

Subject: RE: [cti] RE: [EXT] [cti] Structural Changes to the STIX Docs


Comment on 1):

 

  It seems valuable to have a STIX Domain Objects section, a STIX Relationship Objects section, and a STIX Other Objects section for the Bundle, Language Content, and Marking Definition on Part 2. I think Common Properties and other associated content could remain on Part 1.

 

Comment on 2):

 

  If the contents are more relevant to SCOs, could this be moved into Part 4 instead of Part 1? That way everything related to SCOs sits in a single document.

 

Comment on 3):

 

  I think it could be a good idea based on the comment above.

 

 

This aside, I share Sarah's concern about the rearrangement and timing. If it would be possible to record those section changes as part of the changelog in the new version it would be valuable. In regards to updating the definition of STIX objects, I see no problem in that and should help in providing more concise language.

 

- Emmanuelle

 

From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> On Behalf Of Wunder, John A.
Sent: Monday, February 11, 2019 10:45 AM
To: Kelley, Sarah E. <skelley@mitre.org>; Piazza, Rich <rpiazza@mitre.org>; Bret Jordan <Bret_Jordan@symantec.com>; cti@lists.oasis-open.org
Subject: Re: [cti] RE: [EXT] [cti] Structural Changes to the STIX Docs

 

These are good points, but I also agree with the point Bret has brought up a few times about how it can be confusing to see how Data Markings, Language Content, Bundle, etc. all relate to the other objects. A smaller scale version of this would be to clearly define the classes of objects in Part 1:

 

  • STIX Domain Objects
  • STIX Relationship Objects
  • STIX Cyber Observables
  • STIX Metadata Objects? STIX Helper Objects?

 

In each of those sections we can be very explicit about what that means, and in each object definition we describe that it's a STIX ___ Object. That requires very little reorganization but also (hopefully) makes the taxonomy of object types and when we're talking about each very clear.

 

Part 3 merge I think should be considered once the observable objects proposal is finalized and accepted - it just depends on how much overlap there is and what it would look like to merge it in to parts 1 and 4.

 

The vocabs probably should have been in Part 2 from the start, though along the lines of what Sarah suggested I wouldn't make the change in a point release when so much other stuff is changing.

 

John

 

From: <cti@lists.oasis-open.org> on behalf of "Kelley, Sarah E." <skelley@mitre.org>
Date: Monday, February 11, 2019 at 10:35 AM
To: Rich Piazza <rpiazza@mitre.org>, "Bret Jordan (CS)" <Bret_Jordan@symantec.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] RE: [EXT] [cti] Structural Changes to the STIX Docs

 

My biggest concern with making these changes is that it feels like it might be a lot of change for a dot release. Like if someone is just looking for what has changed between 2.0 and 2.1 it's going to be much harder to figure it out if we totally rearrange where to find things in the docs. I'm not opposed to the changes, but maybe this isn't the best time.

 

I also agree with Rich that this would take a considerable amount of time and thus potentially delay 2.1.

 

Thanks,

 

Sarah Kelley

Lead Cybersecurity Engineer, T8B2

Defensive Operations

The MITRE Corporation

703-983-6242

skelley@mitre.org


 

From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> On Behalf Of Piazza, Rich
Sent: Monday, February 11, 2019 10:22 AM
To: Bret Jordan <Bret_Jordan@symantec.com>; cti@lists.oasis-open.org
Subject: [cti] Re: [EXT] [cti] Structural Changes to the STIX Docs

 

I'm open to discussing these changes.  I have to read thru the changes from the F2F, and I haven't had the time yet.

 

My initial comment is that I kinda like having the underlying objects (the SOOs) in a separate document.  It helps make a clean separation between SDOs which are about the CTI information in the content, and SOOs which are more like metadata.  On the other hand, I never understood why the Vocabularies weren't in Part 2.

I also see the common properties as metadata. 

 

If Part 1 is all about metadata perhaps Part 3 could be merged in, since Part 3 is all about cyber observables metadata. 

 

The custom sections on Part 1 and 3 do seem somewhat redundant.

 

I just want to state that if making these editorial changes would significantly delay the release of STIX 2.1, then I would suggest we defer this to 2.2.

 

From: <cti@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com>
Date: Friday, February 8, 2019 at 5:02 PM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [EXT] [cti] Structural Changes to the STIX Docs

 

All,

 

As one of your editors on STIX, I would like to propose a few structural changes to the documents.

 

1) I would like to move all STIX objects to Part 2 and have the Common Properties be the first section in Part 2.  Basically have a STIX Domain Objects section, a STIX Relationship Objects section, and a STIX Other Objects section for the Bundle, Language Content, and Marking Definition. 

 

2) I would like to see about merging Part 3 in to Part 1.  The lines between them and the Chinese wall that we had between them, is fading fast.

 

3) I would like to have a common properties section in Part 4, as the first section.  Basically all of the common properties for Cyber Observable Objects.

 

This would then leave us with 3 main parts + pattern instead of 4 + patterning

 

I would then like to change the definition of STIX Objects to include SDOs, SROs, SOOs, and SCOs.  I think this will help people better understand what we are talking about and give us a better way of referencing all of the parts. 

 

Bret


