OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [cti] Re: [EXT] [cti] Embedded Relationships


> Could you further explain this? I don’t understand how something can be a TAXII server but not have a historical database.
> I feel that it must have some repository/database of information to store the POSTed objects temporarily until a TAXII client
> does a GET request. Otherwise where do you get the STIX objects that are used in steps 4 and 6 above? A proxy I get,
> but that is really just a middle-man between a real TAXII server.

Again, you are assuming that people are always occupying the "repository" persona. There are many personas for TAXII, not all of which store data. I highly suggest you take a look at the personas defined in the Interoperability Subcommittee's use case specification - https://docs.google.com/document/d/1l54RhjxwuXrZUQ19zIHUiZ7_c6otbLbVVfluKJogU7s/edit#heading=h.4do73o99e2l7

Just because you POST TAXII information to me, does not mean you can then later GET that same information from me, because I may not be acting as any kind of repository. I may not even have a TAXII "read" facility at all, and only accept POSTs to a channel or collection, and all GETs against the channel or collection return empty all the time. A use case for this may be a device that wants to expose a TAXII collection or channel to allow people to submit CTI to it to trigger some action, such as adding something to a watch list or launching a remediation. As such, I have no need to store this information at all, anywhere.

Or, to flip it around, I may offer a read-only view of a channel or collection and not anyone to ever POST anything to it at all. A use case for this might be a proxy device that exposes live sighting information on a channel or collection. This information would all be read-only, live, streaming data from the device.... there is no repository, and if you go back to that device in an hour those objects wouldn't even exist on it anymore.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security

Without data, all you are is just another person with an opinion - Unknown




[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]