

Subject: Re: [cti] STIX WG


At some level I can help with the COA extension and the relationships that are needed to point to a CACAO Playbook. CACAO was designed to natively plug into the STIX graph. You can think of a CACAO playbook as an SDO that was defined by a different group. The only thing needed is a set of relationships that can point to it. But I agree that we may want additional functionality in COA as well.

In regards to signing STIX and/or TAXII JSON payloads, there is a spec going through ITU-T SG17 Q11 for this and one that already went through the IETF and has an RFC number. The signature stuff is called X.JSS and uses RFC 8785. X.JSS may go to determination at the next meeting in September. This is the method that CACAO is using. I would strongly suggest that we here in the CTI TC do not reinvent the wheel but use the upcoming proposed X.number from the ITU. Remember X.500, X.509 and all other X.numbers come from the ITU.

Using something in STIX and TAXII from CACAO also has precedent since the whole extension mechanism that we now use in STIX comes from the work Allan and I did in CACAO. So using the same sort of digital signing solution makes a lot of sense. The solution defined in CACAO that uses X.JSS has already fleshed out all of the issues and includes things like counter-signing and multiple signatures.

Bret


On Thu, Jul 27, 2023 at 9:53 AM Vasileios Mavroeidis <vasileim@ifi.uio.no> wrote:
Hi all,

I'll be happy to lead the COA Playbook Extension. If more are interested in co-leading the effort with me and doing some preparatory work together, it would be great. We already have a lot of material with three different proposed approaches that I can present in the first meeting. Then we can take it from there.

Best,

Vasileios Mavroeidis
Professor for Cybersecurity @ University of Oslo
Standards Architect @ sekoia.io

On 25 Jul 2023, at 17:33, Emily Ratliff <Emily.Ratliff@ibm.com> wrote:

STIX WG members:

Now that the Incident extension is stable, we will turn our attention back to other topics. Please let us know if there is a topic or extension that you would like to lead.

We met last Friday to discuss priorities. We will take a bit of a break in August due to vacations. There will be no meetings on Aug. 4 and Aug. 11.

This Friday we will pick up where we left off with the updates to the Extension Policy that Rich was spearheading.

Topics for future meetings include:
  1. COA Playbook Extension
  2. JSON Signing – we need someone to lead a minigroup on this topic
  3. Container extension
  4. Asset extension – we need someone to lead a minigroup on this
  5. Location extension – covid previously proposed extending the Location object with GeoJSON, we need someone to lead a minigroup on this topic
  6. There have been some requests to extend the Infrastructure object into the SCADA space. We need an expert to participate, if we are going to consider this.
  7. Best practices for modelling x509 certificates – we need someone to lead this topic
  8. Updates to the STIX Patterning Language to address the deprecation of embedded relationships

If you are interested in leading any of these topics, please reach out to the WG. We can use the Friday timeslot or schedule separate mini-group discussions.

Thanks,

Emily


