OASIS Cyber Threat Intelligence (CTI) TC

All,
 
One of the other topics we talked about on the working call today was the normative text around Bundle.
 
In RC3, the text (Part 1, Section 5) stated:
“A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. A Bundle does not have any semantic meaning and objects in the same Bundle are not necessarily related. Objects
MUST NOT be considered related by virtue of being in the same Bundle.”
 
The suggestion from Allan is to modify that text to say:
“A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. The objects in the same Bundle are not necessarily related. Objects
SHOULD NOT be considered related by virtue of being in the same Bundle.”
 
Allan can elaborate but his thinking was that:
-          
In the second sentence, the clause “A bundle does not have any semantic meaning” is itself meaningless and doesn’t help people understand bundles.
-          
In the last sentence, the normative statement is inherently untestable and therefore shouldn’t be a MUST
 
The counterpoints that I heard to changing it were:
-          
We need to be as clear as possible, because people have gotten it wrong before.
-          
Other normative statements aren’t testable, but it can still be worthwhile to put them in.
 
The other suggestion was that rather than changing it to a should, the text could just say “Objects are not considered related by virtue of being in the same bundle.” That removes the untestable normative
statement and makes it part of the definition of bundle.
 
Before trying to drive this to consensus, let’s just get some thoughts on the best text to use. Most importantly, do you think there should be a normative MUST?
 
Also, I know we as a community went around for a bit on bundle, but the encouraging thing at this point is that we all fundamentally agree that bundles don’t have meaning. We’re just trying to find the best
way to phrase it. So that’s good!
 
John
 
Link:
https://docs.google.com/document/d/1IcA5KhglNdyX3tO17bBluC5nqSf70M5qgK9nuAoYJgw/edit#heading=h.rvtdrdkf1jdv
 

In general, based on STIX 1.x history, I would like us to try and be and clear as possible, and I have no issue with normative statements that can not be tested in code.  Not all of STIX can be reduced to a unit-test. We took a very aggressive stance on defining a Bundle in the past, based on the issues of the old STIX Package.  Lets be really careful about reducing the formality and strictness of the language less we end up back with a STIX Package.  Bret From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Wunder, John A. <jwunder@mitre.org> Sent: Tuesday, November 15, 2016 10:41:14 AM To: cti@lists.oasis-open.org Subject: [cti] Text around bundle   All,   One of the other topics we talked about on the working call today was the normative text around Bundle.   In RC3, the text (Part 1, Section 5) stated: “A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. A Bundle does not have any semantic meaning and objects in the same Bundle are not necessarily related. Objects MUST NOT be considered related by virtue of being in the same Bundle.”   The suggestion from Allan is to modify that text to say: “A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. The objects in the same Bundle are not necessarily related. Objects SHOULD NOT be considered related by virtue of being in the same Bundle.”   Allan can elaborate but his thinking was that: -           In the second sentence, the clause “A bundle does not have any semantic meaning” is itself meaningless and doesn’t help people understand bundles. -           In the last sentence, the normative statement is inherently untestable and therefore shouldn’t be a MUST   The counterpoints that I heard to changing it were: -           We need to be as clear as possible, because people have gotten it wrong before. -           Other normative statements aren’t testable, but it can still be worthwhile to put them in.   The other suggestion was that rather than changing it to a should, the text could just say “Objects are not considered related by virtue of being in the same bundle.” That removes the untestable normative statement and makes it part of the definition of bundle.   Before trying to drive this to consensus, let’s just get some thoughts on the best text to use. Most importantly, do you think there should be a normative MUST?   Also, I know we as a community went around for a bit on bundle, but the encouraging thing at this point is that we all fundamentally agree that bundles don’t have meaning. We’re just trying to find the best way to phrase it. So that’s good!   John   Link: https://docs.google.com/document/d/1IcA5KhglNdyX3tO17bBluC5nqSf70M5qgK9nuAoYJgw/edit#heading=h.rvtdrdkf1jdv  

I think Allan's points are good.  Can we add language in the Bundle descriptions that shows how one would make the assertion that objects in a bundle ARE related? On Tuesday, November 15, 2016, Wunder, John A. < jwunder@mitre.org > wrote: All,   One of the other topics we talked about on the working call today was the normative text around Bundle.   In RC3, the text (Part 1, Section 5) stated: “A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. A Bundle does not have any semantic meaning and objects in the same Bundle are not necessarily related. Objects MUST NOT be considered related by virtue of being in the same Bundle.”   The suggestion from Allan is to modify that text to say: “A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. The objects in the same Bundle are not necessarily related. Objects SHOULD NOT be considered related by virtue of being in the same Bundle.”   Allan can elaborate but his thinking was that: -           In the second sentence, the clause “A bundle does not have any semantic meaning” is itself meaningless and doesn’t help people understand bundles. -           In the last sentence, the normative statement is inherently untestable and therefore shouldn’t be a MUST   The counterpoints that I heard to changing it were: -           We need to be as clear as possible, because people have gotten it wrong before. -           Other normative statements aren’t testable, but it can still be worthwhile to put them in.   The other suggestion was that rather than changing it to a should, the text could just say “Objects are not considered related by virtue of being in the same bundle.” That removes the untestable normative statement and makes it part of the definition of bundle.   Before trying to drive this to consensus, let’s just get some thoughts on the best text to use. Most importantly, do you think there should be a normative MUST?   Also, I know we as a community went around for a bit on bundle, but the encouraging thing at this point is that we all fundamentally agree that bundles don’t have meaning. We’re just trying to find the best way to phrase it. So that’s good!   John   Link: https://docs.google.com/ document/d/ 1IcA5KhglNdyX3tO17bBluC5nqSf70 M5qgK9nuAoYJgw/edit#heading=h. rvtdrdkf1jdv  

Hm, we could add a sentence like: “Producers who wish to indicate that objects are related should use SROs and the Report object to do so.”
 

From:
<cti@lists.oasis-open.org> on behalf of Patrick Maroney <oasis.individual@gmail.com>
Date: Tuesday, November 15, 2016 at 1:41 PM
To: John Wunder <jwunder@mitre.org>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

I think Allan's points are good.  Can we add language in the Bundle descriptions that shows how one would make the assertion that objects in a bundle ARE related?

On Tuesday, November 15, 2016, Wunder, John A. < jwunder@mitre.org > wrote:



All,
 
One of the other topics we talked about on the working call today was the normative text around Bundle.
 
In RC3, the text (Part 1, Section 5) stated:
“A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. A Bundle does not have any semantic meaning and objects
in the same Bundle are not necessarily related. Objects MUST NOT be considered related by virtue of being in the same Bundle.”
 
The suggestion from Allan is to modify that text to say:
“A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. The objects in the same Bundle are not necessarily
related. Objects SHOULD NOT be considered related by virtue of being in the same Bundle.”
 
Allan can elaborate but his thinking was that:
-          
In the second sentence, the clause “A bundle does not have any semantic meaning” is itself meaningless and doesn’t help people understand bundles.
-          
In the last sentence, the normative statement is inherently untestable and therefore shouldn’t be a MUST
 
The counterpoints that I heard to changing it were:
-          
We need to be as clear as possible, because people have gotten it wrong before.
-          
Other normative statements aren’t testable, but it can still be worthwhile to put them in.
 
The other suggestion was that rather than changing it to a should, the text could just say “Objects are not considered related by virtue of being
in the same bundle.” That removes the untestable normative statement and makes it part of the definition of bundle.
 
Before trying to drive this to consensus, let’s just get some thoughts on the best text to use. Most importantly, do you think there should be a normative
MUST?
 
Also, I know we as a community went around for a bit on bundle, but the encouraging thing at this point is that we all fundamentally agree that bundles
don’t have meaning. We’re just trying to find the best way to phrase it. So that’s good!
 
John
 
Link:

https://docs.google.com/document/d/1IcA5KhglNdyX3tO17bBluC5nqSf70M5qgK9nuAoYJgw/edit#heading=h.rvtdrdkf1jdv
 

Here is some proposed text which use ideas from all suggestions:
 
A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects contained with a Bundle
SHOULD NOT be assumed to be related solely by virtue of being in the same Bundle.
Producers who wish to indicate that objects are related are encouraged to use SROs within the Bundle or the Report object to do so.
 

From:
<cti@lists.oasis-open.org> on behalf of John Wunder <jwunder@mitre.org>
Date: Tuesday, November 15, 2016 at 1:52 PM
To: Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

Hm, we could add a sentence like: “Producers who wish to indicate that objects are related should use SROs and the Report object to do so.”
 

From:
<cti@lists.oasis-open.org> on behalf of Patrick Maroney <oasis.individual@gmail.com>
Date: Tuesday, November 15, 2016 at 1:41 PM
To: John Wunder <jwunder@mitre.org>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

I think Allan's points are good.  Can we add language in the Bundle descriptions that shows how one would make the assertion that objects in a bundle ARE related?

On Tuesday, November 15, 2016, Wunder, John A. < jwunder@mitre.org > wrote:



All,
 
One of the other topics we talked about on the working call today was the normative text around Bundle.
 
In RC3, the text (Part 1, Section 5) stated:
“A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. A Bundle does not have any semantic meaning and objects
in the same Bundle are not necessarily related. Objects MUST NOT be considered related by virtue of being in the same Bundle.”
 
The suggestion from Allan is to modify that text to say:
“A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. The objects in the same Bundle are not necessarily
related. Objects SHOULD NOT be considered related by virtue of being in the same Bundle.”
 
Allan can elaborate but his thinking was that:
-          
In the second sentence, the clause “A bundle does not have any semantic meaning” is itself meaningless and doesn’t help people understand bundles.
-          
In the last sentence, the normative statement is inherently untestable and therefore shouldn’t be a MUST
 
The counterpoints that I heard to changing it were:
-          
We need to be as clear as possible, because people have gotten it wrong before.
-          
Other normative statements aren’t testable, but it can still be worthwhile to put them in.
 
