Jane,
I don’t disagree with anything you said, but are you implying that has some relevance to whether we propose STIX be an ITU standard? Note many OASIS standards have become ITU standards. Maybe Chet could provide a list of other OASIS standards
that have become ITU standards?
Rob mentioned a concern over whether doing this put any restrictions on us. I do not believe it does. My belief is the other way round – OASIS puts the restrictions on the ITU. Maybe OASIS staff could provide us with the process and something
on the experience of the many other TCs that have already done this?
At the meeting, my perception of the reservation raised seemed to be about STIX stability. I did not realize there are concerns about the stability of the standard and I would like to hear more about those concerns. But even if we intend
to update it monthly (which I don’t think will be the case), I still don’t see that as a barrier to adoption by the ITU.
Note if we don’t promote STIX to be the standard for threat intelligence, the ITU could conceivably make a different standard which I think would be a travesty. I wouldn’t think they would do that since we have one ready-made and easy for
them to adopt – as long as we are willing to provide it to them.
--
Duncan Sparrell
sFractal Consulting LLC
iPhone, iTypo, iApologize
I welcome VSRE emails. Learn more at http://vsre.info/
From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of JG @ OASIS <jg@ctin.us>
Date: Friday, April 22, 2022 at 12:44 PM
To: cti@lists.oasis-open.org <cti@lists.oasis-open.org>
Subject: Re: [cti] RE: [External] RE: [cti] Propose ITU STIX standard as agenda topic for next month
All:
Adding some information to this thread about ITU:
State of play: The U.S. is running a candidate to lead the International Telecommunication Union (ITU), the telecommunications agency of the UN.
- If elected, Doreen Bogdan-Martin would be the first female secretary-general of the ITU, and the first U.S. leader since the 1960s.
- Her competition is Russian candidate Rashid Ismailov, who previously worked for the Russian government and Huawei, as well as Nokia and Ericsson.
There's a battle brewing over how much of a role the ITU and governments should have over internet standards and protocols, with China
and Russia advocating for the ITU to have more control over how the internet operates.
Source: https://www.axios.com/us-russia-internet-international-telecommunication-union-b1704192-495d-4fdc-95e2-cb923906c501.html
Jane Ginn
Cyber Threat Intelligence Network
On 4/22/2022 9:29 AM, Coderre, Rob wrote:
Jason,
Thanks for the info. That doesn’t sound onerous, which was my biggest “concern”.
Rob
From my understanding this is simply a waterfall-sequence process by which a specific version is being "blessed" by ITU. There are no ramifications or restrictions on what OASIS or the
CTI TC can release as updates, they just won't be part of that until there's an update.
Maybe OASIS can do an out of band presentation on the ITU process?
Jason,
Speaking for myself, I don’t think there are any “concerns” per se, but more questions around process and what ITU standardization means for updates and additions to the spec
over time. Does acceptance and publication by ITU put any additional restrictions on things? I am generally in favor, as this would open up broader acceptance of the TC standards for international use. I just don’t know enough about the process to make
a truly informed decision.
Best,
Rob
I just want to chime in that, for whatever it's worth, I fully support this as well.
Unfortunately I could not make the meeting so I am unclear what if any concerns were raised - and am somewhat surprised there are any? - I am also interested in
hearing them be raised on the list, as soon as possible.
I fully support this for both STIX 2.1 and TAXII 2.1. I was the one that originally floated the idea to the ITU-T SG17 Chair and the US and UK delegations. I still fully support this and would suggest that the TC vote on this so that it can be official.
If there are any issues, as Duncan mentioned, please air them on the public mailing list so that they can be archived and documented.
I would like to propose that there be an agenda item on next month’s TC call to discuss whether CTI TC should liaise with ITU on making STIX 2.1 an ITU standard.
My understanding (as official OASIS Liaison to ITU SG17 and attending most SG17 meetings for last few years) is that ITU has sent OASIS several liaisons requesting this. My understanding (from discussion with OASIS legal counsel) is that
it was inappropriate prior to STIX becoming an OASIS standard (i.e., TC committee spec is not appropriate, but OASIS standard is) and that had been the holdup in the past. OASIS formally responded to ITU with that fact and implied that once STIX 2.1 was approved
as standard, that OASIS would then proceed with ITU standardization. STIX 2.1 is now an OASIS standard so that hurdle is removed. Today was the first I’d heard that there are other concerns. I would like those concerns aired (ideally via email prior to next
month’s TC meeting) and a plan created to address them if possible so we at least know a proposed timeline on when we might proceed. Or to decide that ITU standardization is inappropriate if that is the will of the group (which I really hope is not the
case).
OASIS is proud that one of its advantages is that it has been a path to ITU standardization for many influential standards. In my opinion, ITU standardization would help address many of the issues brought up on today’s call with respect
to increasing STIX awareness and adoption, and a more global reach for the TC.
Ditto everything above for TAXII but in the interest of one-step-at-a-time, I’ll settle for discussing STIX.
iPhone, iTypo, iApologize
--
**********************************
R. Jane Ginn, MSIA, MRP
OASIS, CTI TC Co-Secretary
OASIS, TAC TC Secretary
jg@ctin.us
**********************************