CTI STIX Subcommittee

 View Only
  • 1.  Re: [cti-stix] _ref field suffix

    Posted 05-10-2016 17:37





    (Renamed subject line to track this thread)


    I’m against dropping it. I have a practical reason and a philosophical reason:

    Practical reason: I’ve written STIX code for both STIX 1 and STIX 2 and, in both cases, it’s useful to be able to programmatically determine when a field contains a reference to another object. For example, in my STIX 2.0 visualizer I just look for fields
    ending in _ref and treat them as a reference in the visualization. In a STIX 1.x tool, I do the same thing but try to resolve the reference otherwise. If that naming convention goes away, you’d have to hardcode the name of every reference field in the language
    for these more generic STIX utilities (visualization tools, etc.) Philosophical reason: “reference” is not a field type. The field’s data type is “identifier”. What the “_ref” is indicating is a semantic of the field usage: that it’s a reference to another object.





    John




    From: "Jordan, Bret" < bret.jordan@bluecoat.com >
    Date: Tuesday, May 10, 2016 at 1:29 PM
    To: "Wunder, John A." < jwunder@mitre.org >
    Cc: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >
    Subject: Re: [cti-stix] STIX, Topics to Review, 10 May






    Based on the conversation today on the working call, I would be okay with dropping the "_ref" from the ID reference property names, since that is the only place where we add a field type to a property name.


    Where do people stand on this?










    Thanks,


    Bret











    Bret Jordan CISSP

    Director of Security Architecture and Standards Office of the CTO

    Blue Coat Systems

    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 











    On May 10, 2016, at 10:41, Wunder, John A. < jwunder@mitre.org > wrote:



    Hey all,


    Here are the topics we need some in-depth review on currently to make more progress. These are in rough order of priority. Also, there are other topics as well, this list is for people who want to review something that’s nearing finalization.
    If you’re interested in early development on campaign, TTP, i18n, or other topics see Slack and the mailing list.


    Also, as Bret said on the call…if anyone else has the time or bandwidth to “adopt” sections (perhaps Indicator or the Indicator Type vocab?) and move them forward let us know. I can walk you through the process we use and make sure you’re comfortable
    with it.


    Thanks everyone,
    John


    ---


    Timestamp/Timestamp Precision ( https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.de8ah59mobqf )
    Current Status: Awaiting Unanimous Consent
    Requested Action: Review the draft text for the timestamp and timestamp precision sections. If you have any objections, please make them by 12 May, 2016 end-of-day UTC (~7pm ET), otherwise we’ll move this text forward to draft.



    Identifier  ( https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.ko24ggw4eq0q )
    Current Status: Awaiting ballot
    Requested Action: Review the (unmodified) draft text. Pat made some suggestions, but the vote is for the text as-is that calls out UUIDv4 specifically. Vote on the ballot when it’s opened.



    Custom Properties ( https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.8072zpptza86 )
    Current Status: Objection to Unanimous Consent
    Requested Action: Review the draft text and Eric Burger’s response. We talked about this topic on the call, and general consensus was that we don’t really need a formal registry of extension fields at this time. We could have some kind of informal
    registry via e-mail to the cti-users list, if the community seems interested as we get to that point, but that we don’t need anything formal. As such, the language as-is seemed fine to most people. I would ask that you take the next 2 days to review this (through
    12 May, end of day UTC/COB ET) and, if we don’t hear any further objections, we’ll motion to hold a ballot (having failed unanimous consent) to move it to draft status.


    IDs & References  ( https://docs.google.com/document/d/1YcEtyUGdFkJIPdDZ7K-mHbvjFt-5pOL2EIw_ZJuqNpM/edit#heading=h.h02ac9vlmabi )
    Current Status: Review prior to motion to move to draft
    Requested Action: Review the draft text for the identifier field on STIX TLOs, and how it’s used for references. Provide suggested updates. Also, consider whether the
    _ref suffix is valuable for reference fields or if those fields would be better named without that suffix or with a different suffix (i.e. Do you prefer created_by_ref, created_by, created_by_id, or something else). We’ll work through this over
    the next few days until it settles down, then move to draft preferably late this week.


    Versioning  ( https://docs.google.com/document/d/1YcEtyUGdFkJIPdDZ7K-mHbvjFt-5pOL2EIw_ZJuqNpM/edit#heading=h.rye5q2hkacu )
    Current Status: Review/Normative Text
    Requested Action: Review the draft text and suggest updates, it still needs some work to become good normative text. Review the open questions at the top to ensure that we’ve addressed them. Comment on which examples might be moved to an appendix/separate
    document to save room in the main specification. We’ll try to push this text forward over the next few days so that we have finalized normative text to motion/vote on either late this week or early next week.