The other suggestion was that rather than changing it to a should, the text could just say “Objects are not considered related by virtue of being
in the same bundle.” That removes the untestable normative statement and makes it part of the definition of bundle.
 
Before trying to drive this to consensus, let’s just get some thoughts on the best text to use. Most importantly, do you think there should be a normative
MUST?
 
Also, I know we as a community went around for a bit on bundle, but the encouraging thing at this point is that we all fundamentally agree that bundles
don’t have meaning. We’re just trying to find the best way to phrase it. So that’s good!
 
John
 
Link:

https://docs.google.com/document/d/1IcA5KhglNdyX3tO17bBluC5nqSf70M5qgK9nuAoYJgw/edit#heading=h.rvtdrdkf1jdv
 

A bundle can contain a report and all of the objects that make up a report.  So lets be careful with that last sentence.  Bret From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Piazza, Rich <rpiazza@mitre.org> Sent: Tuesday, November 15, 2016 12:16:57 PM To: Wunder, John A.; Patrick Maroney Cc: cti@lists.oasis-open.org Subject: Re: [cti] Text around bundle   Here is some proposed text which use ideas from all suggestions:   A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects contained with a Bundle SHOULD NOT be assumed to be related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related are encouraged to use SROs within the Bundle or the Report object to do so.   From: <cti@lists.oasis-open.org> on behalf of John Wunder <jwunder@mitre.org> Date: Tuesday, November 15, 2016 at 1:52 PM To: Patrick Maroney <oasis.individual@gmail.com> Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> Subject: Re: [cti] Text around bundle   Hm, we could add a sentence like: “Producers who wish to indicate that objects are related should use SROs and the Report object to do so.”   From: <cti@lists.oasis-open.org> on behalf of Patrick Maroney <oasis.individual@gmail.com> Date: Tuesday, November 15, 2016 at 1:41 PM To: John Wunder <jwunder@mitre.org> Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> Subject: Re: [cti] Text around bundle   I think Allan's points are good.  Can we add language in the Bundle descriptions that shows how one would make the assertion that objects in a bundle ARE related? On Tuesday, November 15, 2016, Wunder, John A. < jwunder@mitre.org > wrote: All,   One of the other topics we talked about on the working call today was the normative text around Bundle.   In RC3, the text (Part 1, Section 5) stated: “A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. A Bundle does not have any semantic meaning and objects in the same Bundle are not necessarily related. Objects MUST NOT be considered related by virtue of being in the same Bundle.”   The suggestion from Allan is to modify that text to say: “A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. The objects in the same Bundle are not necessarily related. Objects SHOULD NOT be considered related by virtue of being in the same Bundle.”   Allan can elaborate but his thinking was that: -           In the second sentence, the clause “A bundle does not have any semantic meaning” is itself meaningless and doesn’t help people understand bundles. -           In the last sentence, the normative statement is inherently untestable and therefore shouldn’t be a MUST   The counterpoints that I heard to changing it were: -           We need to be as clear as possible, because people have gotten it wrong before. -           Other normative statements aren’t testable, but it can still be worthwhile to put them in.   The other suggestion was that rather than changing it to a should, the text could just say “Objects are not considered related by virtue of being in the same bundle.” That removes the untestable normative statement and makes it part of the definition of bundle.   Before trying to drive this to consensus, let’s just get some thoughts on the best text to use. Most importantly, do you think there should be a normative MUST?   Also, I know we as a community went around for a bit on bundle, but the encouraging thing at this point is that we all fundamentally agree that bundles don’t have meaning. We’re just trying to find the best way to phrase it. So that’s good!   John   Link: https://docs.google.com/document/d/1IcA5KhglNdyX3tO17bBluC5nqSf70M5qgK9nuAoYJgw/edit#heading=h.rvtdrdkf1jdv  

Good point:
 
A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects contained with a Bundle
SHOULD NOT be assumed to be related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related are encouraged to use SROs or the Report object within the Bundle to do so.
 
 
 

From:
"Bret Jordan (CS)" <Bret_Jordan@symantec.com>
Date: Tuesday, November 15, 2016 at 2:20 PM
To: Rich Piazza <rpiazza@mitre.org>, John Wunder <jwunder@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 


A bundle can contain a report and all of the objects that make up a report.  So lets be careful with that last sentence. 
 
Bret
 





From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Piazza, Rich <rpiazza@mitre.org>
Sent: Tuesday, November 15, 2016 12:16:57 PM
To: Wunder, John A.; Patrick Maroney
Cc: cti@lists.oasis-open.org
Subject: Re: [cti] Text around bundle

 



Here is some proposed text which use ideas from all suggestions:
 
 

From:
<cti@lists.oasis-open.org> on behalf of John Wunder <jwunder@mitre.org>
Date: Tuesday, November 15, 2016 at 1:52 PM
To: Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

Hm, we could add a sentence like: “Producers who wish to indicate that objects are related should use SROs and the Report object to do so.”
 

From:
<cti@lists.oasis-open.org> on behalf of Patrick Maroney <oasis.individual@gmail.com>
Date: Tuesday, November 15, 2016 at 1:41 PM
To: John Wunder <jwunder@mitre.org>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

I think Allan's points are good.  Can we add language in the Bundle descriptions that shows how one would make the assertion that objects in a bundle ARE related?

On Tuesday, November 15, 2016, Wunder, John A. < jwunder@mitre.org > wrote:



All,
 
One of the other topics we talked about on the working call today was the normative text around Bundle.
 
In RC3, the text (Part 1, Section 5) stated:
“A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. A Bundle does not have any semantic meaning and objects
in the same Bundle are not necessarily related. Objects MUST NOT be considered related by virtue of being in the same Bundle.”
 
The suggestion from Allan is to modify that text to say:
“A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. The objects in the same Bundle are not necessarily
related. Objects SHOULD NOT be considered related by virtue of being in the same Bundle.”
 
Allan can elaborate but his thinking was that:
-          
In the second sentence, the clause “A bundle does not have any semantic meaning” is itself meaningless and doesn’t help people understand bundles.
-          
In the last sentence, the normative statement is inherently untestable and therefore shouldn’t be a MUST
 
The counterpoints that I heard to changing it were:
-          
We need to be as clear as possible, because people have gotten it wrong before.
-          
Other normative statements aren’t testable, but it can still be worthwhile to put them in.
 
The other suggestion was that rather than changing it to a should, the text could just say “Objects are not considered related by virtue of being
in the same bundle.” That removes the untestable normative statement and makes it part of the definition of bundle.
 
Before trying to drive this to consensus, let’s just get some thoughts on the best text to use. Most importantly, do you think there should be a normative
MUST?
 
Also, I know we as a community went around for a bit on bundle, but the encouraging thing at this point is that we all fundamentally agree that bundles
don’t have meaning. We’re just trying to find the best way to phrase it. So that’s good!
 
John
 
Link:

https://docs.google.com/document/d/1IcA5KhglNdyX3tO17bBluC5nqSf70M5qgK9nuAoYJgw/edit#heading=h.rvtdrdkf1jdv
 

With some slight changes that would work for me:
 
A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects
in contained with a Bundle SHOULD NOT be assumed to be related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related
should are encouraged to use SROs within the Bundle
or the Report object to do so.
 
Note that the should is intentionally non-normative.
 

From:
Rich Piazza <rpiazza@mitre.org>
Date: Tuesday, November 15, 2016 at 2:16 PM
To: John Wunder <jwunder@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

Here is some proposed text which use ideas from all suggestions:
 
A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects contained with a Bundle
SHOULD NOT be assumed to be related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related are encouraged to use SROs within the Bundle or the Report object to do so.
 

From:
<cti@lists.oasis-open.org> on behalf of John Wunder <jwunder@mitre.org>
Date: Tuesday, November 15, 2016 at 1:52 PM
To: Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

Hm, we could add a sentence like: “Producers who wish to indicate that objects are related should use SROs and the Report object to do so.”
 

From:
<cti@lists.oasis-open.org> on behalf of Patrick Maroney <oasis.individual@gmail.com>
Date: Tuesday, November 15, 2016 at 1:41 PM
To: John Wunder <jwunder@mitre.org>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

I think Allan's points are good.  Can we add language in the Bundle descriptions that shows how one would make the assertion that objects in a bundle ARE related?

On Tuesday, November 15, 2016, Wunder, John A. < jwunder@mitre.org > wrote:



All,
 
One of the other topics we talked about on the working call today was the normative text around Bundle.
 
In RC3, the text (Part 1, Section 5) stated:
“A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. A Bundle does not have any semantic meaning and objects
in the same Bundle are not necessarily related. Objects MUST NOT be considered related by virtue of being in the same Bundle.”
 
The suggestion from Allan is to modify that text to say:
“A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. The objects in the same Bundle are not necessarily
related. Objects SHOULD NOT be considered related by virtue of being in the same Bundle.”
 
Allan can elaborate but his thinking was that:
-          
In the second sentence, the clause “A bundle does not have any semantic meaning” is itself meaningless and doesn’t help people understand bundles.
-          
In the last sentence, the normative statement is inherently untestable and therefore shouldn’t be a MUST
 
The counterpoints that I heard to changing it were:
-          
We need to be as clear as possible, because people have gotten it wrong before.
-          
Other normative statements aren’t testable, but it can still be worthwhile to put them in.
 
The other suggestion was that rather than changing it to a should, the text could just say “Objects are not considered related by virtue of being
in the same bundle.” That removes the untestable normative statement and makes it part of the definition of bundle.
 
Before trying to drive this to consensus, let’s just get some thoughts on the best text to use. Most importantly, do you think there should be a normative
MUST?
 
Also, I know we as a community went around for a bit on bundle, but the encouraging thing at this point is that we all fundamentally agree that bundles
don’t have meaning. We’re just trying to find the best way to phrase it. So that’s good!
 
