OASIS Mailing List Archives



Subject: Re: [cti] The inconsistencies we talked about on last working call


Bret -

 

On 6) a GPS location should not be forced to have a name. Suggest it's best to keep it optional and folks can use the name if they find it useful.

 

Btw - If we used Civic location data construct it includes the option of the name being part of the address anyway.

 

On 7) SCO are new effectively because they are now top-level objects. Most code has to know whether it's 2.0 vs 2.1 from the objects they're reading anyway. I don't see why spec_version is required for SCO in 2.1.

 

 

Allan Thomson

CTO (+1-408-331-6646)

LookingGlass Cyber Solutions

 

From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com>
Date: Thursday, June 27, 2019 at 3:21 PM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] The inconsistencies we talked about on last working call

 

All,

 

Here is the complete list of inconsistencies I found. The ones in red text we talked about on the last working call.

 

  1. Malware Object - Name is optional, boolean is called is_family versus just "family"
    1. We talked about name being optional and there are some good use cases for malware when you do not yet know a name, so optional really is key
    2. Is_Family is weird.  We do not say "is_revoked" or "is_defanged".  We should probably just call this "family"
  2. Indicator Object - Name is optional.
    1. We talked about this and many people wanted it required, but we decided to keep it optional and add a normative SHOULD to say it should be filled out.
  3. Grouping Object - Name is optional
    1. Is there a reason why you would not have a name for this?
  4. Sighting Object - Does not have a description like the Relationship object.
    1. Is there a reason why we would not want to have this?
  5. Marking Definition - Name is optional, there is no description defined.
    1. We cannot really make name required at this point, since the defined TLP markings do not have it. I guess we could, but it would require some text to explain why the TLPs did not have it, but it is NOW required.
    2. I am not sure why it does not have a description
  6. Location Object - Does not have a name.
    1. I am not sure why this is missing.  It seems like you would want or need the ability to call a location something.  "Joe's Internet Cafe".  Further, this should probably be required.
  7. SCOs - spec_version is optional
    1. Are we going to have problems because some SCOs have changed from 2.0 to 2.1?

 

 

Bret

 