    Package/Bundle ( https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.6zghk3evovcs ,
    e-mail)
    Current Status: Development
    Requested Actions:
    1. Discuss having an ID field on bundle. General discussion on the call seemed to lean towards yes, but there was not a lot of consensus.
    2. Discuss approaches for data markings on bundle. General discussion on the call seemed to lean towards a consensus of not having default markings but having a most restrictive marking field, is that acceptable?


    See other e-mails for more info on package/bundle.

















  • 2.  Re: [cti-stix] _ref field suffix

    Posted 05-10-2016 17:42





    John – I agree that a _ref is a reference to another object but so is an Id field. That’s my point. Both fields are references to an object that is identified by an identifier.


    allan









    From: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org > on behalf of "Wunder, John" < jwunder@mitre.org >
    Date: Tuesday, May 10, 2016 at 10:37 AM
    To: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >
    Subject: Re: [cti-stix] _ref field suffix








    (Renamed subject line to track this thread)


    I’m against dropping it. I have a practical reason and a philosophical reason:

    Practical reason: I’ve written STIX code for both STIX 1 and STIX 2 and, in both cases, it’s useful to be able to programmatically determine when a field contains a reference to another object. For example, in my STIX 2.0 visualizer I just look for fields
    ending in _ref and treat them as a reference in the visualization. In a STIX 1.x tool, I do the same thing but try to resolve the reference otherwise. If that naming convention goes away, you’d have to hardcode the name of every reference field in the language
    for these more generic STIX utilities (visualization tools, etc.) Philosophical reason: “reference” is not a field type. The field’s data type is “identifier”. What the “_ref” is indicating is a semantic of the field usage: that it’s a reference to another object.





    John




    From: "Jordan, Bret" < bret.jordan@bluecoat.com >
    Date: Tuesday, May 10, 2016 at 1:29 PM
    To: "Wunder, John A." < jwunder@mitre.org >
    Cc: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >
    Subject: Re: [cti-stix] STIX, Topics to Review, 10 May






    Based on the conversation today on the working call, I would be okay with dropping the "_ref" from the ID reference property names, since that is the only place where we add a field type to a property name.


    Where do people stand on this?










    Thanks,


    Bret











    Bret Jordan CISSP

    Director of Security Architecture and Standards Office of the CTO

    Blue Coat Systems

    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 











    On May 10, 2016, at 10:41, Wunder, John A. < jwunder@mitre.org > wrote:



    Hey all,


    Here are the topics we need some in-depth review on currently to make more progress. These are in rough order of priority. Also, there are other topics as well, this list is for people who want to review something that’s nearing finalization.
    If you’re interested in early development on campaign, TTP, i18n, or other topics see Slack and the mailing list.


    Also, as Bret said on the call…if anyone else has the time or bandwidth to “adopt” sections (perhaps Indicator or the Indicator Type vocab?) and move them forward let us know. I can walk you through the process we use and make sure you’re comfortable
    with it.


    Thanks everyone,
    John


    ---


    Timestamp/Timestamp Precision ( https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.de8ah59mobqf )
    Current Status: Awaiting Unanimous Consent
    Requested Action: Review the draft text for the timestamp and timestamp precision sections. If you have any objections, please make them by 12 May, 2016 end-of-day UTC (~7pm ET), otherwise we’ll move this text forward to draft.



    Identifier  ( https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.ko24ggw4eq0q )
    Current Status: Awaiting ballot
    Requested Action: Review the (unmodified) draft text. Pat made some suggestions, but the vote is for the text as-is that calls out UUIDv4 specifically. Vote on the ballot when it’s opened.



    Custom Properties ( https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.8072zpptza86 )
    Current Status: Objection to Unanimous Consent
    Requested Action: Review the draft text and Eric Burger’s response. We talked about this topic on the call, and general consensus was that we don’t really need a formal registry of extension fields at this time. We could have some kind of informal
    registry via e-mail to the cti-users list, if the community seems interested as we get to that point, but that we don’t need anything formal. As such, the language as-is seemed fine to most people. I would ask that you take the next 2 days to review this (through
    12 May, end of day UTC/COB ET) and, if we don’t hear any further objections, we’ll motion to hold a ballot (having failed unanimous consent) to move it to draft status.


