Subject: Re: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply
Tony - I understand and value the goal of expanding to other sectors. My point is do that with V2. Not V1. Most companies doing CTI are global companies including my own.

Supporting 2 versions of a standard is both costly, time-consuming, error-prone and ultimately the downstream consumer of CTI is the one that is impacted by having multiple standards. ITU-T should focus on helping STIX/TAXII v2 expand its reach if they want to help. And that is my advice to OASIS.

From: Tony Rutkowski <tony@yaana.com>

Hi Allan,

Perhaps some background is useful. OASIS has had a working relationship for years with other standards bodies who assist in the global marketing and evangelization of its specification platforms to different user bases. In some of these bodies, there are authoritative translations to different languages as part of the value proposition. ETSI is one of them - which published a STIX derivative to enable its use as part of the normative NIS Directive. ITU-T SG17 is another. None of this is new, as similar activities have been occurring for decades.

About two years ago, Korean organizations began a cooperative effort in SG17 to develop telecommunication use cases for STIX use. The work seems to have been popular and they are expanding the work, and seeking OASIS collaboration in what they produce. Certainly care is needed so they are not developing their own alternative STIX specifications, but that doesn't appear to be what is occurring here. The participants there are not "foolish and disconnected" but appreciate the value proposition of CTI work and are attempting to expand its use to other sectors.

--tony

From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>

Regardless of when STIX2 becomes a full approved standard I think OASIS guidance to ITU-T should be that they should not standardize a standard (version1) that is already being replaced for good reason. I think it makes ITU-T look foolish and disconnected. But if they want to do that then go ahead. It's just an opinion.

From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "Kelley, Sarah E." <skelley@mitre.org>

If we would prefer to use STIX/TAXII 2, does this require that some form of STIX 2 and TAXII 2 be a full OASIS standard before next summer? Am I reading that correctly?

Sarah Kelley
Lead Cybersecurity Engineer, T8B2 Defensive Operations
The MITRE Corporation
703-983-6242

From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> On Behalf Of Allan Thomson

The importance of making sure VERSION 2 is the version to be considered as the primary standard for CTI sharing cannot be understated. The market already does not understand the important and significant differences between v1 and v2. I strongly suggest that OASIS make sure the ITU-T does everything it can to adopt version 2 not 1.

From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "jamie.clark@oasis-open.org" <jamie.clark@oasis-open.org>

Dear members of the CTI TC:

ACTION REQUESTED. Would you please let us (and the TC) know if there's any objection to that approach? We'll plan to send the "version 2 coming soon" message, as described above, which requires no TC vote, if we hear no objections. Please feel free to contact Chet or me if you have any questions.

Kind regards
Jamie

[1] Including SAML, XACML and CAP (an emergency services resources info protocol).

James Bryce Clark, General Counsel
https://www.oasis-open.org/staff
OASIS Borderless Cybersecurity conference, October 2018: https://us18.borderlesscyber.org/en/
Previously: Prague 2017, NYC 2017, Tokyo 2016, Brussels 2016, World Bank 2015