Subject: Re: [cti] On current TAXII discussions
- From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- To: Bret Jordan <Bret_Jordan@symantec.com>
- Date: Mon, 13 Mar 2017 19:59:34 -0400
This is a very important point that everyone needs to be "on the same page" with (pardon the pun, not really intended).
The current TAXII 2 RC-1 proposal for pagination *does not require any knowledge of STIX* by the server to implement it. I am very certain of this. I am not really sure where folks are getting the idea that a TAXII server can only serve STIX documents, because I know for sure that was not the intention, nor is it the implementation in RC-1 - I know this because I tried to argue many times that it would make TAXII a lot simpler if it assumed the data was always STIX, but was always shot down by Mark :)
If you read the proposal you will quite clearly see that all of the sample requests contain the requested content-type: "application/vnd.oasis.stix+json". This content type could just as easily be "application/vns.oasis.stix+XML" and the TAXII 2 API would work *JUST FINE* with this XML data.
This is a very important thing that everyone needs to be crystal clear on, because anything else is just misinformation. TAXII 2 RC-1 is not bound to STIX 2 / JSON in any way.
Now, in other emails Bret brought up a very important point about filtering - and how we can actually implement filtering without tying TAXII 2 to JSON. This is as of now an unsolved problem, which is a large reason why TAXII query was pushed out of MVP.
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
From: Bret Jordan <Bret_Jordan@symantec.com>
To: Alexandre Dulaunoy <Alexandre.Dulaunoy@circl.lu>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Date: 03/13/2017 02:10 PM
Subject: Re: [cti] On current TAXII discussions
Sent by: <cti@lists.oasis-open.org>
Alexandre,
How then do you paginate STIX objects if not by objects? You cannot really do it by bytes. Breaking JSON objects up by bytes is a disaster waiting to happen.
Bret
From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Alexandre Dulaunoy <Alexandre.Dulaunoy@circl.lu>
Sent: Monday, March 13, 2017 10:53:43 AM
To: cti@lists.oasis-open.org
Subject: Re: [cti] On current TAXII discussions
On 12/03/17 13:13, Joep Gommers wrote:
> Lastly, it’s worthwhile to point out that in the current spec we require TAXII servers/clients to understand STIX.
> STIX is non-trivial and manipulating it (considering its many features) in this way puts a disproportioned burden
> on TAXII servers and their implementation. Although less complicated for IOC-only data, that’s not what TAXII
> is all about. We would highly recommend making a much cleaner cut.
We (as MISP team) strongly support this point. TAXII specification should be clearly separated from the STIX parsing and especially the pagination over object is overkill in the current proposed specification.
--
Alexandre Dulaunoy
CIRCL - Computer Incident Response Center Luxembourg
41, avenue de la gare L-1611 Luxembourg
info@circl.lu - www.circl.lu
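
The trade-off argued in this thread (paging by bytes needs no knowledge of the payload, paging by objects requires the server to parse it), as an added example that is not part of any message above and is not taken from the TAXII 2 RC-1 proposal. The bundle is constructed sample data, and the function names and the choice to re-wrap each object page in a bundle are assumptions made for illustration.

```python
import json

# Constructed sample: a minimal STIX-2-style bundle; ids and names are illustrative.
BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator",
         "id": f"indicator--00000000-0000-4000-8000-{i:012d}",
         "name": f"Exemple numéro {i}"}
        for i in range(1, 6)
    ],
}
PAYLOAD = json.dumps(BUNDLE, ensure_ascii=False).encode("utf-8")

def paginate_by_bytes(payload, page_size):
    """Content-agnostic paging: the server slices bytes and never parses them."""
    return [payload[i:i + page_size] for i in range(0, len(payload), page_size)]

def paginate_by_objects(bundle, per_page):
    """Content-aware paging: the server parses the bundle to find object boundaries.
    Re-wrapping each page in a bundle with the same id is an assumption made here."""
    objs = bundle["objects"]
    return [
        json.dumps({"type": "bundle", "id": bundle["id"],
                    "objects": objs[i:i + per_page]}, ensure_ascii=False).encode("utf-8")
        for i in range(0, len(objs), per_page)
    ]

def parseable(page):
    """True if a page can be consumed on its own. A byte boundary can fall inside
    a JSON token or inside a multi-byte UTF-8 character, so both errors count."""
    try:
        json.loads(page.decode("utf-8"))
        return True
    except (UnicodeDecodeError, json.JSONDecodeError):
        return False

def reassemble(pages):
    """Byte pages are only usable after every page has arrived, in order."""
    return json.loads(b"".join(pages).decode("utf-8"))

if __name__ == "__main__":
    byte_pages = paginate_by_bytes(PAYLOAD, 100)
    obj_pages = paginate_by_objects(BUNDLE, 2)
    print("byte pages parseable:  ", [parseable(p) for p in byte_pages])
    print("object pages parseable:", [parseable(p) for p in obj_pages])
    print("byte pages reassemble: ", reassemble(byte_pages) == BUNDLE)
```
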