    IDs & References  ( https://docs.google.com/document/d/1YcEtyUGdFkJIPdDZ7K-mHbvjFt-5pOL2EIw_ZJuqNpM/edit#heading=h.h02ac9vlmabi )
    Current Status: Review prior to motion to move to draft
    Requested Action: Review the draft text for the identifier field on STIX TLOs, and how it’s used for references. Provide suggested updates. Also, consider whether the
    _ref suffix is valuable for reference fields or if those fields would be better named without that suffix or with a different suffix (i.e. Do you prefer created_by_ref, created_by, created_by_id, or something else). We’ll work through this over
    the next few days until it settles down, then move to draft preferably late this week.


    Versioning  ( https://docs.google.com/document/d/1YcEtyUGdFkJIPdDZ7K-mHbvjFt-5pOL2EIw_ZJuqNpM/edit#heading=h.rye5q2hkacu )
    Current Status: Review/Normative Text
    Requested Action: Review the draft text and suggest updates, it still needs some work to become good normative text. Review the open questions at the top to ensure that we’ve addressed them. Comment on which examples might be moved to an appendix/separate
    document to save room in the main specification. We’ll try to push this text forward over the next few days so that we have finalized normative text to motion/vote on either late this week or early next week.


    Package/Bundle ( https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.6zghk3evovcs ,
    e-mail)
    Current Status: Development
    Requested Actions:
    1. Discuss having an ID field on bundle. General discussion on the call seemed to lean towards yes, but there was not a lot of consensus.
    2. Discuss approaches for data markings on bundle. General discussion on the call seemed to lean towards a consensus of not having default markings but having a most restrictive marking field, is that acceptable?


    See other e-mails for more info on package/bundle.



















  • 3.  Re: [cti-stix] _ref field suffix

    Posted 05-10-2016 17:45





    I’m not sure I follow…an ID field identifies the object it’s placed on, not another object.


    {
      “id”: “this-objects-id”,
      “created_by”: “a-different-objects-id”
    }


    I’m saying that having all of those things that point to a different object have a consistent naming pattern tooling can leverage that and take some actions automatically (I.e., try to resolve it). Semantically, those are different things.


    Yes, they both use the identifier data type. But one is identifying something, one is pointing to something else. They do different things.


    John









    From: Allan Thomson < athomson@lookingglasscyber.com >
    Date: Tuesday, May 10, 2016 at 1:41 PM
    To: "Wunder, John A." < jwunder@mitre.org >, " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >
    Subject: Re: [cti-stix] _ref field suffix








    John – I agree that a _ref is a reference to another object but so is an Id field. That’s my point. Both fields are references to an object that is identified by an identifier.


    allan









    From: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org > on behalf of "Wunder, John" < jwunder@mitre.org >
    Date: Tuesday, May 10, 2016 at 10:37 AM
    To: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >
    Subject: Re: [cti-stix] _ref field suffix








    (Renamed subject line to track this thread)


    I’m against dropping it. I have a practical reason and a philosophical reason:

    Practical reason: I’ve written STIX code for both STIX 1 and STIX 2 and, in both cases, it’s useful to be able to programmatically determine when a field contains a reference to another object. For example, in my STIX 2.0 visualizer I just look for fields
    ending in _ref and treat them as a reference in the visualization. In a STIX 1.x tool, I do the same thing but try to resolve the reference otherwise. If that naming convention goes away, you’d have to hardcode the name of every reference field in the language
    for these more generic STIX utilities (visualization tools, etc.) Philosophical reason: “reference” is not a field type. The field’s data type is “identifier”. What the “_ref” is indicating is a semantic of the field usage: that it’s a reference to another object.





    John




    From: "Jordan, Bret" < bret.jordan@bluecoat.com >
    Date: Tuesday, May 10, 2016 at 1:29 PM
    To: "Wunder, John A." < jwunder@mitre.org >
    Cc: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >
    Subject: Re: [cti-stix] STIX, Topics to Review, 10 May






    Based on the conversation today on the working call, I would be okay with dropping the "_ref" from the ID reference property names, since that is the only place where we add a field type to a property name.


    Where do people stand on this?










