Subject: RE: [cti] Normative Statements
I dunno - I guess we have to agree to disagree, because I am unconvinced.
If entity X hands me a bundle that has a bunch of pieces of data inside it - absent any other external information, I have no idea as to their intent as-per the creation of that bundle. So how can I say if they violated the spec or not, to know if the content is valid? How can an auditor know this? What value is having this statement in the specification if no one can know?
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
Peter F Brown ---11/22/2016 10:43:29 AM---I don’t agree Jason, Using Duncan’s example, you can say "you violated the spec" - That is clearly t
From: Peter F Brown <peter@peterfbrown.com>
To: Jason Keirstead/CanEast/IBM@IBMCA, "Bret Jordan (CS)" <Bret_Jordan@symantec.com>
Cc: "duncan@sfractal.com" <duncan@sfractal.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Date: 11/22/2016 10:43 AM
Subject: RE: [cti] Normative Statements
Sent by: <cti@lists.oasis-open.org>
The thing with this statement however is you can't even procedurally test it (as I pointed out - this is neither testable by a human nor a machine). The only person who could test this statement is a psychic.
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
"Bret Jordan (CS)" ---11/21/2016 01:56:34 PM---Agreed... Too often we look at these documents through the lens of a developer and what a product c
From: "Bret Jordan (CS)" <Bret_Jordan@symantec.com>
To: Peter F Brown <peter@peterfbrown.com>, "duncan@sfractal.com" <duncan@sfractal.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Date: 11/21/2016 01:56 PM
Subject: Re: [cti] Normative Statements
Sent by: <cti@lists.oasis-open.org>
> "I would argue that if a normative statement can not be tested then it is not actually normative and is just a guideline."
> "MUST all normative statements be testable? "
I disagree. Using the example below "Implementations of TAXII servers that offer TLP MUST NOT forward STIX documents marked TLP Red to non-trusted destinations". This is untestable BUT when it does occur - you can say "you violated the spec". If it's non-normative, then it is not a violation if you do it. I vote normative wording if we require it, even if it is not testable in all cases.
Duncan Sparrell
s-Fractal Consulting LLC
iPhone, iTypo, iApologize
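Duncan's TLP Red example, as an added illustration (not code from this thread or from any OASIS project): the MUST NOT can be checked at the point where a TAXII server decides to forward, because the marking is in the data and the destination's trust status is the server's own configuration, unlike the "intended to be related" statement Jason objects to, which has no such observable. The function names and the sample bundle below are assumptions constructed for the example; only the TLP:RED marking-definition id is the one fixed by the STIX 2.x specification.

```python
import json

# Identifier of the TLP:RED marking-definition object, fixed by the STIX 2.x
# specification; every TLP:RED marking in any bundle refers to this id.
TLP_RED_ID = "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed"


def tlp_red_objects(bundle):
    """Return the ids of objects in a STIX bundle marked TLP:RED, whether the
    marking is applied to the whole object (object_marking_refs) or only to
    some of its fields (granular_markings)."""
    red = []
    for obj in bundle.get("objects", []):
        refs = set(obj.get("object_marking_refs", []))
        refs.update(gm.get("marking_ref") for gm in obj.get("granular_markings", []))
        if TLP_RED_ID in refs:
            red.append(obj["id"])
    return red


def may_forward(bundle, destination_trusted):
    """Forwarding gate for a TAXII server (assumed helper): a bundle containing
    any TLP:RED object may only be forwarded to a destination the server
    treats as trusted. Returns (allowed, ids_of_objects_that_blocked_it)."""
    red = tlp_red_objects(bundle)
    if red and not destination_trusted:
        return False, red
    return True, []


# Constructed sample bundle (not real intelligence): one indicator marked
# TLP:RED and one unmarked note.
SAMPLE_BUNDLE = json.loads("""
{
  "type": "bundle",
  "id": "bundle--00000000-0000-4000-8000-0000000000aa",
  "objects": [
    {"type": "indicator",
     "id": "indicator--00000000-0000-4000-8000-000000000001",
     "object_marking_refs": ["marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed"]},
    {"type": "note",
     "id": "note--00000000-0000-4000-8000-000000000002"}
  ]
}
""")

if __name__ == "__main__":
    print(may_forward(SAMPLE_BUNDLE, destination_trusted=False))
    print(may_forward(SAMPLE_BUNDLE, destination_trusted=True))
```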
-------- Original Message --------
Subject: Re: [cti] Normative Statements
From: "Wunder, John A." <jwunder@mitre.org>
Date: Wed, November 16, 2016 8:47 am
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>, Eric Burger <Eric.Burger@georgetown.edu>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
As you guys are reviewing the documents can you be checking for this? I just looked through all of the MUST requirements across the documents and, while there might be a couple in a gray area (it’s testable if you have the source data, but you can’t look at content absent the source data and validate it), for the most part I think we’re in good shape.
The SHOULD requirements are obviously a bit harder to evaluate and we could probably debate for years about them but if you see anything especially bad definitely bring it up.
John
From: <cti@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Wednesday, November 16, 2016 at 8:07 AM
To: Eric Burger <Eric.Burger@georgetown.edu>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Normative Statements
I would argue that if a normative statement can not be tested then it is not actually normative and is just a guideline.
It should be noted that we aren't even talking about "automated testing" - the proposed normative statement is not even testable in the mind of a human reading the document, because they have no idea if the things in the bundle were intended by the producer to be related or not.
As such, I agree with Alan that such statements serve little purpose in a spec and belong more in a set of implementor guidelines.
--
Sent from my mobile device, please excuse any typos.
Eric Burger --- [cti] Normative Statements ---
From: "Eric Burger" <Eric.Burger@georgetown.edu>
To: cti@lists.oasis-open.org
Date: Tue, Nov 15, 2016 7:28 PM
Subject: [cti] Normative Statements