OASIS Cyber Threat Intelligence (CTI) TC

  • 1.  Groups - STIX Extensions Policy uploaded

    Posted 04-07-2022 20:32
    Document Name: STIX Extensions Policy
    Description: The STIX Extensions Policy document describes how extensions will be managed and the steps needed for targeted extensions to get into a future version of the STIX specification.
    Submitter: Ms. Emily Ratliff
    Group: OASIS Cyber Threat Intelligence (CTI) TC
    Folder: Documents
    Date submitted: 2022-04-07 13:32:26


  • 2.  Propose ITU STIX standard as agenda topic for next month

    Posted 04-21-2022 16:20
    I would like to propose that there be an agenda item on next month’s TC call to discuss whether CTI TC should liaison with ITU on making STIX 2.1 an ITU standard.

    My understanding (as official OASIS Liaison to ITU SG17 and attending most SG17 meetings for last few years) is that ITU has sent OASIS several liaisons requesting this. My understanding (from discussion with OASIS legal counsel) is that it was inappropriate prior to STIX becoming an OASIS standard (i.e., TC committee spec is not appropriate, but OASIS standard is) and that had been the holdup in the past. OASIS formally responded to ITU with that fact and implied that once STIX 2.1 was approved as standard, that OASIS would then proceed with ITU standardization. STIX 2.1 is now an OASIS standard so that hurdle is removed. Today was the first I’d heard that there are other concerns. I would like those concerns aired (ideally via email prior to next month’s TC meeting) and a plan created to address them if possible so we at least know a proposed timeline on when we might proceed. Or to decide that ITU standardization is inappropriate if that is the will of the group (which I really hope it is not the case).

    OASIS is proud that one of its advantages is that it has been a path to ITU standardization for many influential standards. In my opinion, ITU standardization would help address many of the issues brought up on today’s call with respect to increasing STIX awareness and adoption, and a more global reach for the TC.

    Ditto everything above for TAXII but in the interest of one-step-at-a-time, I’ll settle for discussing STIX.

    --
    Duncan Sparrell
    sFractal Consulting LLC
    iPhone, iTypo, iApologize
    I welcome VSRE emails. Learn more at http://vsre.info/


  • 3.  Re: [cti] Propose ITU STIX standard as agenda topic for next month

    Posted 04-21-2022 19:46
    I fully support this for both STIX 2.1 and TAXII 2.1. I was the one that originally floated the idea to the ITU-T SG17 Chair and the US and UK delegations. I still fully support this and would suggest that the TC vote on this so that it can be official. If there are any issues, as Duncan mentioned, please air them on the public mailing list so that they can be archived and documented.

    Thanks
    Bret


  • 4.  RE: [cti] Propose ITU STIX standard as agenda topic for next month

    Posted 04-21-2022 23:12
    I just want to chime in that, for whatever it's worth, I fully support this as well.

    Unfortunately I could not make the meeting so I am unclear what if any concerns were raised - and am somewhat surprised there are any? - I am also interested in hearing them be raised on the list, as soon as possible.

    --
    Jason Keirstead
    Distinguished Engineer, CTO - IBM Security Threat Management
    www.ibm.com/security
    Declare an Emergency: USA +1 888 241 9812, Global +1 312 212 8034
    Assistant - Mauricio Durán Cambronero (mauduran@ibm.com)
    See my calendar - https://ibm.biz/jkcalendar
    Co-Chair - Open Cybersecurity Alliance, Project Governing Board
    www.opencybersecurityalliance.org