OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [cti] Minor change to section 5.5.2 of the STIX specification based on issue 195

It is important to note, that the change to it being called "SCO" was probably done in error, when we went through and tried to find all of the examples and uses of SCOs, when we were updating the documents to reflect the SCO as top-level objects.ÂÂ

While this change is probably just undoing a typo. Rich and I feel like we need to make sure everyoneÂin the TC understands this and so everyone can comment on it.ÂÂ

If we need to go back to having it be a list of "SCOs", then the descriptions and definitionsÂin the Sighting Object probablyÂneed to be changed to make it consistent and ensure there are no conflicts.Â

Bret

On Tue, Dec 10, 2019 at 2:04 PM Piazza, Rich <rpiazza@mitre.org> wrote:

Issue 195 pointed out that in the embedded relationships table of Sightings â the following text seems to be in error:

ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ

observed_data_refs

list of type identifier (of type SCO)

Â

Based on the definition of observed_data_refs in section 5.2.1, the editors agreed it should be changed to:

Â

observed_data_refs

list of type identifier (of type observed-data)

Â

However, the editors wanted to point out the implications of this change.

Â

Given the change of SCOs to be top-level objects, it might be expected that an identifier of type SCO would also be valid. For example, if one wants to share that they saw (using a sighting object) an IP address â they could just put the id of the IP address SCO in the observed_data_refs property of the sighting.

Â

This change would make such a sighting object invalid.

Â

Previously, it was necessary to âwrapâ the IP address in Observed Data object â because that was the only place the IP address could be specified.

With the change to top-level SCOs, this is no longer true. It might seem unnecessary for the sighting to reference an Observed Data object, which then references the IP address SCO â but with this change â the specification requires it.

Â

If you have objections to this â we can discuss it on the next working call.

Â

ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ Rich

Â

--Â

Rich Piazza

The MITRE Corporation

781-271-3760

Â

signature_1179553494

Â

Â



--

Thanks,
Bret
PGP Fingerprint:Â63B4 FC53 680A 6B7D 1447 ÂF2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]