John
 
Link:

https://docs.google.com/document/d/1IcA5KhglNdyX3tO17bBluC5nqSf70M5qgK9nuAoYJgw/edit#heading=h.rvtdrdkf1jdv
 

Fine, but I think the “within the Bundle” clause (applying to both SROs and Report) is clearer:
 
Producers who wish to indicate that objects are related should use SROs or the Report object
within the Bundle to do so.
 

From:
John Wunder <jwunder@mitre.org>
Date: Tuesday, November 15, 2016 at 2:24 PM
To: Rich Piazza <rpiazza@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

With some slight changes that would work for me:
 
A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects
in contained with a Bundle SHOULD NOT be assumed to be related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related
should are encouraged to use SROs within the Bundle
or the Report object to do so.
 
Note that the should is intentionally non-normative.
 

From:
Rich Piazza <rpiazza@mitre.org>
Date: Tuesday, November 15, 2016 at 2:16 PM
To: John Wunder <jwunder@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

Here is some proposed text which use ideas from all suggestions:
 
A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects contained with a Bundle
SHOULD NOT be assumed to be related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related are encouraged to use SROs within the Bundle or the Report object to do so.
 

From:
<cti@lists.oasis-open.org> on behalf of John Wunder <jwunder@mitre.org>
Date: Tuesday, November 15, 2016 at 1:52 PM
To: Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

Hm, we could add a sentence like: “Producers who wish to indicate that objects are related should use SROs and the Report object to do so.”
 

From:
<cti@lists.oasis-open.org> on behalf of Patrick Maroney <oasis.individual@gmail.com>
Date: Tuesday, November 15, 2016 at 1:41 PM
To: John Wunder <jwunder@mitre.org>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

I think Allan's points are good.  Can we add language in the Bundle descriptions that shows how one would make the assertion that objects in a bundle ARE related?

On Tuesday, November 15, 2016, Wunder, John A. < jwunder@mitre.org > wrote:



All,
 
One of the other topics we talked about on the working call today was the normative text around Bundle.
 
In RC3, the text (Part 1, Section 5) stated:
“A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. A Bundle does not have any semantic meaning and objects
in the same Bundle are not necessarily related. Objects MUST NOT be considered related by virtue of being in the same Bundle.”
 
The suggestion from Allan is to modify that text to say:
“A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. The objects in the same Bundle are not necessarily
related. Objects SHOULD NOT be considered related by virtue of being in the same Bundle.”
 
Allan can elaborate but his thinking was that:
-          
In the second sentence, the clause “A bundle does not have any semantic meaning” is itself meaningless and doesn’t help people understand bundles.
-          
In the last sentence, the normative statement is inherently untestable and therefore shouldn’t be a MUST
 
The counterpoints that I heard to changing it were:
-          
We need to be as clear as possible, because people have gotten it wrong before.
-          
Other normative statements aren’t testable, but it can still be worthwhile to put them in.
 
The other suggestion was that rather than changing it to a should, the text could just say “Objects are not considered related by virtue of being
in the same bundle.” That removes the untestable normative statement and makes it part of the definition of bundle.
 
Before trying to drive this to consensus, let’s just get some thoughts on the best text to use. Most importantly, do you think there should be a normative
MUST?
 
Also, I know we as a community went around for a bit on bundle, but the encouraging thing at this point is that we all fundamentally agree that bundles
don’t have meaning. We’re just trying to find the best way to phrase it. So that’s good!
 
John
 
Link:

https://docs.google.com/document/d/1IcA5KhglNdyX3tO17bBluC5nqSf70M5qgK9nuAoYJgw/edit#heading=h.rvtdrdkf1jdv
 

Hm, I took it out because it seemed to imply that the objects could only be related if they were in the same bundle. Being in the same bundle has nothing to do with whether objects are
related and so IMO our language shouldn’t try to make those concepts overlap, even just as an example.
 

From:
Rich Piazza <rpiazza@mitre.org>
Date: Tuesday, November 15, 2016 at 2:27 PM
To: John Wunder <jwunder@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

Fine, but I think the “within the Bundle” clause (applying to both SROs and Report) is clearer:
 
Producers who wish to indicate that objects are related should use SROs or the Report object
within the Bundle to do so.
 

From:
John Wunder <jwunder@mitre.org>
Date: Tuesday, November 15, 2016 at 2:24 PM
To: Rich Piazza <rpiazza@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

With some slight changes that would work for me:
 
A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects
in contained with a Bundle SHOULD NOT be assumed to be related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related
should are encouraged to use SROs within the Bundle
or the Report object to do so.
 
Note that the should is intentionally non-normative.
 

From:
Rich Piazza <rpiazza@mitre.org>
Date: Tuesday, November 15, 2016 at 2:16 PM
To: John Wunder <jwunder@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

Here is some proposed text which use ideas from all suggestions:
 
A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects contained with a Bundle
SHOULD NOT be assumed to be related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related are encouraged to use SROs within the Bundle or the Report object to do so.
 

From:
<cti@lists.oasis-open.org> on behalf of John Wunder <jwunder@mitre.org>
Date: Tuesday, November 15, 2016 at 1:52 PM
To: Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

Hm, we could add a sentence like: “Producers who wish to indicate that objects are related should use SROs and the Report object to do so.”
 

From:
<cti@lists.oasis-open.org> on behalf of Patrick Maroney <oasis.individual@gmail.com>
Date: Tuesday, November 15, 2016 at 1:41 PM
To: John Wunder <jwunder@mitre.org>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

I think Allan's points are good.  Can we add language in the Bundle descriptions that shows how one would make the assertion that objects in a bundle ARE related?

On Tuesday, November 15, 2016, Wunder, John A. < jwunder@mitre.org > wrote:



All,
 
One of the other topics we talked about on the working call today was the normative text around Bundle.
 
In RC3, the text (Part 1, Section 5) stated:
“A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. A Bundle does not have any semantic meaning and objects
in the same Bundle are not necessarily related. Objects MUST NOT be considered related by virtue of being in the same Bundle.”
 
The suggestion from Allan is to modify that text to say:
“A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. The objects in the same Bundle are not necessarily
related. Objects SHOULD NOT be considered related by virtue of being in the same Bundle.”
 
Allan can elaborate but his thinking was that:
-          
In the second sentence, the clause “A bundle does not have any semantic meaning” is itself meaningless and doesn’t help people understand bundles.
-          
In the last sentence, the normative statement is inherently untestable and therefore shouldn’t be a MUST
 
The counterpoints that I heard to changing it were:
-          
We need to be as clear as possible, because people have gotten it wrong before.
-          
Other normative statements aren’t testable, but it can still be worthwhile to put them in.
 
The other suggestion was that rather than changing it to a should, the text could just say “Objects are not considered related by virtue of being
in the same bundle.” That removes the untestable normative statement and makes it part of the definition of bundle.
 
Before trying to drive this to consensus, let’s just get some thoughts on the best text to use. Most importantly, do you think there should be a normative
MUST?
 
Also, I know we as a community went around for a bit on bundle, but the encouraging thing at this point is that we all fundamentally agree that bundles
don’t have meaning. We’re just trying to find the best way to phrase it. So that’s good!
 
John
 
Link:

https://docs.google.com/document/d/1IcA5KhglNdyX3tO17bBluC5nqSf70M5qgK9nuAoYJgw/edit#heading=h.rvtdrdkf1jdv
 

How about this then:
 
Producers who wish to indicate that objects
within the Bundle are related should use SROs or the Report object to do so.
 

From:
John Wunder <jwunder@mitre.org>
Date: Tuesday, November 15, 2016 at 2:32 PM
To: Rich Piazza <rpiazza@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

Hm, I took it out because it seemed to imply that the objects could only be related if they were in the same bundle. Being in the same bundle has nothing to do with whether objects are
related and so IMO our language shouldn’t try to make those concepts overlap, even just as an example.
 

From:
Rich Piazza <rpiazza@mitre.org>
Date: Tuesday, November 15, 2016 at 2:27 PM
To: John Wunder <jwunder@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

Fine, but I think the “within the Bundle” clause (applying to both SROs and Report) is clearer:
 
Producers who wish to indicate that objects are related should use SROs or the Report object
within the Bundle to do so.
 

From:
John Wunder <jwunder@mitre.org>
Date: Tuesday, November 15, 2016 at 2:24 PM
To: Rich Piazza <rpiazza@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

With some slight changes that would work for me:
 
A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects
in contained with a Bundle SHOULD NOT be assumed to be related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related
should are encouraged to use SROs within the Bundle
or the Report object to do so.
 
Note that the should is intentionally non-normative.
 

From:
Rich Piazza <rpiazza@mitre.org>
Date: Tuesday, November 15, 2016 at 2:16 PM
To: John Wunder <jwunder@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

Here is some proposed text which use ideas from all suggestions:
 
A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects contained with a Bundle
SHOULD NOT be assumed to be related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related are encouraged to use SROs within the Bundle or the Report object to do so.
 

From:
<cti@lists.oasis-open.org> on behalf of John Wunder <jwunder@mitre.org>
Date: Tuesday, November 15, 2016 at 1:52 PM
To: Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

Hm, we could add a sentence like: “Producers who wish to indicate that objects are related should use SROs and the Report object to do so.”
 

From:
<cti@lists.oasis-open.org> on behalf of Patrick Maroney <oasis.individual@gmail.com>
Date: Tuesday, November 15, 2016 at 1:41 PM
To: John Wunder <jwunder@mitre.org>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

I think Allan's points are good.  Can we add language in the Bundle descriptions that shows how one would make the assertion that objects in a bundle ARE related?

On Tuesday, November 15, 2016, Wunder, John A. < jwunder@mitre.org > wrote:



All,
 
One of the other topics we talked about on the working call today was the normative text around Bundle.
 
In RC3, the text (Part 1, Section 5) stated:
“A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. A Bundle does not have any semantic meaning and objects
in the same Bundle are not necessarily related. Objects MUST NOT be considered related by virtue of being in the same Bundle.”
 
