OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [cti] On current TAXII discussions

This is a very important point that everyone needs to be "on the same page" with (pardon the pun, not really intended).

The current TAXII 2 RC-1 proposal for pagination *does not require any knowledge of STIX* by the server to implement it. I am very certain of this. I am not really sure where folks are getting the idea that a TAXII server can only serve STIX documents, because I know for sure that was not the intention, nor is it the implementation in RC-1 - I know this because I tried to argue many times that it would make TAXII a lot simpler if it assumed the data was always STIX, but was always shot down by Mark :)

If you read the proposal you will quite clearly see that all of the sample requests contain the requested content-type: "application/vnd.oasis.stix+json". This content type could just as easily be "application/vns.oasis.stix+XML" and the TAXII 2 API would work *JUST FINE* with this XML data.

This is a very important thing that everyone needs to be crystal clear on, because anything else is just mis-information. TAXII 2 RC-1 is not bound to STIX 2/ JSON in any way.

Now, in other emails Brett brought up a very important point about filtering - and how we can actually implement filtering without tying TAXII 2 to JSON. This is as of now an unsolved problem which is a large reason why TAXII query was pushed out of MVP.

Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security| www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown

From:        Bret Jordan <Bret_Jordan@symantec.com>
To:        Alexandre Dulaunoy <Alexandre.Dulaunoy@circl.lu>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Date:        03/13/2017 02:10 PM
Subject:        Re: [cti] On current TAXII discussions
Sent by:        <cti@lists.oasis-open.org>


How then do you paginate STIX objects if not by objects?  You can not really do it by bytes.  Breaking JSON objects up by bytes is a disaster waiting to happen.


From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Alexandre Dulaunoy <Alexandre.Dulaunoy@circl.lu>
Monday, March 13, 2017 10:53:43 AM
Re: [cti] On current TAXII discussions

On 12/03/17 13:13, Joep Gommers wrote:

> Lastly, it’s worthwhile to point out that in the current spec we require TAXII servers/clients to understand STIX.
> STIX is non-trivial and manipulating it (considering its many features) in this way puts a disproportioned burden
> on TAXII servers and their implementation. Although less complicated for IOC-only data, that’s not what TAXII
> is all about. We would highly recommend making a much cleaner cut.

We (as MISP team) strongly support this point. TAXII specification should be clearly separated from the STIX parsing
and especially the pagination over object is overkill in the current proposed specification.

Alexandre Dulaunoy
CIRCL - Computer Incident Response Center Luxembourg
41, avenue de la gare L-1611 Luxembourg
info@circl.lu -

To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]