(Apologies if you already saw this on the cti users list)
I'm attempting to derive real deterministic ids for the examples in the spec. Right now the SCOs are expressed as stand-ins that look like type--00000000-0000-0000-0000-000000000000.
I'm writing a script that will generate the ids, but I have encountered some text in the spec which seems ambiguous. It concerns SCOs where a hash is one of the id contributing properties:
Here are the three uses:
For Artifact:
hashes, payload_bin
Where
1. if hashes exists
   only include 1 hash from this common ordered list (based on the following order of preference) [ md5, sha1, sha256, sha512 ]
2. if no hashes are defined and payload_bin exists include only the payload_bin

For File:
hashes, name, extensions
Where
1. if hashes exists
   include 1 hash from this ordered list [ md5, sha1, sha256, sha512 ] only
2. If no hashes
   a. Include defined extensions
   b. Include defined name

For X509 Certificates:
hashes, serial_number
Where
1. if hashes exists
   include 1 hash from this ordered list [ md5, sha1, sha256, sha512 ] only
2. Include serial_number
The way I read this, Artifact and File only include other properties if there are no hashes available, but X509 Certificates always includes serial_number.
If that is the case, then I would probably want to clean up the text, but I'm not sure that this is what was intended.
Can someone more explicitly describe the use of the contributing properties for these three types?
Rich
--
Rich Piazza
The MITRE Corporation
781-271-3760
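
Added example, not part of the original message and not code from the spec or its authors: a sketch of the reading described above (Artifact and File fall back to other properties only when no hash is present, X509 Certificate always adds serial_number). Assumptions: the namespace UUID is the one STIX 2.1 defines for SCO ids, `json.dumps` with sorted keys stands in for the canonical JSON form, the single chosen hash is serialized under a `hashes` key, and a random UUIDv4 is used when nothing contributes.

```python
import json
import uuid

# Namespace UUID that STIX 2.1 defines for deterministic SCO ids (assumption: not in the message).
SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")
HASH_PREFERENCE = ["md5", "sha1", "sha256", "sha512"]  # order quoted in the message

# Per type: (properties used only when no hash is present, properties always used).
RULES = {
    "artifact": (["payload_bin"], []),
    "file": (["extensions", "name"], []),
    "x509-certificate": ([], ["serial_number"]),
}

def pick_hash(hashes):
    """Return {key: value} for the single most-preferred hash, or None."""
    normalized = {k.lower().replace("-", ""): k for k in hashes}
    for algo in HASH_PREFERENCE:
        if algo in normalized:
            key = normalized[algo]
            return {key: hashes[key]}
    return None

def contributing_properties(sco):
    """Select the id contributing properties under the reading in the message."""
    fallback, always = RULES[sco["type"]]
    chosen = {}
    one_hash = pick_hash(sco.get("hashes", {}))
    if one_hash:
        chosen["hashes"] = one_hash  # assumption: serialized under "hashes"
    names = always if one_hash else fallback + always
    for name in names:
        if name in sco:
            chosen[name] = sco[name]
    return chosen

def deterministic_id(sco):
    props = contributing_properties(sco)
    if not props:  # assumption: nothing contributes, so fall back to a random id
        return f"{sco['type']}--{uuid.uuid4()}"
    canonical = json.dumps(props, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return f"{sco['type']}--{uuid.uuid5(SCO_NAMESPACE, canonical)}"

if __name__ == "__main__":
    # Constructed sample object, not taken from the spec examples.
    sample = {"type": "file", "name": "a.txt", "hashes": {"SHA-256": "ab" * 32, "MD5": "cd" * 16}}
    print(contributing_properties(sample), deterministic_id(sample))
```

Under this reading two File objects with the same MD5 but different names get the same id, while two certificates with the same hash but different serial numbers do not.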