The suggestion from Allan is to modify that text to say:
“A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. The objects in the same Bundle are not necessarily
related. Objects SHOULD NOT be considered related by virtue of being in the same Bundle.”
 
Allan can elaborate but his thinking was that:
-          
In the second sentence, the clause “A bundle does not have any semantic meaning” is itself meaningless and doesn’t help people understand bundles.
-          
In the last sentence, the normative statement is inherently untestable and therefore shouldn’t be a MUST
 
The counterpoints that I heard to changing it were:
-          
We need to be as clear as possible, because people have gotten it wrong before.
-          
Other normative statements aren’t testable, but it can still be worthwhile to put them in.
 
The other suggestion was that rather than changing it to a should, the text could just say “Objects are not considered related by virtue of being
in the same bundle.” That removes the untestable normative statement and makes it part of the definition of bundle.
 
Before trying to drive this to consensus, let’s just get some thoughts on the best text to use. Most importantly, do you think there should be a normative
MUST?
 
Also, I know we as a community went around for a bit on bundle, but the encouraging thing at this point is that we all fundamentally agree that bundles
don’t have meaning. We’re just trying to find the best way to phrase it. So that’s good!
 
John
 
Link:

https://docs.google.com/document/d/1IcA5KhglNdyX3tO17bBluC5nqSf70M5qgK9nuAoYJgw/edit#heading=h.rvtdrdkf1jdv
 

What about this: "A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects contained in a Bundle are not related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related should use SROs and / or the Report object to do so." Bret From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Piazza, Rich <rpiazza@mitre.org> Sent: Tuesday, November 15, 2016 12:34:31 PM To: Wunder, John A.; Patrick Maroney Cc: cti@lists.oasis-open.org Subject: Re: [cti] Text around bundle   How about this then:   Producers who wish to indicate that objects within the Bundle are related should use SROs or the Report object to do so.   From: John Wunder <jwunder@mitre.org> Date: Tuesday, November 15, 2016 at 2:32 PM To: Rich Piazza <rpiazza@mitre.org>, Patrick Maroney <oasis.individual@gmail.com> Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> Subject: Re: [cti] Text around bundle   Hm, I took it out because it seemed to imply that the objects could only be related if they were in the same bundle. Being in the same bundle has nothing to do with whether objects are related and so IMO our language shouldn’t try to make those concepts overlap, even just as an example.   From: Rich Piazza <rpiazza@mitre.org> Date: Tuesday, November 15, 2016 at 2:27 PM To: John Wunder <jwunder@mitre.org>, Patrick Maroney <oasis.individual@gmail.com> Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> Subject: Re: [cti] Text around bundle   Fine, but I think the “within the Bundle” clause (applying to both SROs and Report) is clearer:   Producers who wish to indicate that objects are related should use SROs or the Report object within the Bundle to do so.   From: John Wunder <jwunder@mitre.org> Date: Tuesday, November 15, 2016 at 2:24 PM To: Rich Piazza <rpiazza@mitre.org>, Patrick Maroney <oasis.individual@gmail.com> Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> Subject: Re: [cti] Text around bundle   With some slight changes that would work for me:   A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects in contained with a Bundle SHOULD NOT be assumed to be related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related should are encouraged to use SROs within the Bundle or the Report object to do so.   Note that the should is intentionally non-normative.   From: Rich Piazza <rpiazza@mitre.org> Date: Tuesday, November 15, 2016 at 2:16 PM To: John Wunder <jwunder@mitre.org>, Patrick Maroney <oasis.individual@gmail.com> Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> Subject: Re: [cti] Text around bundle   Here is some proposed text which use ideas from all suggestions:   A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects contained with a Bundle SHOULD NOT be assumed to be related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related are encouraged to use SROs within the Bundle or the Report object to do so.   From: <cti@lists.oasis-open.org> on behalf of John Wunder <jwunder@mitre.org> Date: Tuesday, November 15, 2016 at 1:52 PM To: Patrick Maroney <oasis.individual@gmail.com> Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> Subject: Re: [cti] Text around bundle   Hm, we could add a sentence like: “Producers who wish to indicate that objects are related should use SROs and the Report object to do so.”   From: <cti@lists.oasis-open.org> on behalf of Patrick Maroney <oasis.individual@gmail.com> Date: Tuesday, November 15, 2016 at 1:41 PM To: John Wunder <jwunder@mitre.org> Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> Subject: Re: [cti] Text around bundle   I think Allan's points are good.  Can we add language in the Bundle descriptions that shows how one would make the assertion that objects in a bundle ARE related? On Tuesday, November 15, 2016, Wunder, John A. < jwunder@mitre.org > wrote: All,   One of the other topics we talked about on the working call today was the normative text around Bundle.   In RC3, the text (Part 1, Section 5) stated: “A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. A Bundle does not have any semantic meaning and objects in the same Bundle are not necessarily related. Objects MUST NOT be considered related by virtue of being in the same Bundle.”   The suggestion from Allan is to modify that text to say: “A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. The objects in the same Bundle are not necessarily related. Objects SHOULD NOT be considered related by virtue of being in the same Bundle.”   Allan can elaborate but his thinking was that: -           In the second sentence, the clause “A bundle does not have any semantic meaning” is itself meaningless and doesn’t help people understand bundles. -           In the last sentence, the normative statement is inherently untestable and therefore shouldn’t be a MUST   The counterpoints that I heard to changing it were: -           We need to be as clear as possible, because people have gotten it wrong before. -           Other normative statements aren’t testable, but it can still be worthwhile to put them in.   The other suggestion was that rather than changing it to a should, the text could just say “Objects are not considered related by virtue of being in the same bundle.” That removes the untestable normative statement and makes it part of the definition of bundle.   Before trying to drive this to consensus, let’s just get some thoughts on the best text to use. Most importantly, do you think there should be a normative MUST?   Also, I know we as a community went around for a bit on bundle, but the encouraging thing at this point is that we all fundamentally agree that bundles don’t have meaning. We’re just trying to find the best way to phrase it. So that’s good!   John   Link: https://docs.google.com/document/d/1IcA5KhglNdyX3tO17bBluC5nqSf70M5qgK9nuAoYJgw/edit#heading=h.rvtdrdkf1jdv  

I like removing the SHOULD normative statement and your last sentence. I would also be fine with Rich’s suggestion.
 
Allan, do you think something like what Bret wrote would work for you? If so and if nobody else has objections we can take this off list and do some word-smithing.
 
John
 

From:
<cti@lists.oasis-open.org> on behalf of "Bret Jordan (CS)" <Bret_Jordan@symantec.com>
Date: Tuesday, November 15, 2016 at 2:37 PM
To: Rich Piazza <rpiazza@mitre.org>, John Wunder <jwunder@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 


What about this:
 
"A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects contained in a Bundle are not related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects
are related should use SROs and / or the Report object to do so."
 
Bret





From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Piazza, Rich <rpiazza@mitre.org>
Sent: Tuesday, November 15, 2016 12:34:31 PM
To: Wunder, John A.; Patrick Maroney
Cc: cti@lists.oasis-open.org
Subject: Re: [cti] Text around bundle

 



How about this then:
 
Producers who wish to indicate that objects
within the Bundle are related should use SROs or the Report object to do so.
 

From:
John Wunder <jwunder@mitre.org>
Date: Tuesday, November 15, 2016 at 2:32 PM
To: Rich Piazza <rpiazza@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

Hm, I took it out because it seemed to imply that the objects could only be related if they were in the same bundle. Being in the same bundle has nothing to do with whether objects are
related and so IMO our language shouldn’t try to make those concepts overlap, even just as an example.
 

From:
Rich Piazza <rpiazza@mitre.org>
Date: Tuesday, November 15, 2016 at 2:27 PM
To: John Wunder <jwunder@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

Fine, but I think the “within the Bundle” clause (applying to both SROs and Report) is clearer:
 
Producers who wish to indicate that objects are related should use SROs or the Report object
within the Bundle to do so.
 

From:
John Wunder <jwunder@mitre.org>
Date: Tuesday, November 15, 2016 at 2:24 PM
To: Rich Piazza <rpiazza@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

With some slight changes that would work for me:
 
A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects
in contained with a Bundle SHOULD NOT be assumed to be related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related
should are encouraged to use SROs within the Bundle
or the Report object to do so.
 
Note that the should is intentionally non-normative.
 

From:
Rich Piazza <rpiazza@mitre.org>
Date: Tuesday, November 15, 2016 at 2:16 PM
To: John Wunder <jwunder@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

Here is some proposed text which use ideas from all suggestions:
 
A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects contained with a Bundle
SHOULD NOT be assumed to be related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related are encouraged to use SROs within the Bundle or the Report object to do so.
 

From:
<cti@lists.oasis-open.org> on behalf of John Wunder <jwunder@mitre.org>
Date: Tuesday, November 15, 2016 at 1:52 PM
To: Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

Hm, we could add a sentence like: “Producers who wish to indicate that objects are related should use SROs and the Report object to do so.”
 

From:
<cti@lists.oasis-open.org> on behalf of Patrick Maroney <oasis.individual@gmail.com>
Date: Tuesday, November 15, 2016 at 1:41 PM
To: John Wunder <jwunder@mitre.org>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

I think Allan's points are good.  Can we add language in the Bundle descriptions that shows how one would make the assertion that objects in a bundle ARE related?

On Tuesday, November 15, 2016, Wunder, John A. < jwunder@mitre.org > wrote:



All,
 
One of the other topics we talked about on the working call today was the normative text around Bundle.
 
In RC3, the text (Part 1, Section 5) stated:
“A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. A Bundle does not have any semantic meaning and objects
in the same Bundle are not necessarily related. Objects MUST NOT be considered related by virtue of being in the same Bundle.”
 
The suggestion from Allan is to modify that text to say:
“A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. The objects in the same Bundle are not necessarily
related. Objects SHOULD NOT be considered related by virtue of being in the same Bundle.”
 
