Subject: Re: [cti] Identity objects in the STIX common object repository


Rich - I was primarily suggesting that identity of producers of extensions be published so that others can know where the extension comes from and in cases where they would like to contact the producers (or people forking changes) can reach out to them. This would be akin to a userid in GitHub of the submitter but would be the STIX2 identity object. 

So it could be as simple as when someone submits a PR to the repo that they include both the extension and their identity object they wish to use as "created_by_ref".

Any vetting on the identity object validity could be done as part of accepting the PR to the repo.

I don't see why this needs to be related to "consumption" at all and certainly removes the concern of anonymity as an entity that is publishing an extension is presumably doing that because they want the community to use it and naturally would want to be associated with that content. I can't imagine a case where someone would publish an extension and not want to be associated with it by remaining anonymous. But I can imagine lots of cases where using extensions would be kept private because entities don't want to share that they are using them for specific applications or uses.

Allan

On Jun 10, 2021, at 11:52 AM, Rich Piazza <rpiazza@mitre.org> wrote:

Hi everyone,

Both Jason and Allan have proposed storing identity objects for producers and consumers in the STIX common object repository.

This sounds like a good idea to me. The repo could act as a "white pages" for STIX users.

If you receive some content but it doesn't include the Identity object referred to in the created_by_ref property, not knowing who created the content could be an impediment to trusting/using it. Additionally, if an extension definition is stored in the repository, you might want contact information of the creator to discuss how to use the extension.

Of course, some STIX users will prefer to remain anonymous – so this would not be for them. There is the problem of having a common place to find Identity objects to facilitate spoofing the creator of a submission, although there is nothing to prevent that currently.

There would need to be some protocol to vet any Identity object submissions to the repository and there might be multiple identities for an individual/organization, but those details can be worked out.

Comments??

Rich P.

--

Rich Piazza

Lead Cyber Security Engineer

The MITRE Corporation

781-271-3760

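As an added illustration of the vetting step Allan describes, the following Python check is the kind of gate a repository maintainer could run on a pull request before merging it. It is example code written for this page, not code from the thread, from the OASIS CTI TC or from any STIX tooling. It requires every extension-definition in the submitted bundle to carry a created_by_ref that resolves to an Identity object shipped in the same submission (so reviewers can see who is publishing the extension), rejects malformed or type-mismatched STIX identifiers, and reports a missing contact_information only as a warning, since that property is optional in STIX but is exactly what Rich says a consumer would want. The bundle, UUIDs, names and URL below are constructed sample data.

```python
import copy
import re

# STIX 2.x identifier shape: "<object-type>--<UUID>". We only check the shape
# and that the prefix matches the object's declared type; whether the UUID is
# v4/v5 as the spec recommends is out of scope for this example (assumption).
STIX_ID_RE = re.compile(
    r"^(?P<type>[a-z][a-z0-9-]{0,249})--"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)


def _well_formed_id(obj):
    """True when obj['id'] has the STIX shape and its prefix equals obj['type']."""
    match = STIX_ID_RE.match(str(obj.get("id", "")))
    return bool(match) and match.group("type") == obj.get("type")


def check_submission(bundle):
    """Vet a submitted STIX bundle that is meant to add extension definitions.

    Returns {"errors": [...], "warnings": [...]}. An empty error list means
    every extension-definition names its producer through created_by_ref and
    that Identity object travels with the submission, so a maintainer can
    review the claimed producer before accepting the PR.
    """
    errors, warnings = [], []
    by_id = {}

    # Index every object, rejecting ones whose id is malformed or whose id
    # prefix disagrees with the declared type (a cheap spoofing/typo check).
    for obj in bundle.get("objects", []):
        if not isinstance(obj, dict) or "type" not in obj or "id" not in obj:
            errors.append("object without both 'type' and 'id'")
            continue
        if not _well_formed_id(obj):
            errors.append(f"malformed or type-mismatched id: {obj['id']!r}")
            continue
        if obj["id"] in by_id:
            errors.append(f"duplicate id in submission: {obj['id']}")
        by_id[obj["id"]] = obj

    ext_defs = [o for o in by_id.values() if o["type"] == "extension-definition"]
    if not ext_defs:
        errors.append("submission contains no extension-definition object")

    for ext in ext_defs:
        ref = ext.get("created_by_ref")
        if not ref:
            errors.append(f"{ext['id']}: missing created_by_ref")
            continue
        producer = by_id.get(ref)
        if producer is None:
            errors.append(f"{ext['id']}: created_by_ref {ref} is not included in the submission")
            continue
        if producer["type"] != "identity":
            errors.append(f"{ext['id']}: created_by_ref {ref} is a {producer['type']}, not an identity")
            continue
        if not producer.get("name"):
            errors.append(f"{ref}: identity has no name")
        if not producer.get("contact_information"):
            warnings.append(f"{ref}: identity has no contact_information")

    return {"errors": errors, "warnings": warnings}


# Constructed sample submission: one producer Identity plus the extension it
# publishes. Ids are placeholder UUIDs, not identifiers from the thread.
PRODUCER_ID = "identity--00000000-0000-4000-8000-0000000000aa"
GOOD_SUBMISSION = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": PRODUCER_ID,
            "created": "2021-06-10T15:52:00.000Z",
            "modified": "2021-06-10T15:52:00.000Z",
            "name": "Example Extension Producer",
            "identity_class": "organization",
            "contact_information": "extensions@example.org",
        },
        {
            "type": "extension-definition",
            "spec_version": "2.1",
            "id": "extension-definition--00000000-0000-4000-8000-0000000000bb",
            "created_by_ref": PRODUCER_ID,
            "created": "2021-06-10T15:52:00.000Z",
            "modified": "2021-06-10T15:52:00.000Z",
            "name": "Example property extension",
            "schema": "https://example.org/schemas/example-ext.json",
            "version": "1.0",
            "extension_types": ["property-extension"],
        },
    ],
}

# Same submission with the Identity object left out: the PR should be rejected.
MISSING_IDENTITY_SUBMISSION = copy.deepcopy(GOOD_SUBMISSION)
MISSING_IDENTITY_SUBMISSION["objects"] = [
    o for o in MISSING_IDENTITY_SUBMISSION["objects"] if o["type"] != "identity"
]

if __name__ == "__main__":
    for label, sub in (("good", GOOD_SUBMISSION), ("missing-identity", MISSING_IDENTITY_SUBMISSION)):
        print(label, check_submission(sub))
```

The check deliberately treats "Identity object present and well-formed" as the machine-checkable part; whether the named organization really is the submitter is the human vetting Rich and Allan both leave to the PR review, and the script only makes sure the reviewer has the object in front of them.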
