[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti] Re: [EXT] [cti] RE: TAXII Version Filter - Please review
This specific text is on object lookup based on a version timestamp. I think its clearer if we donât confuse added_after functionality with this filter option.
So âIf the STIX object does not contain either a modified or created timestamp, then this filter may be ignoredâ
That is a good point... I am also starting to think that we should just not saying anything about those, or say that this specific version parameter does not work for objects that do not have versions. Meaning, if the version does not have a version, then this parameter is meaningless.
We would still need to figure out what we are going to do with the "last", "first", and "all" parameters. But the specific parameter I think we can just say it is not applicable.
Or we just say that for TAXII 2.1, we are going to do nothing here, and we will worry about it for TAXII 2.2. TAXII 2.2 could probably be released around the same time as STIX 2.1.
From: email@example.com <firstname.lastname@example.org> on behalf of Vargas-Gonzalez, Emmanuelle <email@example.com>
I feel like this line If the STIX object does not contain either a modified or created timestamp, then this filter should return the latest version according to the server.
does not convey (or goes against) the purpose of using the version filter. I am having a problem with the word latest on that line as not always we would want to resolve for the latest object in a server. Perhaps something like the following would allow for the resolution of objects without created or modified time.
If the STIX object does not contain either a modified or created timestamp, then this filter should use the date and time when the object was added to the server as a method to disambiguate the object to be returned.
Drew, Allan, and I took a stab at fixing the text on the version filter parameter so that can work with a STIX object that does not have a modified timestamp (marking-definition object). The text from section 3.4.1 now reads:
For STIX objects, this filter option requests objects whose modified time matches exactly the provided value and the value MUST follow the rules for timestamp as defined in [STIXâ Version 2.0. Part 1: STIX Core Concepts]. For STIX objects that do not contain a modified timestamp (ex. the marking-definition object), then this filter should match on the created timestamp. If the STIX object does not contain either a modified or created timestamp, then this filter should return the latest version according to the server.
For example: "2016-01-01T01:01:01.000Z" tells the server to return the exact STIX object(s) that matched the modified time or created time (in the case of a marking-definition object) of "2016-01-01T01:01:01.000Z".
The extra caveat for not having either a modified or created timestamp deals with the potential cyber observable changes. Please review and comment on the list with any concerns or changes.