Allan can elaborate but his thinking was that:
-          
In the second sentence, the clause “A bundle does not have any semantic meaning” is itself meaningless and doesn’t help people understand bundles.
-          
In the last sentence, the normative statement is inherently untestable and therefore shouldn’t be a MUST
 
The counterpoints that I heard to changing it were:
-          
We need to be as clear as possible, because people have gotten it wrong before.
-          
Other normative statements aren’t testable, but it can still be worthwhile to put them in.
 
The other suggestion was that rather than changing it to a should, the text could just say “Objects are not considered related by virtue of being
in the same bundle.” That removes the untestable normative statement and makes it part of the definition of bundle.
 
Before trying to drive this to consensus, let’s just get some thoughts on the best text to use. Most importantly, do you think there should be a normative
MUST?
 
Also, I know we as a community went around for a bit on bundle, but the encouraging thing at this point is that we all fundamentally agree that bundles
don’t have meaning. We’re just trying to find the best way to phrase it. So that’s good!
 
John
 
Link:

https://docs.google.com/document/d/1IcA5KhglNdyX3tO17bBluC5nqSf70M5qgK9nuAoYJgw/edit#heading=h.rvtdrdkf1jdv
 

Alright sorry for the double e-mail, talked through this a bit on Slack with Mark, Bret, and Ivan. We wanted to address Allan’s comments with the fewest changes to the existing text possible
given how many review cycles it’s been through. To that end, any objections to this?
 
Ø  
A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. A Bundle does not have any semantic meaning and Objects are not considered related by
virtue of being in the same Bundle.
 
Short, sweet, and to the point.
 
John
 

From:
<cti@lists.oasis-open.org> on behalf of John Wunder <jwunder@mitre.org>
Date: Tuesday, November 15, 2016 at 2:41 PM
To: "Bret Jordan (CS)" <Bret_Jordan@symantec.com>, Rich Piazza <rpiazza@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

I like removing the SHOULD normative statement and your last sentence. I would also be fine with Rich’s suggestion.
 
Allan, do you think something like what Bret wrote would work for you? If so and if nobody else has objections we can take this off list and do some word-smithing.
 
John
 

From:
<cti@lists.oasis-open.org> on behalf of "Bret Jordan (CS)" <Bret_Jordan@symantec.com>
Date: Tuesday, November 15, 2016 at 2:37 PM
To: Rich Piazza <rpiazza@mitre.org>, John Wunder <jwunder@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 


What about this:
 
"A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects contained in a Bundle are not related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects
are related should use SROs and / or the Report object to do so."
 
Bret





From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Piazza, Rich <rpiazza@mitre.org>
Sent: Tuesday, November 15, 2016 12:34:31 PM
To: Wunder, John A.; Patrick Maroney
Cc: cti@lists.oasis-open.org
Subject: Re: [cti] Text around bundle

 



How about this then:
 
Producers who wish to indicate that objects
within the Bundle are related should use SROs or the Report object to do so.
 

From:
John Wunder <jwunder@mitre.org>
Date: Tuesday, November 15, 2016 at 2:32 PM
To: Rich Piazza <rpiazza@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

Hm, I took it out because it seemed to imply that the objects could only be related if they were in the same bundle. Being in the same bundle has nothing to do with whether objects are
related and so IMO our language shouldn’t try to make those concepts overlap, even just as an example.
 

From:
Rich Piazza <rpiazza@mitre.org>
Date: Tuesday, November 15, 2016 at 2:27 PM
To: John Wunder <jwunder@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

Fine, but I think the “within the Bundle” clause (applying to both SROs and Report) is clearer:
 
Producers who wish to indicate that objects are related should use SROs or the Report object
within the Bundle to do so.
 

From:
John Wunder <jwunder@mitre.org>
Date: Tuesday, November 15, 2016 at 2:24 PM
To: Rich Piazza <rpiazza@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

With some slight changes that would work for me:
 
A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects
in contained with a Bundle SHOULD NOT be assumed to be related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related
should are encouraged to use SROs within the Bundle
or the Report object to do so.
 
Note that the should is intentionally non-normative.
 

From:
Rich Piazza <rpiazza@mitre.org>
Date: Tuesday, November 15, 2016 at 2:16 PM
To: John Wunder <jwunder@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

Here is some proposed text which use ideas from all suggestions:
 
A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects contained with a Bundle
SHOULD NOT be assumed to be related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related are encouraged to use SROs within the Bundle or the Report object to do so.
 

From:
<cti@lists.oasis-open.org> on behalf of John Wunder <jwunder@mitre.org>
Date: Tuesday, November 15, 2016 at 1:52 PM
To: Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

Hm, we could add a sentence like: “Producers who wish to indicate that objects are related should use SROs and the Report object to do so.”
 

From:
<cti@lists.oasis-open.org> on behalf of Patrick Maroney <oasis.individual@gmail.com>
Date: Tuesday, November 15, 2016 at 1:41 PM
To: John Wunder <jwunder@mitre.org>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

I think Allan's points are good.  Can we add language in the Bundle descriptions that shows how one would make the assertion that objects in a bundle ARE related?

On Tuesday, November 15, 2016, Wunder, John A. < jwunder@mitre.org > wrote:



All,
 
One of the other topics we talked about on the working call today was the normative text around Bundle.
 
In RC3, the text (Part 1, Section 5) stated:
“A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. A Bundle does not have any semantic meaning and objects
in the same Bundle are not necessarily related. Objects MUST NOT be considered related by virtue of being in the same Bundle.”
 
The suggestion from Allan is to modify that text to say:
“A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. The objects in the same Bundle are not necessarily
related. Objects SHOULD NOT be considered related by virtue of being in the same Bundle.”
 
Allan can elaborate but his thinking was that:
-          
In the second sentence, the clause “A bundle does not have any semantic meaning” is itself meaningless and doesn’t help people understand bundles.
-          
In the last sentence, the normative statement is inherently untestable and therefore shouldn’t be a MUST
 
The counterpoints that I heard to changing it were:
-          
We need to be as clear as possible, because people have gotten it wrong before.
-          
Other normative statements aren’t testable, but it can still be worthwhile to put them in.
 
The other suggestion was that rather than changing it to a should, the text could just say “Objects are not considered related by virtue of being
in the same bundle.” That removes the untestable normative statement and makes it part of the definition of bundle.
 
Before trying to drive this to consensus, let’s just get some thoughts on the best text to use. Most importantly, do you think there should be a normative
MUST?
 
Also, I know we as a community went around for a bit on bundle, but the encouraging thing at this point is that we all fundamentally agree that bundles
don’t have meaning. We’re just trying to find the best way to phrase it. So that’s good!
 
John
 
Link:

https://docs.google.com/document/d/1IcA5KhglNdyX3tO17bBluC5nqSf70M5qgK9nuAoYJgw/edit#heading=h.rvtdrdkf1jdv
 

In the interests of moving forward -> I’m good with what you propose.
 
Not having MUST was my primary objection.
 
allan
 

From:
"cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "Wunder, John" <jwunder@mitre.org>
Date: Tuesday, November 15, 2016 at 12:15 PM
To: "Bret Jordan (CS)" <Bret_Jordan@symantec.com>, "Piazza, Rich" <rpiazza@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

Alright sorry for the double e-mail, talked through this a bit on Slack with Mark, Bret, and Ivan. We wanted to address Allan’s comments with the fewest changes to the existing text possible
given how many review cycles it’s been through. To that end, any objections to this?
 
Ø  
A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. A Bundle does not have any semantic meaning and Objects are not considered related by
virtue of being in the same Bundle.
 
Short, sweet, and to the point.
 
John
 

From:
<cti@lists.oasis-open.org> on behalf of John Wunder <jwunder@mitre.org>
Date: Tuesday, November 15, 2016 at 2:41 PM
To: "Bret Jordan (CS)" <Bret_Jordan@symantec.com>, Rich Piazza <rpiazza@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

I like removing the SHOULD normative statement and your last sentence. I would also be fine with Rich’s suggestion.
 
Allan, do you think something like what Bret wrote would work for you? If so and if nobody else has objections we can take this off list and do some word-smithing.
 
John
 

From:
<cti@lists.oasis-open.org> on behalf of "Bret Jordan (CS)" <Bret_Jordan@symantec.com>
Date: Tuesday, November 15, 2016 at 2:37 PM
To: Rich Piazza <rpiazza@mitre.org>, John Wunder <jwunder@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 


What about this:
 
"A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects contained in a Bundle are not related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects
are related should use SROs and / or the Report object to do so."
 
Bret





From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Piazza, Rich <rpiazza@mitre.org>
Sent: Tuesday, November 15, 2016 12:34:31 PM
To: Wunder, John A.; Patrick Maroney
Cc: cti@lists.oasis-open.org
Subject: Re: [cti] Text around bundle

 



How about this then:
 
Producers who wish to indicate that objects
within the Bundle are related should use SROs or the Report object to do so.
 

From:
John Wunder <jwunder@mitre.org>
Date: Tuesday, November 15, 2016 at 2:32 PM
To: Rich Piazza <rpiazza@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

Hm, I took it out because it seemed to imply that the objects could only be related if they were in the same bundle. Being in the same bundle has nothing to do with whether objects are
related and so IMO our language shouldn’t try to make those concepts overlap, even just as an example.
 

From:
Rich Piazza <rpiazza@mitre.org>
Date: Tuesday, November 15, 2016 at 2:27 PM
To: John Wunder <jwunder@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

Fine, but I think the “within the Bundle” clause (applying to both SROs and Report) is clearer:
 
Producers who wish to indicate that objects are related should use SROs or the Report object
within the Bundle to do so.
 

From:
John Wunder <jwunder@mitre.org>
Date: Tuesday, November 15, 2016 at 2:24 PM
To: Rich Piazza <rpiazza@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

With some slight changes that would work for me:
 
A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects
in contained with a Bundle SHOULD NOT be assumed to be related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related
should are encouraged to use SROs within the Bundle
or the Report object to do so.
 
