

Subject: RE: [EXT] Re: [cti] Observable Debate


I would agree with Allan that it’s far too early for any kind of ballot, non-binding or otherwise. Some of these ideas have yet to even be fleshed out, so trying to vote on an incomplete proposal is asking for trouble.

 

Sarah Kelley

Lead Cybersecurity Engineer, T8B2

Defensive Operations

The MITRE Corporation

703-983-6242

skelley@mitre.org


 

From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> On Behalf Of Bret Jordan
Sent: Thursday, November 1, 2018 10:55 AM
To: Allan Thomson <athomson@lookingglasscyber.com>; cti@lists.oasis-open.org
Subject: [cti] Re: [EXT] Re: [cti] Observable Debate

 

As I said, it would be a non-binding ballot.  Basically just a show of hands.  Maybe this would help get some more ideas?  Who knows.

 

Bret


From: Allan Thomson <athomson@lookingglasscyber.com>
Sent: Thursday, November 1, 2018 8:46:25 AM
To: Bret Jordan; cti@lists.oasis-open.org
Subject: [EXT] Re: [cti] Observable Debate

 

Bret – Any ballot is premature. We need further discussion and ideas on the table.

 

Allan

 

From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com>
Date: Thursday, November 1, 2018 at 7:45 AM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] Observable Debate

 

Maybe we should do a non-binding ballot at this stage, open to all TC members not just voting members, just to get a pulse of where the TC is at.  

 

Possible ballot question: What do you think the TC should do in regards to Observed Data and Cyber Observables based on the discussions that have been happening on the list?

 

1) Do nothing, leave everything as is

 

2) Do nothing for 2.x but target a change for 3.0 and define a timetable to start work on 3.0 

 

3) Leave Observed Data as is, but also allow cyber observables to become top-level objects.  This would be two ways of doing something, but would not break any existing code. This would allow a transition over time. 

 

4) Make cyber observables top-level objects and make Observed Data contain a list of embedded references (option 1 prime)

 

5) Change Observed Data and Relationships to allow for deep referencing (Medusa or Medusa-like solution)

 

6) Change Observed Data so that it becomes a generic wrapper for cyber observables and some relationships are made external and some are kept as internal (not to be confused with our use of embedded relationships). Basically option 7 with some of John Wunder's tweaks. 

 

7) Other - User added solution 

 

 

 

Maybe this would help us figure out how far away we are?  Maybe it could eliminate an option or two to focus the discussion?

 

Bret


