Subject: RE: [cti] Normative Statements


"Implementations of TAXII servers that offer TLP MUST NOT forward STIX documents marked TLP Red to non-trusted destinations"

If this is the example requirement under discussion, it clearly appears to be testable, by human or machine, without psychic powers.

  * IF a STIX document is marked TLP Red   -- this has a yes or no answer.  The overall marking of a document would be the high-water level of all its components' markings, and if no component is marked then the requirement does not apply.  The requirement could be met either by sanitizing the document by removing all offending components, or by not forwarding anything at all.
  * TO non-trusted destinations      -- this has a yes or no answer, assuming the TAXII server has a destination white list.

A counterexample would help understand why this might be regarded as untestable.  "Source data" does not apply - if source data is marked but the STIX document is not, then the source processing system is at fault, not the TAXII server.

Dave



-----Original Message-----
From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Peter F Brown
Sent: Tuesday, November 22, 2016 10:02 AM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: Bret Jordan (CS) <Bret_Jordan@symantec.com>; duncan@sfractal.com; cti@lists.oasis-open.org
Subject: RE: [cti] Normative Statements

Well,

“So how can I say if they violated the spec or not, to know if the content is valid? How can an auditor know this?”

If the spec says “don’t pass x on” and you do, that would seem to be a clear – and testable – violation, no?

But I agree – it’s easier said than done. My main point is that several projects have gotten so bogged down in determining whether something is “testable” or “normative” that they actually miss the bigger prize of gaining buy-in to the use of the spec.

Cheers,

Peter
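The forwarding check Dave walks through above (document marking as the high-water mark of its components' markings, with either sanitization or refusal for non-trusted destinations), written out as an added example that is not part of this thread or of any TAXII implementation. It assumes STIX 2.x-style JSON with object_marking_refs, a destination trust list held by the server, and placeholder marking ids.

```python
# Added example: a forwarding gate for the requirement discussed above.
# Assumes STIX 2.x-style JSON where objects reference marking-definition objects
# through object_marking_refs; granular_markings are not considered here.

TLP_RANK = {"white": 0, "green": 1, "amber": 2, "red": 3}

def tlp_index(bundle):
    """Map marking-definition id -> TLP colour for the TLP markings in this bundle."""
    return {o["id"]: o["definition"]["tlp"].lower() for o in bundle["objects"]
            if o.get("type") == "marking-definition" and o.get("definition_type") == "tlp"}

def object_tlp(obj, index):
    """Highest TLP colour an object carries via object_marking_refs, or None if unmarked."""
    colours = [index[r] for r in obj.get("object_marking_refs", []) if r in index]
    return max(colours, key=TLP_RANK.__getitem__) if colours else None

def document_tlp(bundle):
    """High-water mark over all components; None when no component is marked."""
    index = tlp_index(bundle)
    colours = [c for c in (object_tlp(o, index) for o in bundle["objects"]) if c]
    return max(colours, key=TLP_RANK.__getitem__) if colours else None

def forward(bundle, destination, trusted_destinations, sanitize=False):
    """Return (allowed, bundle_to_send) for forwarding `bundle` to `destination`.
    Unmarked documents and trusted destinations always pass. A TLP Red document bound
    for a non-trusted destination is refused outright, or with sanitize=True is sent
    with every Red-marked component removed (the two compliant behaviours)."""
    if document_tlp(bundle) != "red" or destination in trusted_destinations:
        return True, bundle
    if not sanitize:
        return False, None
    index = tlp_index(bundle)
    kept = [o for o in bundle["objects"] if object_tlp(o, index) != "red"]
    return True, {**bundle, "objects": kept}

# Constructed sample bundle; the ids are placeholders, not the real STIX TLP marking ids.
RED, GREEN = "marking-definition--red-placeholder", "marking-definition--green-placeholder"
SAMPLE = {"type": "bundle", "id": "bundle--placeholder", "objects": [
    {"type": "marking-definition", "id": RED, "definition_type": "tlp", "definition": {"tlp": "red"}},
    {"type": "marking-definition", "id": GREEN, "definition_type": "tlp", "definition": {"tlp": "green"}},
    {"type": "indicator", "id": "indicator--1", "name": "shareable", "object_marking_refs": [GREEN]},
    {"type": "indicator", "id": "indicator--2", "name": "restricted", "object_marking_refs": [RED]},
]}

if __name__ == "__main__":
    print(document_tlp(SAMPLE))                                       # red
    print(forward(SAMPLE, "partner.example", {"soc.example"}))        # (False, None)
    print(forward(SAMPLE, "partner.example", {"soc.example"}, True))  # sanitized copy, no Red objects
```

Each branch of `forward` is a yes/no decision an auditor can replay from the bundle and the trust list, which is the sense in which the statement is testable.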