Note that the should is intentionally non-normative.
 

From:
Rich Piazza <rpiazza@mitre.org>
Date: Tuesday, November 15, 2016 at 2:16 PM
To: John Wunder <jwunder@mitre.org>, Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

Here is some proposed text which use ideas from all suggestions:
 
A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects contained with a Bundle
SHOULD NOT be assumed to be related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related are encouraged to use SROs within the Bundle or the Report object to do so.
 

From:
<cti@lists.oasis-open.org> on behalf of John Wunder <jwunder@mitre.org>
Date: Tuesday, November 15, 2016 at 1:52 PM
To: Patrick Maroney <oasis.individual@gmail.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

Hm, we could add a sentence like: “Producers who wish to indicate that objects are related should use SROs and the Report object to do so.”
 

From:
<cti@lists.oasis-open.org> on behalf of Patrick Maroney <oasis.individual@gmail.com>
Date: Tuesday, November 15, 2016 at 1:41 PM
To: John Wunder <jwunder@mitre.org>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Text around bundle


 

I think Allan's points are good.  Can we add language in the Bundle descriptions that shows how one would make the assertion that objects in a bundle ARE related?

On Tuesday, November 15, 2016, Wunder, John A. < jwunder@mitre.org > wrote:



All,
 
One of the other topics we talked about on the working call today was the normative text around Bundle.
 
In RC3, the text (Part 1, Section 5) stated:
“A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. A Bundle does not have any semantic meaning and objects
in the same Bundle are not necessarily related. Objects MUST NOT be considered related by virtue of being in the same Bundle.”
 
The suggestion from Allan is to modify that text to say:
“A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. The objects in the same Bundle are not necessarily
related. Objects SHOULD NOT be considered related by virtue of being in the same Bundle.”
 
Allan can elaborate but his thinking was that:
-          
In the second sentence, the clause “A bundle does not have any semantic meaning” is itself meaningless and doesn’t help people understand bundles.
-          
In the last sentence, the normative statement is inherently untestable and therefore shouldn’t be a MUST
 
The counterpoints that I heard to changing it were:
-          
We need to be as clear as possible, because people have gotten it wrong before.
-          
Other normative statements aren’t testable, but it can still be worthwhile to put them in.
 
The other suggestion was that rather than changing it to a should, the text could just say “Objects are not considered related by virtue of being
in the same bundle.” That removes the untestable normative statement and makes it part of the definition of bundle.
 
Before trying to drive this to consensus, let’s just get some thoughts on the best text to use. Most importantly, do you think there should be a normative
MUST?
 
Also, I know we as a community went around for a bit on bundle, but the encouraging thing at this point is that we all fundamentally agree that bundles
don’t have meaning. We’re just trying to find the best way to phrase it. So that’s good!
 
John
 
Link:

https://docs.google.com/document/d/1IcA5KhglNdyX3tO17bBluC5nqSf70M5qgK9nuAoYJgw/edit#heading=h.rvtdrdkf1jdv
 

Coming from a place of ignorance, why do we have Bundles? Let me explain by a slightly different wording: A Bundle is a collection of arbitrary STIX Objects that do not have any relationship to each other, unless they do have a relationship with each other. However, if they do have a relationship with each other, we have SRO’s and Report objects to tie them together, which means you really should never bundle a collection of related STIX Objects together. Since there is a mechanism for collecting related STIX Objects together, one might be tempted to use a Bundle to collect a bunch of unrelated STIX Objects together. However, sometimes these objects are related, which means one cannot draw any conclusions that STIX Objects in a Bundle are not related. In English: the only purpose of a Bundle is to confuse implementors and give the bad guys a chance to find holes in code that is more complicated than it needs to be. Why do we have Bundles? On Nov 15, 2016, at 3:15 PM, Wunder, John A. < jwunder@mitre.org > wrote: Alright sorry for the double e-mail, talked through this a bit on Slack with Mark, Bret, and Ivan. We wanted to address Allan’s comments with the fewest changes to the existing text possible given how many review cycles it’s been through. To that end, any objections to this?   Ø     A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. A Bundle does not have any semantic meaning and Objects are not considered related by virtue of being in the same Bundle.   Short, sweet, and to the point.   John   From:   < cti@lists.oasis-open.org > on behalf of John Wunder < jwunder@mitre.org > Date:   Tuesday, November 15, 2016 at 2:41 PM To:   Bret Jordan (CS) < Bret_Jordan@symantec.com >, Rich Piazza < rpiazza@mitre.org >, Patrick Maroney < oasis.individual@gmail.com > Cc:   cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject:   Re: [cti] Text around bundle   I like removing the SHOULD normative statement and your last sentence. I would also be fine with Rich’s suggestion.   Allan, do you think something like what Bret wrote would work for you? If so and if nobody else has objections we can take this off list and do some word-smithing.   John   From:   < cti@lists.oasis-open.org > on behalf of Bret Jordan (CS) < Bret_Jordan@symantec.com > Date:   Tuesday, November 15, 2016 at 2:37 PM To:   Rich Piazza < rpiazza@mitre.org >, John Wunder < jwunder@mitre.org >, Patrick Maroney < oasis.individual@gmail.com > Cc:   cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject:   Re: [cti] Text around bundle   What about this:   A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects contained in a Bundle are not related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related should use SROs and / or the Report object to do so.   Bret From:   cti@lists.oasis-open.org < cti@lists.oasis-open.org > on behalf of Piazza, Rich < rpiazza@mitre.org > Sent:   Tuesday, November 15, 2016 12:34:31 PM To:   Wunder, John A.; Patrick Maroney Cc:   cti@lists.oasis-open.org Subject:   Re: [cti] Text around bundle   How about this then:   Producers who wish to indicate that objects   within the Bundle   are related should use SROs or the Report object to do so.   From:   John Wunder < jwunder@mitre.org > Date:   Tuesday, November 15, 2016 at 2:32 PM To:   Rich Piazza < rpiazza@mitre.org >, Patrick Maroney < oasis.individual@gmail.com > Cc:   cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject:   Re: [cti] Text around bundle   Hm, I took it out because it seemed to imply that the objects could only be related if they were in the same bundle. Being in the same bundle has nothing to do with whether objects are related and so IMO our language shouldn’t try to make those concepts overlap, even just as an example.   From:   Rich Piazza < rpiazza@mitre.org > Date:   Tuesday, November 15, 2016 at 2:27 PM To:   John Wunder < jwunder@mitre.org >, Patrick Maroney < oasis.individual@gmail.com > Cc:   cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject:   Re: [cti] Text around bundle   Fine, but I think the “within the Bundle” clause (applying to both SROs and Report) is clearer:   Producers who wish to indicate that objects are related should use SROs or the Report object   within the Bundle   to do so.   From:   John Wunder < jwunder@mitre.org > Date:   Tuesday, November 15, 2016 at 2:24 PM To:   Rich Piazza < rpiazza@mitre.org >, Patrick Maroney < oasis.individual@gmail.com > Cc:   cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject:   Re: [cti] Text around bundle   With some slight changes that would work for me:   A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects   in   contained with   a Bundle   SHOULD NOT   be assumed to be related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related   should   are encouraged to   use SROs   within the Bundle   or the Report object to do so.   Note that the should is intentionally non-normative.   From:   Rich Piazza < rpiazza@mitre.org > Date:   Tuesday, November 15, 2016 at 2:16 PM To:   John Wunder < jwunder@mitre.org >, Patrick Maroney < oasis.individual@gmail.com > Cc:   cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject:   Re: [cti] Text around bundle   Here is some proposed text which use ideas from all suggestions:   A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects contained with a Bundle   SHOULD NOT   be assumed to be related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related are encouraged to use SROs within the Bundle or the Report object to do so.   From:   < cti@lists.oasis-open.org > on behalf of John Wunder < jwunder@mitre.org > Date:   Tuesday, November 15, 2016 at 1:52 PM To:   Patrick Maroney < oasis.individual@gmail.com > Cc:   cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject:   Re: [cti] Text around bundle   Hm, we could add a sentence like: “Producers who wish to indicate that objects are related should use SROs and the Report object to do so.”   From:   < cti@lists.oasis-open.org > on behalf of Patrick Maroney < oasis.individual@gmail.com > Date:   Tuesday, November 15, 2016 at 1:41 PM To:   John Wunder < jwunder@mitre.org > Cc:   cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject:   Re: [cti] Text around bundle   I think Allan's points are good.  Can we add language in the Bundle descriptions that shows how one would make the assertion that objects in a bundle ARE related? On Tuesday, November 15, 2016, Wunder, John A. < jwunder@mitre.org > wrote: All,   One of the other topics we talked about on the working call today was the normative text around Bundle.   In RC3, the text (Part 1, Section 5) stated: “A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. A Bundle does not have any semantic meaning and objects in the same Bundle are not necessarily related. Objects   MUST NOT   be considered related by virtue of being in the same Bundle.”   The suggestion from Allan is to modify that text to say: “A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. The objects in the same Bundle are not necessarily related. Objects   SHOULD NOT   be considered related by virtue of being in the same Bundle.”   Allan can elaborate but his thinking was that: -             In the second sentence, the clause “A bundle does not have any semantic meaning” is itself meaningless and doesn’t help people understand bundles. -             In the last sentence, the normative statement is inherently untestable and therefore shouldn’t be a MUST   The counterpoints that I heard to changing it were: -             We need to be as clear as possible, because people have gotten it wrong before. -             Other normative statements aren’t testable, but it can still be worthwhile to put them in.   The other suggestion was that rather than changing it to a should, the text could just say “Objects are not considered related by virtue of being in the same bundle.” That removes the untestable normative statement and makes it part of the definition of bundle.   Before trying to drive this to consensus, let’s just get some thoughts on the best text to use. Most importantly, do you think there should be a normative MUST?   Also, I know we as a community went around for a bit on bundle, but the encouraging thing at this point is that we all fundamentally agree that bundles don’t have meaning. We’re just trying to find the best way to phrase it. So that’s good!   John   Link: https://docs.google.com/document/d/1IcA5KhglNdyX3tO17bBluC5nqSf70M5qgK9nuAoYJgw/edit#heading=h.rvtdrdkf1jdv   Attachment: signature.asc Description: Message signed with OpenPGP using GPGMail

