OASIS Mailing List Archives

Subject: Re: [cti] Re: [EXT] [cti] Embedded Relationships

> Could you further explain this? I don’t understand how something can be a TAXII server but not have a historical database.
> I feel that it must have some repository/database of information to store the POSTed objects temporarily until a TAXII client
> does a GET request. Otherwise where do you get the STIX objects that are used in steps 4 and 6 above? A proxy I get,
> but that is really just a middle-man between a real TAXII server.

Again, you are assuming that people are always occupying the "repository" persona. There are many personas for TAXII, not all of which store data. I highly suggest you take a look at the personas defined in the Interoperability Subcommittee's use case specification - https://docs.google.com/document/d/1l54RhjxwuXrZUQ19zIHUiZ7_c6otbLbVVfluKJogU7s/edit#heading=h.4do73o99e2l7

Just because you POST TAXII information to me, does not mean you can then later GET that same information from me, because I may not be acting as any kind of repository. I may not even have a TAXII "read" facility at all, and only accept POSTs to a channel or collection, and all GETs against the channel or collection return empty all the time. A use case for this may be a device that wants to expose a TAXII collection or channel to allow people to submit CTI to it to trigger some action, such as adding something to a watch list or launching a remediation. As such, I have no need to store this information at all, anywhere.

Or, to flip it around, I may offer a read-only view of a channel or collection and not allow anyone to ever POST anything to it at all. A use case for this might be a proxy device that exposes live sighting information on a channel or collection. This information would all be read-only, live, streaming data from the device.... there is no repository, and if you go back to that device in an hour those objects wouldn't even exist on it anymore.

Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems

Without data, all you are is just another person with an opinion - Unknown
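
The first persona described in the message above (a collection that accepts POSTs to trigger an action and returns empty on every GET), as an added Python example that is not part of the original message or of any TAXII specification. The class name, the `on_indicator` callback, the status codes, the size cap and the response shapes are assumptions made for illustration.

```python
import json

MAX_BODY = 1 << 20  # assumed cap; the endpoint parses untrusted input


class ActionOnlyCollection:
    """Collection endpoint that acts on POSTed STIX and retains nothing."""

    def __init__(self, on_indicator):
        # Hypothetical hook, e.g. "add this pattern to the device watch list".
        self.on_indicator = on_indicator

    def handle(self, method, body=b""):
        """Return (http_status, response_dict) for one request."""
        if method == "GET":
            # No repository behind the endpoint: reads are always empty.
            return 200, {"objects": []}
        if method != "POST":
            return 405, {"title": "method not allowed"}
        if len(body) > MAX_BODY:
            return 413, {"title": "payload too large"}
        try:
            objects = json.loads(body)["objects"]
            if not isinstance(objects, list):
                raise TypeError("objects must be a list")
        except (ValueError, KeyError, TypeError):
            return 400, {"title": "expected a JSON object with an 'objects' list"}
        acted = 0
        for obj in objects:
            # Only indicators with a string pattern trigger the action.
            if (isinstance(obj, dict) and obj.get("type") == "indicator"
                    and isinstance(obj.get("pattern"), str)):
                self.on_indicator(obj["pattern"])
                acted += 1
        # The objects go out of scope here; nothing is written anywhere.
        return 202, {"acted": acted, "ignored": len(objects) - acted}


if __name__ == "__main__":
    watch_list = []
    sink = ActionOnlyCollection(watch_list.append)
    # Constructed sample submission (documentation-range IP address).
    sample = json.dumps({"objects": [
        {"type": "indicator", "id": "indicator--constructed-1",
         "pattern": "[ipv4-addr:value = '198.51.100.7']"},
        {"type": "identity", "id": "identity--constructed-2"},
    ]}).encode()
    print(sink.handle("POST", sample), watch_list)
    print(sink.handle("GET"))
```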
