Subject: Re: [cti] Identifier is STIX
A single definition implies single semantic definitions and they are not that. The structural formats may be the same but how the value of the id is constructed is different. Therefore, suggesting that there should be a single definition is misleading and potentially more confusing than helpful.

All objects have identifiers of some form. That does not mean they all have the same method of constructing those identifiers.

Allan

From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com>

All,

With the recently requested change from EclecticIQ and others, the STIX IDs now can support UUIDv5 and the definition of the ID is now very close to the definition for the IDs we have for the new Cyber Observables. It is my personal opinion that we should have a single definition. Before today, the definitions were pretty far apart, but now, they are very close. I will copy them below. But basically the only real difference is the Cyber Observable ID allows the creator to use some random hashing algorithm in addition to UUIDv5. The STIX ID says it has to be either a UUIDv4 or UUIDv5.

STIX ID

An identifier universally and uniquely identifies a SDO, SRO, Bundle, Language Content, or Marking Definition, or SCO. Identifiers MUST follow the form object-type--UUID, where object-type is the exact value (all type names are lowercase strings, by definition) from the type property of the object being identified or referenced and where the UUID is either an RFC 4122-compliant Version 4 or Version 5 UUID. The UUID MUST be generated according to the algorithm(s) defined in RFC 4122, section 4.4 (Version 4 UUID) or section 4.3 (Version 5 UUID) [RFC4122].

For UUIDv5:

Cyber Observable ID

A deterministic-id uniquely identifies a STIX Cyber Observable in a deterministic way. Meaning, the ID for the exact same STIX Cyber Observable with the same contributing ID properties and same hash method used by two different producers SHOULD have the same ID value. Identifiers MUST follow the form object-type--hash, where object-type is the exact value (all type names are lowercase strings, by definition) from the type property of the object being identified or referenced and where the hash SHOULD be a UUIDv5 compliant hash. The data for the hash function SHOULD use JCS [ref todo] to build a canonical representation of the JSON data. The properties that SHOULD be included in the hash are defined for each STIX Cyber Observable as ID Contributing Properties.

Bret
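
The two definitions quoted in this message, worked through as an added example that is not part of the thread or of the STIX text: it derives a deterministic object-type--UUIDv5 identifier from an object's ID contributing properties and checks an identifier against the object-type--UUID form with a Version 4 or 5 UUID. The namespace, the function names, the sample objects and the choice of "value" as the contributing property are assumptions, and the JSON canonicalisation only approximates JCS for plain string values.

```python
import json
import uuid

# Assumption: namespace constructed for this example only; the message does
# not state which namespace UUIDv5 generation should use.
EXAMPLE_NAMESPACE = uuid.uuid5(uuid.NAMESPACE_URL, "https://example.invalid/stix-demo")


def deterministic_id(obj, contributing):
    """Build object-type--UUIDv5 from the object's ID contributing properties."""
    data = {k: obj[k] for k in contributing if k in obj}
    # Approximates JCS for plain string values: sorted keys, no whitespace.
    canonical = json.dumps(data, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return f"{obj['type']}--{uuid.uuid5(EXAMPLE_NAMESPACE, canonical)}"


def check_identifier(identifier, obj):
    """Return the UUID version (4 or 5) of a well-formed identifier, else raise."""
    obj_type, sep, value = identifier.partition("--")
    if not sep:
        raise ValueError("identifier is not of the form object-type--UUID")
    if obj_type != obj.get("type"):
        raise ValueError("object-type prefix does not match the type property")
    parsed = uuid.UUID(value)  # raises ValueError on malformed input
    if str(parsed) != value.lower() or parsed.variant != uuid.RFC_4122:
        raise ValueError("not an RFC 4122 UUID in canonical text form")
    if parsed.version not in (4, 5):
        raise ValueError(f"UUID version {parsed.version} is not allowed")
    return parsed.version


# Constructed sample objects: two producers describing the same observable,
# with keys in different order. "value" as the contributing property is an
# assumption made for this example.
PRODUCER_A = {"type": "ipv4-addr", "value": "198.51.100.7"}
PRODUCER_B = {"value": "198.51.100.7", "type": "ipv4-addr"}

if __name__ == "__main__":
    id_a = deterministic_id(PRODUCER_A, ["value"])
    id_b = deterministic_id(PRODUCER_B, ["value"])
    print(id_a, id_a == id_b, check_identifier(id_a, PRODUCER_A))
```

A consumer that receives the same observable from both producers can deduplicate on the identifier alone only if both used the same namespace, canonical form and contributing properties.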