A STIX Relationship Object (SRO) and a Report Object do not allow you to include or embedded the various things that are linked.  A Bundle on the other hand allows you to attach multiple STIX "things" in a single JSON blob of data.  You may use these in TAXII you may use them in sneaker-net, you may use them with STIX over email or STIX over skype.   Without the STIX Bundle there is really no way to send multiple STIX objects as a single "thing".  The way a lot of people may use a Bundle is like: 1) TAXII, give me all indicators over the past 24 hours.  So if there were say 10 Million new indicators.  You could group all of those Indicators together in a single Bundle.   2) Let me send you 4 CTI Reports and automatically dereference all of the content and send that to you as well.  This will include say the 4 report objects, 1000 SDOs per report and say 2000 SDOs per report.  Once again, you could send these all as single JSON objects or you could wrap them in a container to send them.   This is what a Bundle is.  But we are trying to fix the STIX 1.x problems we had with the old STIX Package.  Where some times things in the STIX Package were related and sometimes they were not.  And there was no way to tell the difference.  This way, the way we have it, if you include SROs or a Report Object that the SRO or Report object tells you how things are related.  But just because two objects are in a Bundle does NOT make them related at all, ever. You need something else to actually relate them. Bret From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Eric Burger <Eric.Burger@georgetown.edu> Sent: Tuesday, November 15, 2016 5:11:31 PM To: cti@lists.oasis-open.org Subject: Re: [cti] Text around bundle   Coming from a place of ignorance, why do we have Bundles? Let me explain by a slightly different wording: A Bundle is a collection of arbitrary STIX Objects that do not have any relationship to each other, unless they do have a relationship with each other. However, if they do have a relationship with each other, we have SRO’s and Report objects to tie them together, which means you really should never bundle a collection of related STIX Objects together. Since there is a mechanism for collecting related STIX Objects together, one might be tempted to use a Bundle to collect a bunch of unrelated STIX Objects together. However, sometimes these objects are related, which means one cannot draw any conclusions that STIX Objects in a Bundle are not related. In English: the only purpose of a Bundle is to confuse implementors and give the bad guys a chance to find holes in code that is more complicated than it needs to be. Why do we have Bundles? On Nov 15, 2016, at 3:15 PM, Wunder, John A. < jwunder@mitre.org > wrote: Alright sorry for the double e-mail, talked through this a bit on Slack with Mark, Bret, and Ivan. We wanted to address Allan’s comments with the fewest changes to the existing text possible given how many review cycles it’s been through. To that end, any objections to this?   Ø     A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. A Bundle does not have any semantic meaning and Objects are not considered related by virtue of being in the same Bundle.   Short, sweet, and to the point.   John   From:   < cti@lists.oasis-open.org > on behalf of John Wunder < jwunder@mitre.org > Date:   Tuesday, November 15, 2016 at 2:41 PM To:   "Bret Jordan (CS)" < Bret_Jordan@symantec.com >, Rich Piazza < rpiazza@mitre.org >, Patrick Maroney < oasis.individual@gmail.com > Cc:   " cti@lists.oasis-open.org " < cti@lists.oasis-open.org > Subject:   Re: [cti] Text around bundle   I like removing the SHOULD normative statement and your last sentence. I would also be fine with Rich’s suggestion.   Allan, do you think something like what Bret wrote would work for you? If so and if nobody else has objections we can take this off list and do some word-smithing.   John   From:   < cti@lists.oasis-open.org > on behalf of "Bret Jordan (CS)" < Bret_Jordan@symantec.com > Date:   Tuesday, November 15, 2016 at 2:37 PM To:   Rich Piazza < rpiazza@mitre.org >, John Wunder < jwunder@mitre.org >, Patrick Maroney < oasis.individual@gmail.com > Cc:   " cti@lists.oasis-open.org " < cti@lists.oasis-open.org > Subject:   Re: [cti] Text around bundle   What about this:   "A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects contained in a Bundle are not related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related should use SROs and / or the Report object to do so."   Bret From:   cti@lists.oasis-open.org < cti@lists.oasis-open.org > on behalf of Piazza, Rich < rpiazza@mitre.org > Sent:   Tuesday, November 15, 2016 12:34:31 PM To:   Wunder, John A.; Patrick Maroney Cc:   cti@lists.oasis-open.org Subject:   Re: [cti] Text around bundle   How about this then:   Producers who wish to indicate that objects   within the Bundle   are related should use SROs or the Report object to do so.   From:   John Wunder < jwunder@mitre.org > Date:   Tuesday, November 15, 2016 at 2:32 PM To:   Rich Piazza < rpiazza@mitre.org >, Patrick Maroney < oasis.individual@gmail.com > Cc:   " cti@lists.oasis-open.org " < cti@lists.oasis-open.org > Subject:   Re: [cti] Text around bundle   Hm, I took it out because it seemed to imply that the objects could only be related if they were in the same bundle. Being in the same bundle has nothing to do with whether objects are related and so IMO our language shouldn’t try to make those concepts overlap, even just as an example.   From:   Rich Piazza < rpiazza@mitre.org > Date:   Tuesday, November 15, 2016 at 2:27 PM To:   John Wunder < jwunder@mitre.org >, Patrick Maroney < oasis.individual@gmail.com > Cc:   " cti@lists.oasis-open.org " < cti@lists.oasis-open.org > Subject:   Re: [cti] Text around bundle   Fine, but I think the “within the Bundle” clause (applying to both SROs and Report) is clearer:   Producers who wish to indicate that objects are related should use SROs or the Report object   within the Bundle   to do so.   From:   John Wunder < jwunder@mitre.org > Date:   Tuesday, November 15, 2016 at 2:24 PM To:   Rich Piazza < rpiazza@mitre.org >, Patrick Maroney < oasis.individual@gmail.com > Cc:   " cti@lists.oasis-open.org " < cti@lists.oasis-open.org > Subject:   Re: [cti] Text around bundle   With some slight changes that would work for me:   A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects   in   contained with   a Bundle   SHOULD NOT   be assumed to be related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related   should   are encouraged to   use SROs   within the Bundle   or the Report object to do so.   Note that the should is intentionally non-normative.   From:   Rich Piazza < rpiazza@mitre.org > Date:   Tuesday, November 15, 2016 at 2:16 PM To:   John Wunder < jwunder@mitre.org >, Patrick Maroney < oasis.individual@gmail.com > Cc:   " cti@lists.oasis-open.org " < cti@lists.oasis-open.org > Subject:   Re: [cti] Text around bundle   Here is some proposed text which use ideas from all suggestions:   A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects contained with a Bundle   SHOULD NOT   be assumed to be related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related are encouraged to use SROs within the Bundle or the Report object to do so.   From:   < cti@lists.oasis-open.org > on behalf of John Wunder < jwunder@mitre.org > Date:   Tuesday, November 15, 2016 at 1:52 PM To:   Patrick Maroney < oasis.individual@gmail.com > Cc:   " cti@lists.oasis-open.org " < cti@lists.oasis-open.org > Subject:   Re: [cti] Text around bundle   Hm, we could add a sentence like: “Producers who wish to indicate that objects are related should use SROs and the Report object to do so.”   From:   < cti@lists.oasis-open.org > on behalf of Patrick Maroney < oasis.individual@gmail.com > Date:   Tuesday, November 15, 2016 at 1:41 PM To:   John Wunder < jwunder@mitre.org > Cc:   " cti@lists.oasis-open.org " < cti@lists.oasis-open.org > Subject:   Re: [cti] Text around bundle   I think Allan's points are good.  Can we add language in the Bundle descriptions that shows how one would make the assertion that objects in a bundle ARE related? On Tuesday, November 15, 2016, Wunder, John A. < jwunder@mitre.org > wrote: All,   One of the other topics we talked about on the working call today was the normative text around Bundle.   In RC3, the text (Part 1, Section 5) stated: “A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. A Bundle does not have any semantic meaning and objects in the same Bundle are not necessarily related. Objects   MUST NOT   be considered related by virtue of being in the same Bundle.”   The suggestion from Allan is to modify that text to say: “A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. The objects in the same Bundle are not necessarily related. Objects   SHOULD NOT   be considered related by virtue of being in the same Bundle.”   Allan can elaborate but his thinking was that: -             In the second sentence, the clause “A bundle does not have any semantic meaning” is itself meaningless and doesn’t help people understand bundles. -             In the last sentence, the normative statement is inherently untestable and therefore shouldn’t be a MUST   The counterpoints that I heard to changing it were: -             We need to be as clear as possible, because people have gotten it wrong before. -             Other normative statements aren’t testable, but it can still be worthwhile to put them in.   The other suggestion was that rather than changing it to a should, the text could just say “Objects are not considered related by virtue of being in the same bundle.” That removes the untestable normative statement and makes it part of the definition of bundle.   Before trying to drive this to consensus, let’s just get some thoughts on the best text to use. Most importantly, do you think there should be a normative MUST?   Also, I know we as a community went around for a bit on bundle, but the encouraging thing at this point is that we all fundamentally agree that bundles don’t have meaning. We’re just trying to find the best way to phrase it. So that’s good!   John   Link: https://docs.google.com/document/d/1IcA5KhglNdyX3tO17bBluC5nqSf70M5qgK9nuAoYJgw/edit#heading=h.rvtdrdkf1jdv  

