

Subject: Re: [cti] RE: [EXT] Re: [cti] Possible Changes to Observed Data


On 16.08.2018 12:07:33, Kelley, Sarah E. wrote:
> Since the whole reason we're contemplating changing how observed
> data works is so that it fits for new use cases like malware and
> infrastructure, I'd like to suggest that we should hold off on
> making a decision on how to change observed data until we know that
> it will actually work with these new proposed objects. Since we
> pushed malware from CSD01, and infrastructure was never in it, I
> think we should hold off on making any changes to the observed data
> object until we can work through these objects at the same
> time. Otherwise we could wind up making changes now that ultimately
> will need to be changed again if they don't work for
> malware/infrastructure, etc.
> 

That would be my preference, Sarah. We should back out the changes to
Observed Data and issue draft-03.

As an editor, I understand the pressure to resolve comments and get
drafts out for review promptly. However, Bret's suggested changes to
Observed Data were accepted into draft-02 without being adequately
discussed. (Neither Ivan Kirillov nor myself were consulted; as the
Cyber Observable co-chairs, at the very least this should have
happened.)

In fact, we *should* have discussed this on a TC working call. As you
rightly point out, the TC needs to validate that these changes to
Observed Data are adequate to address the needs of Malware and
Infrastructure.

There are still a fair number of folks out on summer vacation. I
recommend that we dedicate the entire working calls 11 & 18 September
to discussing this with a larger audience. (The week of 03 September
being US Labor Day holiday period, we'll likely have lower
participation on the 04 September working call.)

As Ivan and I are the Cyber Observable co-chairs and as we led the
work on Malware, we will happily lead this discussion. If the TC
elects to go this route, Ivan and I will work together with the TC
membership to assemble a set of questions which will allow us to
validate that the changes we make to Observed Data are fit-to-purpose
for Malware and Infrastructure, and that they do not negatively impact
STIX Patterning.

-- 
Cheers,
Trey
++--------------------------------------------------------------------------++
Director of Standards Development, New Context
gpg fingerprint: 3918 9D7E 50F5 088F 823F  018A 831A 270A 6C4F C338
++--------------------------------------------------------------------------++
--
"You know you have achieved perfection in design, not when you have
nothing more to add, but when you have nothing more to take away."
--Antoine de Saint-Exupéry

Attachment: signature.asc
Description: PGP signature