    Thanks,


    Bret











    Bret Jordan CISSP

    Director of Security Architecture and Standards Office of the CTO

    Blue Coat Systems

    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 











    On May 10, 2016, at 10:41, Wunder, John A. < jwunder@mitre.org > wrote:



    Hey all,


    Here are the topics we need some in-depth review on currently to make more progress. These are in rough order of priority. Also, there are other topics as well, this list is for people who want to review something that’s nearing finalization.
    If you’re interested in early development on campaign, TTP, i18n, or other topics see Slack and the mailing list.


    Also, as Bret said on the call…if anyone else has the time or bandwidth to “adopt” sections (perhaps Indicator or the Indicator Type vocab?) and move them forward let us know. I can walk you through the process we use and make sure you’re comfortable
    with it.


    Thanks everyone,
    John


    ---


    Timestamp/Timestamp Precision ( https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.de8ah59mobqf )
    Current Status: Awaiting Unanimous Consent
    Requested Action: Review the draft text for the timestamp and timestamp precision sections. If you have any objections, please make them by 12 May, 2016 end-of-day UTC (~7pm ET), otherwise we’ll move this text forward to draft.



    Identifier  ( https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.ko24ggw4eq0q )
    Current Status: Awaiting ballot
    Requested Action: Review the (unmodified) draft text. Pat made some suggestions, but the vote is for the text as-is that calls out UUIDv4 specifically. Vote on the ballot when it’s opened.



    Custom Properties ( https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.8072zpptza86 )
    Current Status: Objection to Unanimous Consent
    Requested Action: Review the draft text and Eric Burger’s response. We talked about this topic on the call, and general consensus was that we don’t really need a formal registry of extension fields at this time. We could have some kind of informal
    registry via e-mail to the cti-users list, if the community seems interested as we get to that point, but that we don’t need anything formal. As such, the language as-is seemed fine to most people. I would ask that you take the next 2 days to review this (through
    12 May, end of day UTC/COB ET) and, if we don’t hear any further objections, we’ll motion to hold a ballot (having failed unanimous consent) to move it to draft status.


    IDs & References  ( https://docs.google.com/document/d/1YcEtyUGdFkJIPdDZ7K-mHbvjFt-5pOL2EIw_ZJuqNpM/edit#heading=h.h02ac9vlmabi )
    Current Status: Review prior to motion to move to draft
    Requested Action: Review the draft text for the identifier field on STIX TLOs, and how it’s used for references. Provide suggested updates. Also, consider whether the
    _ref suffix is valuable for reference fields or if those fields would be better named without that suffix or with a different suffix (i.e. Do you prefer created_by_ref, created_by, created_by_id, or something else). We’ll work through this over
    the next few days until it settles down, then move to draft preferably late this week.


    Versioning  ( https://docs.google.com/document/d/1YcEtyUGdFkJIPdDZ7K-mHbvjFt-5pOL2EIw_ZJuqNpM/edit#heading=h.rye5q2hkacu )
    Current Status: Review/Normative Text
    Requested Action: Review the draft text and suggest updates, it still needs some work to become good normative text. Review the open questions at the top to ensure that we’ve addressed them. Comment on which examples might be moved to an appendix/separate
    document to save room in the main specification. We’ll try to push this text forward over the next few days so that we have finalized normative text to motion/vote on either late this week or early next week.


    Package/Bundle ( https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.6zghk3evovcs ,
    e-mail)
    Current Status: Development
    Requested Actions:
    1. Discuss having an ID field on bundle. General discussion on the call seemed to lean towards yes, but there was not a lot of consensus.
    2. Discuss approaches for data markings on bundle. General discussion on the call seemed to lean towards a consensus of not having default markings but having a most restrictive marking field, is that acceptable?


    See other e-mails for more info on package/bundle.





