Why isn’t TAXII the way to send a bunch of unrelated STIX things in a single TAXII message?  More inline. On Nov 15, 2016, at 7:27 PM, Bret Jordan (CS) < Bret_Jordan@symantec.com > wrote: A STIX Relationship Object (SRO) and a Report Object do not allow you to include or embedded the various things that are linked.  A Bundle on the other hand allows you to attach multiple STIX things in a single JSON blob of data.  You may use these in TAXII you may use them in sneaker-net, you may use them with STIX over email or STIX over skype.   Without the STIX Bundle there is really no way to send multiple STIX objects as a single thing .  The way a lot of people may use a Bundle is like: 1) TAXII, give me all indicators over the past 24 hours.  So if there were say 10 Million new indicators.  You could group all of those Indicators together in a single Bundle.   So everything in the bundle is related . They all occurred in the last 24 hours. 2) Let me send you 4 CTI Reports and automatically dereference all of the content and send that to you as well.  This will include say the 4 report objects, 1000 SDOs per report and say 2000 SDOs per report.  Once again, you could send these all as single JSON objects or you could wrap them in a container to send them.   Again, everything in these bundles are also related . They are related to their (Bundled) Reports. This is what a Bundle is.  But we are trying to fix the STIX 1.x problems we had with the old STIX Package.  Where some times things in the STIX Package were related and sometimes they were not.  And there was no way to tell the difference.  This way, the way we have it, if you include SROs or a Report Object that the SRO or Report object tells you how things are related.  But just because two objects are in a Bundle does NOT make them related at all, ever. You need something else to actually relate them. Let’s say you need to bundle things that are truly not related. In that case, why would you bundle them? Bret From:   cti@lists.oasis-open.org < cti@lists.oasis-open.org > on behalf of Eric Burger < Eric.Burger@georgetown.edu > Sent:   Tuesday, November 15, 2016 5:11:31 PM To:   cti@lists.oasis-open.org Subject:   Re: [cti] Text around bundle   Coming from a place of ignorance, why do we have Bundles? Let me explain by a slightly different wording: A Bundle is a collection of arbitrary STIX Objects that do not have any relationship to each other, unless they do have a relationship with each other. However, if they do have a relationship with each other, we have SRO’s and Report objects to tie them together, which means you really should never bundle a collection of related STIX Objects together. Since there is a mechanism for collecting related STIX Objects together, one might be tempted to use a Bundle to collect a bunch of unrelated STIX Objects together. However, sometimes these objects are related, which means one cannot draw any conclusions that STIX Objects in a Bundle are not related. In English: the only purpose of a Bundle is to confuse implementors and give the bad guys a chance to find holes in code that is more complicated than it needs to be. Why do we have Bundles? On Nov 15, 2016, at 3:15 PM, Wunder, John A. < jwunder@mitre.org > wrote: Alright sorry for the double e-mail, talked through this a bit on Slack with Mark, Bret, and Ivan. We wanted to address Allan’s comments with the fewest changes to the existing text possible given how many review cycles it’s been through. To that end, any objections to this?   Ø     A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. A Bundle does not have any semantic meaning and Objects are not considered related by virtue of being in the same Bundle.   Short, sweet, and to the point.   John   From:   < cti@lists.oasis-open.org > on behalf of John Wunder < jwunder@mitre.org > Date:   Tuesday, November 15, 2016 at 2:41 PM To:   Bret Jordan (CS) < Bret_Jordan@symantec.com >, Rich Piazza < rpiazza@mitre.org >, Patrick Maroney < oasis.individual@gmail.com > Cc:   cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject:   Re: [cti] Text around bundle   I like removing the SHOULD normative statement and your last sentence. I would also be fine with Rich’s suggestion.   Allan, do you think something like what Bret wrote would work for you? If so and if nobody else has objections we can take this off list and do some word-smithing.   John   From:   < cti@lists.oasis-open.org > on behalf of Bret Jordan (CS) < Bret_Jordan@symantec.com > Date:   Tuesday, November 15, 2016 at 2:37 PM To:   Rich Piazza < rpiazza@mitre.org >, John Wunder < jwunder@mitre.org >, Patrick Maroney < oasis.individual@gmail.com > Cc:   cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject:   Re: [cti] Text around bundle   What about this:   A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects contained in a Bundle are not related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related should use SROs and / or the Report object to do so.   Bret From:   cti@lists.oasis-open.org   < cti@lists.oasis-open.org > on behalf of Piazza, Rich < rpiazza@mitre.org > Sent:   Tuesday, November 15, 2016 12:34:31 PM To:   Wunder, John A.; Patrick Maroney Cc:   cti@lists.oasis-open.org Subject:   Re: [cti] Text around bundle   How about this then:   Producers who wish to indicate that objects   within the Bundle   are related should use SROs or the Report object to do so.   From:   John Wunder < jwunder@mitre.org > Date:   Tuesday, November 15, 2016 at 2:32 PM To:   Rich Piazza < rpiazza@mitre.org >, Patrick Maroney < oasis.individual@gmail.com > Cc:   cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject:   Re: [cti] Text around bundle   Hm, I took it out because it seemed to imply that the objects could only be related if they were in the same bundle. Being in the same bundle has nothing to do with whether objects are related and so IMO our language shouldn’t try to make those concepts overlap, even just as an example.   From:   Rich Piazza < rpiazza@mitre.org > Date:   Tuesday, November 15, 2016 at 2:27 PM To:   John Wunder < jwunder@mitre.org >, Patrick Maroney < oasis.individual@gmail.com > Cc:   cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject:   Re: [cti] Text around bundle   Fine, but I think the “within the Bundle” clause (applying to both SROs and Report) is clearer:   Producers who wish to indicate that objects are related should use SROs or the Report object   within the Bundle   to do so.   From:   John Wunder < jwunder@mitre.org > Date:   Tuesday, November 15, 2016 at 2:24 PM To:   Rich Piazza < rpiazza@mitre.org >, Patrick Maroney < oasis.individual@gmail.com > Cc:   cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject:   Re: [cti] Text around bundle   With some slight changes that would work for me:   A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects   in   contained with   a Bundle   SHOULD NOT   be assumed to be related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related   should   are encouraged to   use SROs   within the Bundle   or the Report object to do so.   Note that the should is intentionally non-normative.   From:   Rich Piazza < rpiazza@mitre.org > Date:   Tuesday, November 15, 2016 at 2:16 PM To:   John Wunder < jwunder@mitre.org >, Patrick Maroney < oasis.individual@gmail.com > Cc:   cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject:   Re: [cti] Text around bundle   Here is some proposed text which use ideas from all suggestions:   A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. Objects contained with a Bundle   SHOULD NOT   be assumed to be related solely by virtue of being in the same Bundle. Producers who wish to indicate that objects are related are encouraged to use SROs within the Bundle or the Report object to do so.   From:   < cti@lists.oasis-open.org > on behalf of John Wunder < jwunder@mitre.org > Date:   Tuesday, November 15, 2016 at 1:52 PM To:   Patrick Maroney < oasis.individual@gmail.com > Cc:   cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject:   Re: [cti] Text around bundle   Hm, we could add a sentence like: “Producers who wish to indicate that objects are related should use SROs and the Report object to do so.”   From:   < cti@lists.oasis-open.org > on behalf of Patrick Maroney < oasis.individual@gmail.com > Date:   Tuesday, November 15, 2016 at 1:41 PM To:   John Wunder < jwunder@mitre.org > Cc:   cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject:   Re: [cti] Text around bundle   I think Allan's points are good.  Can we add language in the Bundle descriptions that shows how one would make the assertion that objects in a bundle ARE related? On Tuesday, November 15, 2016, Wunder, John A. < jwunder@mitre.org > wrote: All,   One of the other topics we talked about on the working call today was the normative text around Bundle.   In RC3, the text (Part 1, Section 5) stated: “A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. A Bundle does not have any semantic meaning and objects in the same Bundle are not necessarily related. Objects   MUST NOT   be considered related by virtue of being in the same Bundle.”   The suggestion from Allan is to modify that text to say: “A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. The objects in the same Bundle are not necessarily related. Objects   SHOULD NOT   be considered related by virtue of being in the same Bundle.”   Allan can elaborate but his thinking was that: -             In the second sentence, the clause “A bundle does not have any semantic meaning” is itself meaningless and doesn’t help people understand bundles. -             In the last sentence, the normative statement is inherently untestable and therefore shouldn’t be a MUST   The counterpoints that I heard to changing it were: -             We need to be as clear as possible, because people have gotten it wrong before. -             Other normative statements aren’t testable, but it can still be worthwhile to put them in.   The other suggestion was that rather than changing it to a should, the text could just say “Objects are not considered related by virtue of being in the same bundle.” That removes the untestable normative statement and makes it part of the definition of bundle.   Before trying to drive this to consensus, let’s just get some thoughts on the best text to use. Most importantly, do you think there should be a normative MUST?   Also, I know we as a community went around for a bit on bundle, but the encouraging thing at this point is that we all fundamentally agree that bundles don’t have meaning. We’re just trying to find the best way to phrase it. So that’s good!   John   Link: https://docs.google.com/document/d/1IcA5KhglNdyX3tO17bBluC5nqSf70M5qgK9nuAoYJgw/edit#heading=h.rvtdrdkf1jdv Attachment: signature.asc Description: Message signed with OpenPGP using GPGMail

On 15.11.2016 19:39:47, Eric Burger wrote: > Why isn’t TAXII the way to send a bunch of unrelated STIX things in > a single TAXII message? > Hey, Eric - Because there is a sizable constituency that will not use TAXII as a transport mechanism for STIX. Think IC. Think sneaker-net and cross-domain guards. -- Cheers, Trey ++--------------------------------------------------------------------------++ Kingfisher Operations, sprl gpg fingerprint: 85F3 5F54 4A2A B4CD 33C4 5B9B B30D DD6E 62C8 6C1D ++--------------------------------------------------------------------------++ -- "In theory there is no difference between theory and practice; in practice there is." --anonymous Attachment: signature.asc Description: Digital signature