

Subject: Re: [EXT] Re: [cti] TAXII 2.1 WD06: Update and motion to make CSD03 and 2nd Public Review


There is no guarantee that cyber observables are not going to have a created time stamp.  I for one think they probably need it.  And I am beginning to wonder if they don't need to be full TLOs.  It will just save us a lot of pain in the future.

We want to get TAXII 2.1 out so people can start using the fixed features.   Otherwise they will have to wait another year for them to be able to use them.

You are always welcome to vote no on the document.  If it would make you happy, we could add a general overarching statement that says any object, STIX or otherwise, that does not support versioning should use a string consistently.  But I hate putting something in TAXII that calls out something in a future version of STIX that may or may not even happen.


 Bret 

Sent from my Commodore 128D

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

On Jan 24, 2019, at 8:28 PM, Allan Thomson <athomson@lookingglasscyber.com> wrote:

Bret – The suggested changes I proposed would have been more easily adopted by the SCO work and would not have caused conflict even if the future SCO work would change.

 

However, the adopted changes in WD6 are explicitly in conflict with the current SCO work and therefore will just cause further discussion and debate on TAXII when that could be avoided.

 

I don't understand why we are pushing a version of TAXII 2.1 out when the impact of any new version of companies to implement is sufficiently impactful that they are likely to schedule updating to TAXII and STIX at the same time.

 

Certainly there is no STIXPreferred interoperability for STIX2.0 with TAXII2.1 and unlikely to be anytime soon or ever.

 

I question the rationale for continued spec work (and taking the TC time to review and public reviews) and push on TAXII 2.1 until we get an updated STIX2.1 spec done *enough* to warrant organizations considering both spec updates at the same time.

 

Allan

 

From: Bret Jordan <Bret_Jordan@symantec.com>
Date: Thursday, January 24, 2019 at 11:12 AM
To: Allan Thomson <athomson@lookingglasscyber.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [EXT] Re: [cti] TAXII 2.1 WD06: Update and motion to make CSD03 and 2nd Public Review

 

The suggestions that were not adopted (just to be clear), were the suggestions to address how to deal with the yet to be decided cyber observables not having any timestamp.  The editors felt that it would be best to address that issue, if and when, those cyber observable changes get finalized in STIX. Especially since it is not yet clear if Cyber Observables can exist in such a limited fashion, meaning without at least a created timestamp.

 

Given how long it may take to move STIX 2.1 through the process, it is believed that it would be best to not hold up TAXII for an undetermined amount of time.

 

If we look at timeframes for STIX, just to keep things in perspective.  

 

1) Say we get agreement on Cyber Observables, Malware, and Infrastructure in the next 30 days (super aggressive)

1a) That puts us at or around the end of February

 

2) Then we have some editorial work to prep the documents to be done.  That will take 1 week+

3) Then we do a ballot to approve STIX 2.1 as a CSD.  That will take 2-weeks. 

3a) That puts us at or around the end of March

 

4) Then per the STIX process, we have 6 months to verify that the new cyber observables, malware, and infrastructure work

4a) That puts us at the end of September, assuming that nothing needs to be changed from the implementations 

 

5) Then we do another CSD ballot and 30-day public review period

5a) That puts us into early November (assuming no changes come in via public review)

 

So you can see, that if we hold TAXII up for STIX, it could be a LONG time before people can make use of the fixes we have put in to TAXII 2.1.  Which I personally feel is a bad idea. And if STIX cyber observables go through in their current form, we would have plenty of time to release TAXII 2.2 to address any of those changes. Or we could just simply release a simple errata document that says how to treat cyber observables in TAXII 2.1

 

 

Bret


From: Allan Thomson <athomson@lookingglasscyber.com>
Sent: Thursday, January 24, 2019 11:51:18 AM
To: Bret Jordan; cti@lists.oasis-open.org
Subject: [EXT] Re: [cti] TAXII 2.1 WD06: Update and motion to make CSD03 and 2nd Public Review

 

Bret – As exchanged over Slack, several of the comment resolutions are not agreeable to me.

 

So I object to approving this draft going to public review as it does not reflect unanimous agreement on comment resolution by the TC.

 

Allan

 

From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com>
Date: Thursday, January 24, 2019 at 10:39 AM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] TAXII 2.1 WD06: Update and motion to make CSD03 and 2nd Public Review

 

All,

 

The editors are pleased to announce the release of TAXII 2.1 Working Draft 06. This version has been uploaded to kavi, and the Google Doc version [1] has been locked down to prevent further edits or comments.  

 

At this time I would like to proceed with moving TAXII 2.1 forward, as such:

 

I move that the TC approve TAXII 2.1 Working Draft 06 and all associated artifacts packaged together in https://clicktime.symantec.com/3DBZ19rRpmzXnaJkBFR7Z5c7Vc?u=https%3A%2F%2Fwww.oasis-open.org%2Fcommittees%2Fdocument.php%3Fdocument_id%3D64588%26wg_abbrev%3Dcti as a Committee Specification Draft and designate the word version of the specification as authoritative.   

 

I also move that the TC approve submitting TAXII 2.1 Working Draft 06 contained in https://clicktime.symantec.com/3DBZ19rRpmzXnaJkBFR7Z5c7Vc?u=https%3A%2F%2Fwww.oasis-open.org%2Fcommittees%2Fdocument.php%3Fdocument_id%3D64588%26wg_abbrev%3Dcti for a second 15-day public review. The public review period will begin immediately after the CSD03 ballot has successfully passed and closed.

 

 

[1] https://docs.google.com/document/d/1EsiWY7TGqt9yH6QUXv4c-opXSr3wR0TDMt8Q0yJjpoo/edit#heading=h.4do73o99e2l7

 

Bret


