[cti-users] Re: [cti-stix] MTI Binding


[cti-users] Re: [cti-stix] MTI Binding

Aharon Chernin
Bret, I think we need to propose that STIX, CybOX, and TAXII have to require a default binding type first. Then the MTI motion could be changed to something like, “I would like to propose that we adopt JSON as the default binding”.

Aharon

From: <[hidden email]> on behalf of "Jordan, Bret"
Date: Tuesday, October 6, 2015 at 11:45 AM
To: "[hidden email]", "[hidden email]"
Subject: [cti-stix] MTI Binding

We have had a good discussion here and on the wiki and I have seen a lot of people advocating for JSON to be used as the MTI.  While a few other options have been tossed around and discussed they do not seem to have an advocate pushing for them nor do they seem to have the broad support that JSON does.  

Therefore, I would like to formally propose that we adopt JSON as the MTI for STIX 2.0 and CybOX 3.0.


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Oct 6, 2015, at 06:17, Davidson II, Mark S <[hidden email]> wrote:

I think we’re wrapped around the axle a little bit on this whole topic. I’d like to try and step back and ask some basic questions:
 
1. Is anyone actually proposing JSON-LD as the MTI for STIX? I’ve seen the question asked, and I’ve seen lots of discussion. Is there somebody who would like to come forward and state their opinion that JSON-LD should be the MTI for STIX?
Note: I see this question as a higher bar than asking who thinks we should consider it – IMO the recent discussion makes it clear that we are considering it

2. There was an opinion that the proposed examples (the indicator and incident idioms) wouldn’t be sufficient for comparing size and complexity. What examples would be sufficient?

3. What toolchain is required to develop software that supports using a model without any custom code? Maybe I’m missing something, but if I have a product and I want to add STIX support, won’t developers have to write code? 
I guess at its core – I hear what people are saying about models and not programming to the data syntax, I just don’t understand how that actually works (the more concrete the example the better, at least for me).
 
Thank you.
-Mark
 


[cti-users] Re: [cti-stix] MTI Binding

Jordan, Bret
Sounds good...

I would like to formally make a motion that we require a default binding for STIX 2.0 and CybOX 3.0.  


If this is agreed upon, then:

I would like to formally make a motion that the default binding for STIX 2.0 and CybOX 3.0 be JSON.


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Oct 6, 2015, at 10:40, Aharon Chernin <[hidden email]> wrote:

Bret, I think we need to propose that STIX, CybOX, and TAXII have to require a default binding type first. Then the MTI motion could be changed to something like, “I would like to propose that we adopt JSON as the default binding”.

Aharon


Re: [cti-users] Re: [cti-stix] MTI Binding

SOC
I too would like to see JSON as the default and second that! 

Kevin Wetzel
Jigsaw Enterprise


On Oct 6, 2015, at 12:49 PM, Jordan, Bret <[hidden email]> wrote:

Sounds good...

I would like to formally make a motion that we require a default binding for STIX 2.0 and CybOX 3.0.  


If this is agreed upon, then:

I would like to formally make a motion that the default binding for STIX 2.0 and CybOX 3.0 be JSON.


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 


[cti-users] Model / Binding Motions

Foley, Alexander - GIS
In reply to this post by Jordan, Bret

By my count:

1. We have Bret’s motion that we require a default binding for STIX and CybOX and it requires a second.

   a. If this motion succeeds, we have Bret’s motion that JSON be chosen as the default binding for STIX and CybOX and it requires a second.

      i. Kevin Wetzel, I apologize but I do not see you as a member of the cti committee… please follow up with myself, Rich, Chet or OASIS if that’s an incorrect assumption

   b. We also have an (alternate?) proposal from Cory that JSON-LD specifically be chosen as our default binding and it requires a second.

I must admit this conversation has been very difficult to follow – if I’m missing a key motion that we construct a UML / RDF / OWL model that’s separate from choosing a new preferred binding / data encoding, please feel free to propose or second any motions.

Thanks,

Alex


From: [hidden email] [mailto:[hidden email]] On Behalf Of Jordan, Bret
Sent: Tuesday, October 06, 2015 12:49 PM
To: Aharon Chernin
Cc: [hidden email]; [hidden email]
Subject: [cti-users] Re: [cti-stix] MTI Binding

 

Sounds good...

 

I would like to formally make a motion that we require a default binding for STIX 2.0 and CybOX 3.0.  

 

 

If this is agreed upon, then:

 

I would like to formally make a motion that the default binding for STIX 2.0 and CybOX 3.0 be JSON.

 

Thanks,

 

Bret

 

 

 

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

 


This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer. If you are not the intended recipient, please delete this message.

Re: Is anyone actually proposing JSON-LD as the MTI for STIX?

Ok, I will step into it and propose JSON-LD as a MTI based on the following MINIMUM requirements for any exchange format:

1: That all data exchange is described by one or more machine readable schema

2: That all exchange data reference its definition(s) such that every tag used may be deterministically bound to its definition

3: That elements in an exchange document be able to reference elements in other exchange documents

4: That all STIX exchange formats utilize existing standards and not duplicate standard capabilities.

5: That the STIX exchange schema scale in complexity based on requirements (simple things should be simple, complex things possible and reasonable)

 

I would note that current STIX-XML meets all of the above except #3 and perhaps #5. Simple JSON meets none. IMHO JSON-LD meets all. It is not perfect, perfect is not available – it seems a good balance between simplicity and flexibility. I would also emphasize that the above list is minimal, there are other desirable features. I would be surprised if these requirements were not ubiquitous in the group.

 

I would also point out the relative risks. If some are correct and STIX is a closed manual coded system then JSON-LD will have some unused and ignored context sections in the front and we will have wasted some time making the RDF schema. The alternative risk for “simple JSON” is that it will not be possible to have dynamic use of stix data, that data external to stix will be unusable, that data internal to stix will be unavailable to others – that STIX is another “data island” where the sea-change is moving in the opposite direction.

 

-Cory Casanave

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Davidson II, Mark S
Sent: Tuesday, October 06, 2015 8:17 AM
To: Jordan, Bret; Cory Casanave; [hidden email]; [hidden email]
Subject: [cti-users] RE: [cti-stix] [cti-users] MTI Binding

 

I think we’re wrapped around the axle a little bit on this whole topic. I’d like to try and step back and ask some basic questions:

 

1. Is anyone actually proposing JSON-LD as the MTI for STIX? I’ve seen the question asked, and I’ve seen lots of discussion. Is there somebody who would like to come forward and state their opinion that JSON-LD should be the MTI for STIX?

Note: I see this question as a higher bar than asking who thinks we should consider it – IMO the recent discussion makes it clear that we are considering it

2. There was an opinion that the proposed examples (the indicator and incident idioms) wouldn’t be sufficient for comparing size and complexity. What examples would be sufficient?

3. What toolchain is required to develop software that supports using a model without any custom code? Maybe I’m missing something, but if I have a product and I want to add STIX support, won’t developers have to write code?

I guess at its core – I hear what people are saying about models and not programming to the data syntax, I just don’t understand how that actually works (the more concrete the example the better, at least for me).

 

Thank you.

-Mark

 

From: [hidden email] [[hidden email]] On Behalf Of Jordan, Bret
Sent: Monday, October 05, 2015 10:23 PM
To: Cory Casanave <[hidden email]>; [hidden email]; [hidden email]
Subject: Re: [cti-stix] [cti-users] MTI Binding

 

Cory,

 

Please help me understand....  

 

Say for kicks and giggles I have some structs that look like this to consume an Indicator in a STIX package

 

type StixMessageType struct {
       Id         string                    `json:"id,omitempty"`
       IdRef      string                    `json:"idref,omitempty"`
       Timestamp  string                    `json:"timestamp,omitempty"`
       Version    string                    `json:"version,omitempty"`
       Indicators []indicator.IndicatorType `json:"indicators,omitempty"`
}

 

type IndicatorType struct {
       Id                           string                               `json:"id,omitempty"`
       IdRef                        string                               `json:"idref,omitempty"`
       Timestamp                    string                               `json:"timestamp,omitempty"`
       Version                      string                               `json:"version,omitempty"`
       Negate                       bool                                 `json:"negate,omitempty"`
       Title                        string                               `json:"title,omitempty"`
       Types                        []string                             `json:"type,omitempty"`
       AlternativeIDs               []string                             `json:"alternative_ids,omitempty"`
       Descriptions                 []common.StructuredTextType          `json:"descriptions,omitempty"`
       ShortDescriptions            []common.StructuredTextType          `json:"short_descriptions,omitempty"`
       ValidTimePositions           []ValidTimeType                      `json:"valid_time_positions,omitempty"`
       Observable                   *observable.ObservableType           `json:"observable,omitempty"`
       CompositeIndicatorExpression *CompositeIndicatorExpressionType    `json:"composite_indicator_expression,omitempty"`
       IndicatedTTP                 []common.RelatedTTPType              `json:"indicated_ttps,omitempty"`
       KillChainPhases              []common.KillChainPhaseReferenceType `json:"kill_chain_phases,omitempty"`
       TestMechanisms               []TestMechanismType                  `json:"test_mechanisms,omitempty"`
       LikelyImpact                 *common.StatementType                `json:"likely_impact,omitempty"`
       SuggestedCOAs                []SuggestedCOAsType                  `json:"suggested_coas,omitempty"`
       Handling                     []common.MarkingSpecificationType    `json:"handling,omitempty"`
       Confidence                   *common.ConfidenceType               `json:"confidence,omitempty"`
       Sightings                    *SightingsType                       `json:"sightings,omitempty"`
       RelatedIndicators            *RelatedIndicatorsType               `json:"related_indicators,omitempty"`
       RelatedCampaigns             *RelatedCampaignReferencesType       `json:"related_campaigns,omitempty"`
       RelatedPackages              []common.RelatedPackageRefType       `json:"related_packages,omitempty"`
       Producer                     *common.InformationSourceType        `json:"producer,omitempty"`
}

And let's say I get an indicator over the wire that looks something like this, built directly from the STIX 1.2 schema.

 

{
    "stix_package": {
        "id": "example:package-1ad2aab5-1707-4fcc-8fd2-ebae152adeec",
        "indicators": [
            {
                "id": "example:indicator-8571137a-32a2-4934-8077-2129475813af",
                "idref": "companyfoo:indicator-1234-1234-1234-1234",
                "timestamp": "2015-10-05T20:03:23-06:00",
                "version": "1.2.1",
                "title": "Some really neat indicator that we found",
                "type": [
                    "URL Watchlist"
                ],
                "alternative_ids": [
                    "CV-2014-12-12345",
                    "CV-2015-02-54321"
                ],
                "descriptions": [
                    {
                        "id": "example:text-8769b510-9e76-4573-9778-864a51f052ae",
                        "format": "text/plain",
                        "value": "Some long description"
                    }
                ],
                "short_descriptions": [
                    {
                        "id": "example:text-12170f79-62f4-48d9-9a97-d7077f05714f",
                        "format": "text/plain",
                        "value": "Some shorter description"
                    }
                ]
            }
        ]
    }
}

 

We have a version field to say what version of an indicator it is and we know the type because it is in an indicator blob inside a stix_package blob.  

 

How does adding namespace elements make this more clear? 

 

I can easily parse this indicator and do interesting things with it.  I can parse the TTPs that reference it and do things with them.  I understand all of the fields in the indicator package because they are all well documented on the GitHub site [1] for Indicators.  So I can either dump this data into a relational database or into a document database like MongoDB.

 

Please help me understand why namespaces are required for structured data that is well defined.  Like I said before, I can totally get and fully understand the need for JSON-LD in the open web.  It makes perfect sense when you need this to share say random profile data between two or more entities (twitter, Facebook, youtube, etc).  But we are not transporting random CTI, it will be in STIX.  So alternative_ids are Alternative IDs, and a title is a Title.  I do not see how JSON-LD helps us in any way other than making a case for RDF over UML/OWL as RDF can work with JSON-LD.

 

The only value I can see for JSON-LD is if we want to allow overloading.  So I can make my own Indicator format and not adhere to the STIX version of an Indicator.  In that case, yes, I can see the value, but I can also see the madness and chaos that would come from it.  

 

 

 

Thanks,

 

Bret

 

 

 

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

 






This publicly archived list provides a forum for asking questions,
offering answers, and discussing topics of interest on STIX,
TAXII, and CybOX.  Users and developers of solutions that leverage
STIX, TAXII and CybOX are invited to participate.

In order to verify user consent to OASIS mailing list guidelines
and to minimize spam in the list archive, subscription is required
before posting.

Subscribe: [hidden email]
Unsubscribe: [hidden email]
Post: [hidden email]
List help: [hidden email]
List archive: http://lists.oasis-open.org/archives/cti-users/
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
CTI Technical Committee: https://www.oasis-open.org/committees/cti/
Join OASIS: http://www.oasis-open.org/join/
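
As an added illustration (not code from any message in this thread), the Go sketch below decodes the sample stix_package document from Bret Jordan's message with encoding/json in strict mode, so a key that has no struct field is rejected instead of being silently dropped. The trimmed struct names, the Envelope wrapper, the ParsePackage function and the ID and timestamp checks are assumptions made for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
	"time"
)

// Trimmed stand-ins for the structs in the message (hypothetical names; only
// the fields present in the sample document are modelled).
type StructuredText struct {
	ID     string `json:"id,omitempty"`
	Format string `json:"format,omitempty"`
	Value  string `json:"value,omitempty"`
}

type Indicator struct {
	ID                string           `json:"id,omitempty"`
	IDRef             string           `json:"idref,omitempty"`
	Timestamp         string           `json:"timestamp,omitempty"`
	Version           string           `json:"version,omitempty"`
	Title             string           `json:"title,omitempty"`
	Types             []string         `json:"type,omitempty"`
	AlternativeIDs    []string         `json:"alternative_ids,omitempty"`
	Descriptions      []StructuredText `json:"descriptions,omitempty"`
	ShortDescriptions []StructuredText `json:"short_descriptions,omitempty"`
}

type Package struct {
	ID         string      `json:"id,omitempty"`
	Indicators []Indicator `json:"indicators,omitempty"`
}

// Envelope models the outer "stix_package" key of the sample (assumed wrapper).
type Envelope struct {
	Package *Package `json:"stix_package"`
}

// sampleIndicator is the JSON from the message, values unchanged, whitespace compacted.
const sampleIndicator = `{"stix_package": {
  "id": "example:package-1ad2aab5-1707-4fcc-8fd2-ebae152adeec",
  "indicators": [{
    "id": "example:indicator-8571137a-32a2-4934-8077-2129475813af",
    "idref": "companyfoo:indicator-1234-1234-1234-1234",
    "timestamp": "2015-10-05T20:03:23-06:00",
    "version": "1.2.1",
    "title": "Some really neat indicator that we found",
    "type": ["URL Watchlist"],
    "alternative_ids": ["CV-2014-12-12345", "CV-2015-02-54321"],
    "descriptions": [{"id": "example:text-8769b510-9e76-4573-9778-864a51f052ae",
      "format": "text/plain", "value": "Some long description"}],
    "short_descriptions": [{"id": "example:text-12170f79-62f4-48d9-9a97-d7077f05714f",
      "format": "text/plain", "value": "Some shorter description"}]
  }]
}}`

// ParsePackage decodes one document and applies the checks a consumer of
// untrusted input would want before storing it (checks are assumptions).
func ParsePackage(data []byte) (*Package, error) {
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields() // unknown or misspelled keys become errors
	var env Envelope
	if err := dec.Decode(&env); err != nil {
		return nil, fmt.Errorf("decode: %w", err)
	}
	if _, err := dec.Token(); err != io.EOF {
		return nil, errors.New("trailing data after the document")
	}
	if env.Package == nil {
		return nil, errors.New("missing stix_package wrapper")
	}
	for i, ind := range env.Package.Indicators {
		// IDs in the sample are qualified names of the form prefix:local.
		parts := strings.SplitN(ind.ID, ":", 2)
		if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
			return nil, fmt.Errorf("indicator %d: id %q is not prefix:local", i, ind.ID)
		}
		if _, err := time.Parse(time.RFC3339, ind.Timestamp); ind.Timestamp != "" && err != nil {
			return nil, fmt.Errorf("indicator %d: timestamp: %w", i, err)
		}
	}
	return env.Package, nil
}

func main() {
	pkg, err := ParsePackage([]byte(sampleIndicator))
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	for _, ind := range pkg.Indicators {
		fmt.Printf("%s %v %q\n", ind.ID, ind.Types, ind.Title)
	}
}
```

Without DisallowUnknownFields, encoding/json ignores keys it cannot map to a field, so a misspelled or unexpected key in a received document would pass unnoticed.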


Re: [cti-users] Model / Binding Motions

Barnum, Sean D.
I do not believe that we are at all ready to be making any decisions on MTI or even really on default bindings yet.

Before such decisions can be made we first need four things:
  • Understanding and consensus on the requirements and evaluation criteria that should be used to select an MTI or default binding
  • Identification and understanding of potential binding options and their capabilities and limitations
  • Understanding of how each potential binding option meets or does not meet the consensus requirements and evaluation criteria
  • Understanding of member opinions and preferences

We simply do not have any of these things yet. Ongoing discussions on the list demonstrate that clearly, I believe.
Even if we had all of the above worked out for our current knowledge, we still would not necessarily have enough to make a decision today as many of the issues and proposals for STIX 2.0 changes have the likelihood of affecting the consensus requirements and evaluation criteria for an MTI. 
Any decisions made on incomplete information are likely to be poor ones.

I would propose that attempting to cut short discussions aimed at addressing the above needs would be premature at this time.

sean

From: <[hidden email]> on behalf of "Foley, Alexander - GIS"
Date: Tuesday, October 6, 2015 at 2:05 PM
To: "[hidden email]", "[hidden email]"
Subject: [cti-users] Model / Binding Motions

By my count:

1. We have Bret’s motion that we require a default binding for STIX and CybOX and it requires a second.

   a. If this motion succeeds, we have Bret’s motion that JSON be chosen as the default binding for STIX and CybOX and it requires a second.

      i. Kevin Wetzel, I apologize but I do not see you as a member of the cti committee… please follow up with myself, Rich, Chet or OASIS if that’s an incorrect assumption

   b. We also have an (alternate?) proposal from Cory that JSON-LD specifically be chosen as our default binding and it requires a second.

I must admit this conversation has been very difficult to follow – if I’m missing a key motion that we construct a UML / RDF / OWL model that’s separate from choosing a new preferred binding / data encoding, please feel free to propose or second any motions.

Thanks,

Alex


From: [hidden email] [[hidden email]] On Behalf Of Jordan, Bret
Sent: Tuesday, October 06, 2015 12:49 PM
To: Aharon Chernin
Cc: [hidden email]; [hidden email]
Subject: [cti-users] Re: [cti-stix] MTI Binding

 

Sounds good...

 

I would like to formally make a motion that we require a default binding for STIX 2.0 and CybOX 3.0.  

 

 

If this is agreed upon, then:

 

I would like to formally make a motion that the default binding for STIX 2.0 and CybOX 3.0 be JSON.

 

Thanks,

 

Bret

 

 

 

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

 

On Oct 6, 2015, at 10:40, Aharon Chernin <[hidden email]> wrote:

 

Bret, I think we need to propose that STIX, CybOX, and TAXII have to require a default binding type first. Then the MTI motion could be changed to something like, “I would like to propose that we adopt JSON as the default binding”.

 

Aharon

 

From: <[hidden email]> on behalf of "Jordan, Bret"
Date: Tuesday, October 6, 2015 at 11:45 AM
To: "[hidden email]", "[hidden email]"
Subject: [cti-stix] MTI Binding

 

We have had a good discussion here and on the wiki and I have seen a lot of people advocating for JSON to be used as the MTI.  While a few other options have been tossed around and discussed they do not seem to have an advocate pushing for them nor do they seem to have the broad support that JSON does.  

 

Therefore, I would like to formally propose that we adopt JSON as the MTI for STIX 2.0 and CybOX 3.0.

 

 

Thanks,

 

Bret

 

 

 

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

 

On Oct 6, 2015, at 06:17, Davidson II, Mark S <[hidden email]> wrote:

 

I think we’re wrapped around the axle a little bit on this whole topic. I’d like to try and step back and ask some basic questions:

 

1. Is anyone actually proposing JSON-LD as the MTI for STIX? I’ve seen the question asked, and I’ve seen lots of discussion. Is there somebody who would like to come forward and state their opinion that JSON-LD should be the MTI for STIX?

Note: I see this question as a higher bar than asking who thinks we should consider it – IMO the recent discussion makes it clear that we are considering it


2. There was an opinion that the proposed examples (the indicator and incident idioms) wouldn’t be sufficient for comparing size and complexity. What examples would be sufficient?


3. What toolchain is required to develop software that supports using a model without any custom code? Maybe I’m missing something, but if I have a product and I want to add STIX support, won’t developers have to write code? 

I guess at its core – I hear what people are saying about models and not programming to the data syntax, I just don’t understand how that actually works (the more concrete the example the better, at least for me).

 

Thank you.

-Mark

 

 

 


This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer. If you are not the intended recipient, please delete this message.

[cti-users] Re: [cti-stix] [cti-users] Model / Binding Motions

Jordan, Bret
We have most of this on the wiki today.  


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Oct 6, 2015, at 12:15, Barnum, Sean D. <[hidden email]> wrote:

I do not believe that we are at all ready to be making any decisions on MTI or even really on default bindings yet.

Before such decisions can be made we first need four things:
  • Understanding and consensus on the requirements and evaluation criteria that should be used to select an MTI or default binding
  • Identification and understanding of potential binding options and their capabilities and limitations
  • Understanding of how each potential binding option meets or does not meet the consensus requirements and evaluation criteria
  • Understanding of member opinions and preferences

We simply do not have any of these things yet. Ongoing discussions on the list demonstrate that clearly, I believe.
Even if we had all of the above worked out for our current knowledge, we still would not necessarily have enough to make a decision today as many of the issues and proposals for STIX 2.0 changes have the likelihood of affecting the consensus requirements and evaluation criteria for an MTI. 
Any decisions made on incomplete information are likely to be poor ones.

I would propose that attempting to cut short discussions aimed at addressing the above needs would be premature at this time.

sean

From: <[hidden email]> on behalf of "Foley, Alexander - GIS"
Date: Tuesday, October 6, 2015 at 2:05 PM
To: "[hidden email]", "[hidden email]"
Subject: [cti-users] Model / Binding Motions

By my count:
 
1. We have Bret’s motion that we require a default binding for STIX and CybOX and it requires a second.
   a. If this motion succeeds, we have Bret’s motion that JSON be chosen as the default binding for STIX and CybOX and it requires a second.
      i. Kevin Wetzel, I apologize but I do not see you as a member of the cti committee… please follow up with myself, Rich, Chet or OASIS if that’s an incorrect assumption
   b. We also have an (alternate?) proposal from Cory that JSON-LD specifically be chosen as our default binding and it requires a second.
 
I must admit this conversation has been very difficult to follow – if I’m missing a key motion that we construct a UML / RDF / OWL model that’s separate from choosing a new preferred binding / data encoding, please feel free to propose or second any motions.
 
Thanks,
 
Alex
 
From: [hidden email] [[hidden email]] On Behalf Of Jordan, Bret
Sent: Tuesday, October 06, 2015 12:49 PM
To: Aharon Chernin
Cc: [hidden email]; [hidden email]
Subject: [cti-users] Re: [cti-stix] MTI Binding
 
Sounds good...
 
I would like to formally make a motion that we require a default binding for STIX 2.0 and CybOX 3.0.  
 
 
If this is agreed upon, then:
 
I would like to formally make a motion that the default binding for STIX 2.0 and CybOX 3.0 be JSON.

 

Thanks,
 
Bret
 
 
 
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 
 
On Oct 6, 2015, at 10:40, Aharon Chernin <[hidden email]> wrote:
 
Bret, I think we need to propose that STIX, CybOX, and TAXII have to require a default binding type first. Then the MTI motion could be changed to something like, “I would like to propose that we adopt JSON as the default binding”.
 
Aharon
 
From: <[hidden email]> on behalf of "Jordan, Bret"
Date: Tuesday, October 6, 2015 at 11:45 AM
To: "[hidden email]", "[hidden email]"
Subject: [cti-stix] MTI Binding
 
We have had a good discussion here and on the wiki and I have seen a lot of people advocating for JSON to be used as the MTI.  While a few other options have been tossed around and discussed they do not seem to have an advocate pushing for them nor do they seem to have the broad support that JSON does.  
 
Therefore, I would like to formally propose that we adopt JSON as the MTI for STIX 2.0 and CybOX 3.0.
 
 
Thanks,
 
Bret
 
 
 
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 
 
On Oct 6, 2015, at 06:17, Davidson II, Mark S <[hidden email]> wrote:
 
I think we’re wrapped around the axle a little bit on this whole topic. I’d like to try and step back and ask some basic questions:
 
1. Is anyone actually proposing JSON-LD as the MTI for STIX? I’ve seen the question asked, and I’ve seen lots of discussion. Is there somebody who would like to come forward and state their opinion that JSON-LD should be the MTI for STIX?
Note: I see this question as a higher bar than asking who thinks we should consider it – IMO the recent discussion makes it clear that we are considering it


2. There was an opinion that the proposed examples (the indicator and incident idioms) wouldn’t be sufficient for comparing size and complexity. What examples would be sufficient?


3. What toolchain is required to develop software that supports using a model without any custom code? Maybe I’m missing something, but if I have a product and I want to add STIX support, won’t developers have to write code? 
I guess at its core – I hear what people are saying about models and not programming to the data syntax, I just don’t understand how that actually works (the more concrete the example the better, at least for me).
 
Thank you.
-Mark
 
 
 


[cti-users] Re: [cti-stix] [cti-users] Model / Binding Motions

Barnum, Sean D.
We have initial starts on parts of this on the wiki representing input from a very limited set of people.
I would assert that we need that information fleshed out more and significantly broader input before we could consider it consensus or complete.

The discussions dominating the list even today demonstrate that we are not there yet.

sean

From: "[hidden email]" on behalf of "Jordan, Bret"
Date: Tuesday, October 6, 2015 at 2:23 PM
To: "Barnum, Sean D."
Cc: "Foley, Alexander - GIS", "[hidden email]", "[hidden email]"
Subject: Re: [cti-stix] [cti-users] Model / Binding Motions

We have most of this on the wiki today.  


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Oct 6, 2015, at 12:15, Barnum, Sean D. <[hidden email]> wrote:

I do not believe that we are at all ready to be making any decisions on MTI or even really on default bindings yet.

Before such decisions can be made we first need four things:
  • Understanding and consensus on the requirements and evaluation criteria that should be used to select an MTI or default binding
  • Identification and understanding of potential binding options and their capabilities and limitations
  • Understanding of how each potential binding option meets or does not meet the consensus requirements and evaluation criteria
  • Understanding of member opinions and preferences

We simply do not have any of these things yet. Ongoing discussions on the list demonstrate that clearly, I believe.
Even if we had all of the above worked out for our current knowledge, we still would not necessarily have enough to make a decision today as many of the issues and proposals for STIX 2.0 changes have the likelihood of affecting the consensus requirements and evaluation criteria for an MTI. 
Any decisions made on incomplete information are likely to be poor ones.

I would propose that attempting to cut short discussions aimed at addressing the above needs would be premature at this time.

sean

From: <[hidden email]> on behalf of "Foley, Alexander - GIS"
Date: Tuesday, October 6, 2015 at 2:05 PM
To: "[hidden email]", "[hidden email]"
Subject: [cti-users] Model / Binding Motions

By my count:
 
1. We have Bret’s motion that we require a default binding for STIX and CybOX and it requires a second.
   a. If this motion succeeds, we have Bret’s motion that JSON be chosen as the default binding for STIX and CybOX and it requires a second.
      i. Kevin Wetzel, I apologize but I do not see you as a member of the cti committee… please follow up with myself, Rich, Chet or OASIS if that’s an incorrect assumption
   b. We also have an (alternate?) proposal from Cory that JSON-LD specifically be chosen as our default binding and it requires a second.
 
I must admit this conversation has been very difficult to follow – if I’m missing a key motion that we construct a UML / RDF / OWL model that’s separate from choosing a new preferred binding / data encoding, please feel free to propose or second any motions.
 
Thanks,
 
Alex
 
From: [hidden email] [[hidden email]] On Behalf Of Jordan, Bret
Sent: Tuesday, October 06, 2015 12:49 PM
To: Aharon Chernin
Cc: [hidden email]; [hidden email]
Subject: [cti-users] Re: [cti-stix] MTI Binding
 
Sounds good...
 
I would like to formally make a motion that we require a default binding for STIX 2.0 and CybOX 3.0.  
 
 
If this is agreed upon, then:
 
I would like to formally make a motion that the default binding for STIX 2.0 and CybOX 3.0 be JSON.

 

Thanks,
 
Bret
 
 
 
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 
 
On Oct 6, 2015, at 10:40, Aharon Chernin <[hidden email]> wrote:
 
Bret, I think we need to propose that STIX, CybOX, and TAXII have to require a default binding type first. Then the MTI motion could be changed to something like, “I would like to propose that we adopt JSON as the default binding”.
 
Aharon
 
From: <[hidden email]> on behalf of "Jordan, Bret"
Date: Tuesday, October 6, 2015 at 11:45 AM
To: "[hidden email]", "[hidden email]"
Subject: [cti-stix] MTI Binding
 
We have had a good discussion here and on the wiki and I have seen a lot of people advocating for JSON to be used as the MTI.  While a few other options have been tossed around and discussed they do not seem to have an advocate pushing for them nor do they seem to have the broad support that JSON does.  
 
Therefore, I would like to formally propose that we adopt JSON as the MTI for STIX 2.0 and CybOX 3.0.
 
 
Thanks,
 
Bret
 
 
 
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 
 
On Oct 6, 2015, at 06:17, Davidson II, Mark S <[hidden email]> wrote:
 
I think we’re wrapped around the axle a little bit on this whole topic. I’d like to try and step back and ask some basic questions:
 
1. Is anyone actually proposing JSON-LD as the MTI for STIX? I’ve seen the question asked, and I’ve seen lots of discussion. Is there somebody who would like to come forward and state their opinion that JSON-LD should be the MTI for STIX?
Note: I see this question as a higher bar than asking who thinks we should consider it – IMO the recent discussion makes it clear that we are considering it


2. There was an opinion that the proposed examples (the indicator and incident idioms) wouldn’t be sufficient for comparing size and complexity. What examples would be sufficient?


3. What toolchain is required to develop software that supports using a model without any custom code? Maybe I’m missing something, but if I have a product and I want to add STIX support, won’t developers have to write code? 
I guess at its core – I hear what people are saying about models and not programming to the data syntax, I just don’t understand how that actually works (the more concrete the example the better, at least for me).
 
Thank you.
-Mark
 
 
 


Re: [cti-users] Model / Binding Motions

Terry MacDonald-2
In reply to this post by Barnum, Sean D.

I agree that it seems quite premature at this point to make an MTI decision. I would prefer we continue to discuss the options we have at present. I personally do not know enough about JSON-LD and the limitations of it to be able to make an informed decision. I'm sure a lot of the other SC members feel the same.

We need to tease out more information from both sides to be able to effectively come to a group consensus.

Cheers
Terry MacDonald

On 7/10/2015 5:15 am, "Barnum, Sean D." <[hidden email]> wrote:
I do not believe that we are at all ready to be making any decisions on MTI or even really on default bindings yet.

Before such decisions can be made we first need four things:
  • Understanding and consensus on the requirements and evaluation criteria that should be used to select an MTI or default binding
  • Identification and understanding of potential binding options and their capabilities and limitations
  • Understanding of how each potential binding option meets or does not meet the consensus requirements and evaluation criteria
  • Understanding of member opinions and preferences

We simply do not have any of these things yet. Ongoing discussions on the list demonstrate that clearly, I believe.
Even if we had all of the above worked out for our current knowledge, we still would not necessarily have enough to make a decision today as many of the issues and proposals for STIX 2.0 changes have the likelihood of affecting the consensus requirements and evaluation criteria for an MTI. 
Any decisions made on incomplete information are likely to be poor ones.

I would propose that attempting to cut short discussions aimed at addressing the above needs would be premature at this time.

sean

From: <[hidden email]> on behalf of "Foley, Alexander - GIS"
Date: Tuesday, October 6, 2015 at 2:05 PM
To: "[hidden email]", "[hidden email]"
Subject: [cti-users] Model / Binding Motions

By my count:

 

1. We have Bret’s motion that we require a default binding for STIX and CybOX and it requires a second.
   a. If this motion succeeds, we have Bret’s motion that JSON be chosen as the default binding for STIX and CybOX and it requires a second.
      i. Kevin Wetzel, I apologize but I do not see you as a member of the cti committee… please follow up with myself, Rich, Chet or OASIS if that’s an incorrect assumption
   b. We also have an (alternate?) proposal from Cory that JSON-LD specifically be chosen as our default binding and it requires a second.

 

I must admit this conversation has been very difficult to follow – if I’m missing a key motion that we construct a UML / RDF / OWL model that’s separate from choosing a new preferred binding / data encoding, please feel free to propose or second any motions.

 

Thanks,

 

Alex

 

From: [hidden email] [[hidden email]] On Behalf Of Jordan, Bret
Sent: Tuesday, October 06, 2015 12:49 PM
To: Aharon Chernin
Cc: [hidden email]; [hidden email]
Subject: [cti-users] Re: [cti-stix] MTI Binding

 

Sounds good...

 

I would like to formally make a motion that we require a default binding for STIX 2.0 and CybOX 3.0.  

 

 

If this is agreed upon, then:

 

I would like to formally make a motion that the default binding for STIX 2.0 and CybOX 3.0 be JSON.

 

Thanks,

 

Bret

 

 

 

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

 

On Oct 6, 2015, at 10:40, Aharon Chernin <[hidden email]> wrote:

 

Bret, I think we need to propose that STIX, CybOX, and TAXII have to require a default binding type first. Then the MTI motion could be changed to something like, “I would like to propose that we adopt JSON as the default binding”.

 

Aharon

 

From: <[hidden email]> on behalf of "Jordan, Bret"
Date: Tuesday, October 6, 2015 at 11:45 AM
To: "[hidden email]", "[hidden email]"
Subject: [cti-stix] MTI Binding

 

We have had a good discussion here and on the wiki and I have seen a lot of people advocating for JSON to be used as the MTI.  While a few other options have been tossed around and discussed they do not seem to have an advocate pushing for them nor do they seem to have the broad support that JSON does.  

 

Therefore, I would like to formally propose that we adopt JSON as the MTI for STIX 2.0 and CybOX 3.0.

 

 

Thanks,

 

Bret

 

 

 

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

 

On Oct 6, 2015, at 06:17, Davidson II, Mark S <[hidden email]> wrote:

 

I think we’re wrapped around the axle a little bit on this whole topic. I’d like to try and step back and ask some basic questions:

 

1. Is anyone actually proposing JSON-LD as the MTI for STIX? I’ve seen the question asked, and I’ve seen lots of discussion. Is there somebody who would like to come forward and state their opinion that JSON-LD should be the MTI for STIX?

Note: I see this question as a higher bar than asking who thinks we should consider it – IMO the recent discussion makes it clear that we are considering it


2. There was an opinion that the proposed examples (the indicator and incident idioms) wouldn’t be sufficient for comparing size and complexity. What examples would be sufficient?


3. What toolchain is required to develop software that supports using a model without any custom code? Maybe I’m missing something, but if I have a product and I want to add STIX support, won’t developers have to write code? 

I guess at its core – I hear what people are saying about models and not programming to the data syntax, I just don’t understand how that actually works (the more concrete the example the better, at least for me).

 

Thank you.

-Mark

 

 

 



[cti-users] RE: Model / Binding Motions

Bush, Jonathan
In reply to this post by Foley, Alexander - GIS

Personally, I am not prepared to vote for any binding, be it JSON, XML, JSON-LD, CSV, etc… until we see all of the requirements (use cases) we are trying to satisfy.  That is like trying to select your software stack before you know what you are trying to build.  What if a use-case comes up that whatever binding we choose won’t satisfy (or satisfy easily)?  Then do we go back and take a mulligan?

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Foley, Alexander - GIS
Sent: Tuesday, October 06, 2015 2:05 PM
To: [hidden email]; [hidden email]
Subject: [cti-users] Model / Binding Motions

 

By my count:

 

1. We have Bret’s motion that we require a default binding for STIX and CybOX and it requires a second.
   a. If this motion succeeds, we have Bret’s motion that JSON be chosen as the default binding for STIX and CybOX and it requires a second.
      i. Kevin Wetzel, I apologize but I do not see you as a member of the cti committee… please follow up with myself, Rich, Chet or OASIS if that’s an incorrect assumption
   b. We also have an (alternate?) proposal from Cory that JSON-LD specifically be chosen as our default binding and it requires a second.

 

I must admit this conversation has been very difficult to follow – if I’m missing a key motion that we construct a UML / RDF / OWL model that’s separate from choosing a new preferred binding / data encoding, please feel free to propose or second any motions.

 

Thanks,

 

Alex

 

From: [hidden email] [[hidden email]] On Behalf Of Jordan, Bret
Sent: Tuesday, October 06, 2015 12:49 PM
To: Aharon Chernin
Cc: [hidden email]; [hidden email]
Subject: [cti-users] Re: [cti-stix] MTI Binding

 

Sounds good...

 

I would like to formally make a motion that we require a default binding for STIX 2.0 and CybOX 3.0.  

 

 

If this is agreed upon, then:

 

I would like to formally make a motion that the default binding for STIX 2.0 and CybOX 3.0 be JSON.

 

Thanks,

 

Bret

 

 

 

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

 

On Oct 6, 2015, at 10:40, Aharon Chernin <[hidden email]> wrote:

 

Bret, I think we need to propose that STIX, CybOX, and TAXII have to require a default binding type first. Then the MTI motion could be changed to something like, “I would like to propose that we adopt JSON as the default binding”.

 

Aharon

 

From: <[hidden email]> on behalf of "Jordan, Bret"
Date: Tuesday, October 6, 2015 at 11:45 AM
To: "[hidden email]", "[hidden email]"
Subject: [cti-stix] MTI Binding

 

We have had a good discussion here and on the wiki and I have seen a lot of people advocating for JSON to be used as the MTI.  While a few other options have been tossed around and discussed they do not seem to have an advocate pushing for them nor do they seem to have the broad support that JSON does.  

 

Therefore, I would like to formally propose that we adopt JSON as the MTI for STIX 2.0 and CybOX 3.0.

 

 

Thanks,

 

Bret

 

 

 

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

 

On Oct 6, 2015, at 06:17, Davidson II, Mark S <[hidden email]> wrote:

 

I think we’re wrapped around the axle a little bit on this whole topic. I’d like to try and step back and ask some basic questions:

 

1. Is anyone actually proposing JSON-LD as the MTI for STIX? I’ve seen the question asked, and I’ve seen lots of discussion. Is there somebody who would like to come forward and state their opinion that JSON-LD should be the MTI for STIX?

Note: I see this question as a higher bar than asking who thinks we should consider it – IMO the recent discussion makes it clear that we are considering it

2. There was an opinion that the proposed examples (the indicator and incident idioms) wouldn’t be sufficient for comparing size and complexity. What examples would be sufficient?

3. What toolchain is required to develop software that supports using a model without any custom code? Maybe I’m missing something, but if I have a product and I want to add STIX support, won’t developers have to write code? 

I guess at its core – I hear what people are saying about models and not programming to the data syntax, I just don’t understand how that actually works (the more concrete the example the better, at least for me).

 

Thank you.

-Mark

 

 

 




DTCC DISCLAIMER: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify us immediately and delete the email and any attachments from your system. The recipient should check this email and any attachments for the presence of viruses.  The company accepts no liability for any damage caused by any virus transmitted by this email.

Re: [cti-users] Model / Binding Motions

Paul Patrick
In reply to this post by Terry MacDonald-2
+1 on Sean and Terry's comments

Sent from my iPhone

On Oct 6, 2015, at 4:53 PM, Terry MacDonald <[hidden email]> wrote:

I agree that it seems quite premature at this point to make an MTI decision. I would prefer we continue to discuss the options we have at present. I personally do not know enough about JSON-LD and the limitations of it to be able to make an informed decision. I'm sure a lot of the other SC members feel the same.

We need to tease out more information from both sides to be able to effectively come to a group consensus.

Cheers
Terry MacDonald

On 7/10/2015 5:15 am, "Barnum, Sean D." <[hidden email]> wrote:
I do not believe that we are at all ready to be making any decisions on MTI or even really on default bindings yet.

Before such decisions can be made we first need four things:
  • Understanding and consensus on the requirements and evaluation criteria that should be used to select an MTI or default binding
  • Identification and understanding of potential binding options and their capabilities and limitations
  • Understanding of how each potential binding option meets or does not meet the consensus requirements and evaluation criteria
  • Understanding of member opinions and preferences

We simply do not have any of these things yet. Ongoing discussions on the list demonstrate that clearly, I believe.
Even if we had all of the above worked out for our current knowledge, we still would not necessarily have enough to make a decision today as many of the issues and proposals for STIX 2.0 changes have the likelihood of affecting the consensus requirements and evaluation criteria for an MTI. 
Any decisions made on incomplete information are likely to be poor ones.

I would propose that attempting to cut short discussions aimed at addressing the above needs would be premature at this time.

sean

From: <[hidden email]> on behalf of "Foley, Alexander - GIS"
Date: Tuesday, October 6, 2015 at 2:05 PM
To: "[hidden email]", "[hidden email]"
Subject: [cti-users] Model / Binding Motions

By my count:

 

1. We have Bret’s motion that we require a default binding for STIX and CybOX and it requires a second.
   a. If this motion succeeds, we have Bret’s motion that JSON be chosen as the default binding for STIX and CybOX and it requires a second.
      i. Kevin Wetzel, I apologize but I do not see you as a member of the cti committee… please follow up with myself, Rich, Chet or OASIS if that’s an incorrect assumption
   b. We also have an (alternate?) proposal from Cory that JSON-LD specifically be chosen as our default binding and it requires a second.

 

I must admit this conversation has been very difficult to follow – if I’m missing a key motion that we construct a UML / RDF / OWL model that’s separate from choosing a new preferred binding / data encoding, please feel free to propose or second any motions.

 

Thanks,

 

Alex

 

From: [hidden email] [[hidden email]] On Behalf Of Jordan, Bret
Sent: Tuesday, October 06, 2015 12:49 PM
To: Aharon Chernin
Cc: [hidden email]; [hidden email]
Subject: [cti-users] Re: [cti-stix] MTI Binding

 

Sounds good...

 

I would like to formally make a motion that we require a default binding for STIX 2.0 and CybOX 3.0.  

 

 

If this is agreed upon, then:

 

I would like to formally make a motion that the default binding for STIX 2.0 and CybOX 3.0 be JSON.

 

Thanks,

 

Bret

 

 

 

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

 

On Oct 6, 2015, at 10:40, Aharon Chernin <[hidden email]> wrote:

 

Bret, I think we need to propose that STIX, CybOX, and TAXII have to require a default binding type first. Then the MTI motion could be changed to something like, “I would like to propose that we adopt JSON as the default binding”.

 

Aharon

 

From: <[hidden email]> on behalf of "Jordan, Bret"
Date: Tuesday, October 6, 2015 at 11:45 AM
To: "[hidden email]", "[hidden email]"
Subject: [cti-stix] MTI Binding

 

We have had a good discussion here and on the wiki and I have seen a lot of people advocating for JSON to be used as the MTI.  While a few other options have been tossed around and discussed they do not seem to have an advocate pushing for them nor do they seem to have the broad support that JSON does.  

 

Therefore, I would like to formally propose that we adopt JSON as the MTI for STIX 2.0 and CybOX 3.0.

 

 

Thanks,

 

Bret

 

 

 

On Oct 6, 2015, at 06:17, Davidson II, Mark S <[hidden email]> wrote:

I think we’re wrapped around the axle a little bit on this whole topic. I’d like to try and step back and ask some basic questions:

1. Is anyone actually proposing JSON-LD as the MTI for STIX? I’ve seen the question asked, and I’ve seen lots of discussion. Is there somebody who would like to come forward and state their opinion that JSON-LD should be the MTI for STIX?

Note: I see this question as a higher bar than asking who thinks we should consider it – IMO the recent discussion makes it clear that we are considering it

2. There was an opinion that the proposed examples (the indicator and incident idioms) wouldn’t be sufficient for comparing size and complexity. What examples would be sufficient?

3. What toolchain is required to develop software that supports using a model without any custom code? Maybe I’m missing something, but if I have a product and I want to add STIX support, won’t developers have to write code?

I guess at its core – I hear what people are saying about models and not programming to the data syntax, I just don’t understand how that actually works (the more concrete the example the better, at least for me).

Thank you.

-Mark


[cti-users] Re: [cti-stix] Re: [cti-users] Model / Binding Motions

JA
In reply to this post by Barnum, Sean D.
I would like to state Interoperability as a requirement.


2015-10-06 21:15 GMT+03:00 Barnum, Sean D. <[hidden email]>:

> I do not believe that we are at all ready to be making any decisions on MTI
> or even really on default bindings yet.
>
> Before such decisions can be made we first need four things:
>
> 1. Understanding and consensus on the requirements and evaluation criteria
>    that should be used to select an MTI or default binding
> 2. Identification and understanding of potential binding options and their
>    capabilities and limitations
> 3. Understanding of how each potential binding option meets or does not meet
>    the consensus requirements and evaluation criteria
> 4. Understanding of member opinions and preferences
>
>
> We simply do not have any of these things yet. Ongoing discussions on the
> list demonstrate that clearly, I believe.
> Even if we had all of the above worked out for our current knowledge, we
> still would not necessarily have enough to make a decision today as many of
> the issues and proposals for STIX 2.0 changes have the likelihood of
> affecting the consensus requirements and evaluation criteria for an MTI.
> Any decisions made on incomplete information are likely to be poor ones.
>
> I would propose that attempting to cut short discussions aimed at addressing
> the above needs would be premature at this time.
>
> sean
>
> From: <[hidden email]> on behalf of "Foley, Alexander - GIS"
> Date: Tuesday, October 6, 2015 at 2:05 PM
> To: "[hidden email]", "[hidden email]"
> Subject: [cti-users] Model / Binding Motions
>
> By my count:
>
> 1. We have Bret’s motion that we require a default binding for STIX and
>    CybOX and it requires a second.
>    a. If this motion succeeds, we have Bret’s motion that JSON be chosen
>       as the default binding for STIX and CybOX and it requires a second.
>       i. Kevin Wetzel, I apologize but I do not see you as a member of the
>          cti committee… please follow up with myself, Rich, Chet or OASIS
>          if that’s an incorrect assumption
>    b. We also have an (alternate?) proposal from Cory that JSON-LD
>       specifically be chosen as our default binding and it requires a second.
>
> I must admit this conversation has been very difficult to follow – if I’m
> missing a key motion that we construct a UML / RDF / OWL model that’s
> separate from choosing a new preferred binding / data encoding, please feel
> free to propose or second any motions.
>
> Thanks,
>
> Alex

This publicly archived list provides a forum for asking questions,
offering answers, and discussing topics of interest on STIX,
TAXII, and CybOX.  Users and developers of solutions that leverage
STIX, TAXII and CybOX are invited to participate.

In order to verify user consent to OASIS mailing list guidelines
and to minimize spam in the list archive, subscription is required
before posting.

Subscribe: [hidden email]
Unsubscribe: [hidden email]
Post: [hidden email]
List help: [hidden email]
List archive: http://lists.oasis-open.org/archives/cti-users/
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
CTI Technical Committee: https://www.oasis-open.org/committees/cti/
Join OASIS: http://www.oasis-open.org/join/
