
Allan can elaborate but his thinking was that:
- In the second sentence, the clause “A bundle does not have any semantic meaning” is itself meaningless and doesn’t help people understand bundles.
- In the last sentence, the normative statement is inherently untestable and therefore shouldn’t be a MUST.
 
The counterpoints that I heard to changing it were:
- We need to be as clear as possible, because people have gotten it wrong before.
- Other normative statements aren’t testable, but it can still be worthwhile to put them in.
 
The other suggestion was that rather than changing it to a should, the text could just say “Objects are not considered related by virtue of being in the same bundle.” That removes the untestable normative statement and makes it part of the definition of bundle.
 
Before trying to drive this to consensus, let’s just get some thoughts on the best text to use. Most importantly, do you think there should be a normative MUST?
 
Also, I know we as a community went around for a bit on bundle, but the encouraging thing at this point is that we all fundamentally agree that bundles don’t have meaning. We’re just trying to find the best way to phrase it. So that’s good!
 
John
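Bret's point earlier in the thread, that only an SRO or a Report object asserts a relationship and bundle co-membership never does, can be enforced mechanically on the consumer side. The following is an added example, not code from the thread or from any STIX implementation; the bundle it walks is a constructed sample with placeholder ids, and the helper names `explicit_relations` and `related` are this example's own.

```python
import json

# Constructed sample bundle (not from the thread): two indicators, one malware,
# one relationship SRO and one report. Only type, id and reference fields are
# kept; the ids are placeholder UUIDs in STIX id form.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-0000000000a1"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-0000000000a2"},
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-0000000000b1"},
        {"type": "relationship",
         "id": "relationship--00000000-0000-4000-8000-0000000000c1",
         "relationship_type": "indicates",
         "source_ref": "indicator--00000000-0000-4000-8000-0000000000a1",
         "target_ref": "malware--00000000-0000-4000-8000-0000000000b1"},
        {"type": "report", "id": "report--00000000-0000-4000-8000-0000000000d1",
         "object_refs": ["indicator--00000000-0000-4000-8000-0000000000a1",
                         "malware--00000000-0000-4000-8000-0000000000b1"]},
    ],
})


def explicit_relations(bundle_json):
    """Return the set of unordered id pairs linked by the bundle's own SROs
    (relationship source_ref/target_ref, sighting sighting_of_ref) or by a
    Report's object_refs. Co-membership in the bundle is never consulted."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    pairs = set()
    for obj in bundle.get("objects", []):
        kind = obj.get("type")
        if kind == "relationship":
            pairs.add(frozenset((obj["source_ref"], obj["target_ref"])))
        elif kind == "sighting":
            pairs.add(frozenset((obj["id"], obj["sighting_of_ref"])))
        elif kind == "report":
            for ref in obj.get("object_refs", []):
                pairs.add(frozenset((obj["id"], ref)))
    return pairs


def related(bundle_json, id_a, id_b):
    """True only if an SRO or Report in the bundle asserts the link."""
    return frozenset((id_a, id_b)) in explicit_relations(bundle_json)
```

The two indicators share the bundle but no SRO or Report links them, so `related` reports them as unrelated; a referenced id that is not itself in the bundle still counts, since the SRO, not the container, carries the assertion.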
 

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail