1. OASIS will create official STIX and TAXII interoperability badges for exclusive use by vendors of products that have passed the online self-certification tests.
2. Products will be granted the right to use one of two available badges: a) STIX-only or b) STIX-and-TAXII. Since the TAXII test incorporates STIX, there will be no need for a TAXII-only badge and no benefit in offering multiple badges per product.
3. The interoperability badges will incorporate the STIX and TAXII logos. OASIS will continue to work with DHS to resolve trademark issues regarding the logos. If possible, OASIS will update the current STIX and TAXII logo designs in a way that leverages current brand recognition but also conveys the exciting changes in 2.x.
4. Only the major version number for the specifications will be used in the badges, i.e., 'STIX 2' and 'STIX/TAXII 2'. Attempting to denote minor version numbers in the badge (e.g. 'STIX 2.5') would cause extra work and risk confusion over time.
5. The badge will incorporate the STIX and TAXII 2 logos along with a term that indicates the accomplishment (i.e., the product has passed the interoperability test). We ruled out:
- 'Certified', 'Verified', 'Guaranteed', and 'Tested' because of liability issues.
- 'Interoperable' because it indicates explicit verification that a product has exchanged data with another product.
- 'Compliant' because the tests do not merely signify compliance with the specifications and because it's easy for the term to be muddled by a salesperson, as in "Sure, our product is STIX compliant (it's just not STIX Compliant)".
- 'Gold', 'Bronze', etc., because the tests aren't that granular at this point (however, we may want to introduce these levels down the road).
Instead, we recommend using the terms 'STIX 2 Preferred' and 'STIX TAXII 2 Preferred'. We believe Preferred will convey formal recognition that the product meets a higher level of quality. Users will want to select products that have attained the Preferred status and vendors will be incentivized to earn that credential.
Bret Jordan kindly mocked up a few concept designs (attached) to help us visualize the elements of the badge. We are not floating any of these mock-ups as preliminary design options or asking for your feedback or preferences on design at this point. (We will let you know when we get there.)
6. When used by vendors in online applications, the badges will be linked to an OASIS web page that explains the meaning of the badge, details restrictions for its use, lists all products authorized to use it, and provides instructions for how to earn the badge including a link to the online test.
7. Vendors who use the STIX Preferred badge without authorization will be contacted by OASIS General Counsel. They will be instructed to immediately remove the badge from their collateral and advised on the proper method for attaining authorization. (We don't anticipate this will be a problem.)
8. Branding is obviously just one aspect of this program. OASIS will draft SLA terms appropriate for self-attestation and work through other key operational issues with the CTI Interoperability Subcommittee.
Please let me know if you have any questions on branding for CTI interoperability self-certification. We look forward to helping the TC make this program successful.
Senior Director, OASIS