OASIS Mailing List Archives

 



cti message



Subject: STIX and TAXII question


All,


A few of us have been discussing some critical points about TAXII on Slack and how the date added should be used inside of a collection. Since this discussion has branched beyond just TAXII and into STIX, I felt that bringing it up on the list would be a good idea.


Level setting on scale:

From a scale standpoint, think of your TAXII server holding 100 billion objects and it having 5,000 different collections.


Problem the way I see it:

A TAXII server will have a container of all STIX objects that it knows about and there will be a separate container that keeps track of which objects are in which collection. It goes without saying that an object can be in zero, one, many, or all collections. Further, if you update a STIX object in one collection (fix a typo) you probably want that update to show up in all of the collections that the STIX object is found in. This can be done automatically by just tracking the root STIX ID in a collection. This means that any new versions of a STIX object will automatically be found in their respective collection. The other option requires a ton of bookkeeping and maintenance. You would need to track which version of a STIX object is in which collection and when an update was made, you would need to touch every single collection that the new versions should be added to. Further, an operator would need to know if their update should be applied to all collections that the object is currently found in.


A use case was brought up that a person may want to version an object (ver 1) to remove, say, TLP:RED content and make a new version (ver 2) be TLP:GREEN. Then you would have the STIX ID foo ver 1 in collection "private" and STIX ID foo ver 2 in collection "public". I am wondering what others think of this? Is this a valid use of versioning? Or should the object be forked with a related-to relationship? What happens if STIX ID foo ver 1 gets updated? Does that mean the server then needs to track if the update should be applied to version 2 as well? If version 2 is Green and versions 1 and 3 are RED, does that make things weird for a client? What happens if a client has access to both "private" and "public" and finds the same object but different versions? What is the client supposed to do?


Thanks

Bret
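
The two membership models discussed in the message, as an added Python sketch that is not part of the original post or of any TAXII implementation. It runs the "private"/"public" use case through both models; the class names, the constructed STIX ID and the flat `tlp` field (a stand-in for real STIX marking references) are assumptions.

```python
from collections import defaultdict

# Constructed sample data: one STIX id with two versions (the TLP use case).
FOO = "indicator--00000000-0000-4000-8000-000000000001"
V1 = {"id": FOO, "modified": "2017-01-01T00:00:00.000Z", "tlp": "red"}
V2 = {"id": FOO, "modified": "2017-02-01T00:00:00.000Z", "tlp": "green"}

class Store:
    """The single container of every object version the server knows about."""
    def __init__(self):
        self.versions = defaultdict(dict)  # id -> {modified: object}
    def put(self, obj):
        self.versions[obj["id"]][obj["modified"]] = obj

class IdMembership:
    """Option 1: a collection records only root STIX ids."""
    def __init__(self, store):
        self.store, self.members = store, defaultdict(set)
    def add(self, collection, stix_id):
        self.members[collection].add(stix_id)
    def objects(self, collection):
        # Every stored version of a member id is visible, oldest first.
        return [obj for stix_id in sorted(self.members[collection])
                for _, obj in sorted(self.store.versions[stix_id].items())]

class VersionMembership:
    """Option 2: a collection records (id, modified) pairs."""
    def __init__(self, store):
        self.store, self.members = store, defaultdict(set)
    def add(self, collection, obj):
        self.members[collection].add((obj["id"], obj["modified"]))
    def objects(self, collection):
        return [self.store.versions[i][m] for i, m in sorted(self.members[collection])]

def demo():
    """Return the TLP levels each collection exposes under each model."""
    store = Store()
    by_id, by_ver = IdMembership(store), VersionMembership(store)
    store.put(V1)
    by_id.add("private", FOO)
    by_ver.add("private", V1)
    store.put(V2)  # new version: option 1 needs no per-collection update
    by_id.add("public", FOO)
    by_ver.add("public", V2)
    views = {"id/private": by_id.objects("private"), "id/public": by_id.objects("public"),
             "ver/private": by_ver.objects("private"), "ver/public": by_ver.objects("public")}
    return {name: [o["tlp"] for o in objs] for name, objs in views.items()}
```

With ID-only membership the TLP:RED version is listed in "public" alongside the TLP:GREEN one, so the per-version use case can only be expressed by the second model or by some additional filter on read.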