  • 4.  Re: [cti-stix] _ref field suffix

    Posted 05-10-2016 17:46
    The id field is the unique string for that object..  It does not relate to anything else.   Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.   On May 10, 2016, at 11:41, Allan Thomson < athomson@lookingglasscyber.com > wrote: John – I agree that a _ref is a reference to another object but so is an Id field. That’s my point. Both fields are references to an object that is identified by an identifier. allan From: cti-stix@lists.oasis-open.org < cti-stix@lists.oasis-open.org > on behalf of Wunder, John < jwunder@mitre.org > Date: Tuesday, May 10, 2016 at 10:37 AM To: cti-stix@lists.oasis-open.org < cti-stix@lists.oasis-open.org > Subject: Re: [cti-stix] _ref field suffix (Renamed subject line to track this thread) I’m against dropping it. I have a practical reason and a philosophical reason: Practical reason: I’ve written STIX code for both STIX 1 and STIX 2 and, in both cases, it’s useful to be able to programmatically determine when a field contains a reference to another object. For example, in my STIX 2.0 visualizer I just look for fields ending in _ref and treat them as a reference in the visualization. In a STIX 1.x tool, I do the same thing but try to resolve the reference otherwise. If that naming convention goes away, you’d have to hardcode the name of every reference field in the language for these more generic STIX utilities (visualization tools, etc.) Philosophical reason: “reference” is not a field type. The field’s data type is “identifier”. What the “_ref” is indicating is a semantic of the field usage: that it’s a reference to another object. John From: Jordan, Bret < bret.jordan@bluecoat.com > Date: Tuesday, May 10, 2016 at 1:29 PM To: Wunder, John A. < jwunder@mitre.org > Cc: cti-stix@lists.oasis-open.org < cti-stix@lists.oasis-open.org > Subject: Re: [cti-stix] STIX, Topics to Review, 10 May Based on the conversation today on the working call, I would be okay with dropping the _ref from the ID reference property names, since that is the only place where we add a field type to a property name. Where do people stand on this? Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.   On May 10, 2016, at 10:41, Wunder, John A. < jwunder@mitre.org > wrote: Hey all, Here are the topics we need some in-depth review on currently to make more progress. These are in rough order of priority. Also, there are other topics as well, this list is for people who want to review something that’s nearing finalization. If you’re interested in early development on campaign, TTP, i18n, or other topics see Slack and the mailing list. Also, as Bret said on the call…if anyone else has the time or bandwidth to “adopt” sections (perhaps Indicator or the Indicator Type vocab?) and move them forward let us know. I can walk you through the process we use and make sure you’re comfortable with it. Thanks everyone, John --- Timestamp/Timestamp Precision ( https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.de8ah59mobqf ) Current Status: Awaiting Unanimous Consent Requested Action: Review the draft text for the timestamp and timestamp precision sections. If you have any objections, please make them by 12 May, 2016 end-of-day UTC (~7pm ET), otherwise we’ll move this text forward to draft. Identifier  ( https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.ko24ggw4eq0q ) Current Status: Awaiting ballot Requested Action: Review the (unmodified) draft text. Pat made some suggestions, but the vote is for the text as-is that calls out UUIDv4 specifically. Vote on the ballot when it’s opened. Custom Properties ( https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.8072zpptza86 ) Current Status: Objection to Unanimous Consent Requested Action: Review the draft text and Eric Burger’s response. We talked about this topic on the call, and general consensus was that we don’t really need a formal registry of extension fields at this time. We could have some kind of informal registry via e-mail to the cti-users list, if the community seems interested as we get to that point, but that we don’t need anything formal. As such, the language as-is seemed fine to most people. I would ask that you take the next 2 days to review this (through 12 May, end of day UTC/COB ET) and, if we don’t hear any further objections, we’ll motion to hold a ballot (having failed unanimous consent) to move it to draft status. IDs & References  ( https://docs.google.com/document/d/1YcEtyUGdFkJIPdDZ7K-mHbvjFt-5pOL2EIw_ZJuqNpM/edit#heading=h.h02ac9vlmabi ) Current Status: Review prior to motion to move to draft Requested Action: Review the draft text for the identifier field on STIX TLOs, and how it’s used for references. Provide suggested updates. Also, consider whether the _ref suffix is valuable for reference fields or if those fields would be better named without that suffix or with a different suffix (i.e. Do you prefer created_by_ref, created_by, created_by_id, or something else). We’ll work through this over the next few days until it settles down, then move to draft preferably late this week. Versioning  ( https://docs.google.com/document/d/1YcEtyUGdFkJIPdDZ7K-mHbvjFt-5pOL2EIw_ZJuqNpM/edit#heading=h.rye5q2hkacu ) Current Status: Review/Normative Text Requested Action: Review the draft text and suggest updates, it still needs some work to become good normative text. Review the open questions at the top to ensure that we’ve addressed them. Comment on which examples might be moved to an appendix/separate document to save room in the main specification. We’ll try to push this text forward over the next few days so that we have finalized normative text to motion/vote on either late this week or early next week. Package/Bundle ( https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.6zghk3evovcs , e-mail) Current Status: Development Requested Actions: 1. Discuss having an ID field on bundle. General discussion on the call seemed to lean towards yes, but there was not a lot of consensus. 2. Discuss approaches for data markings on bundle. General discussion on the call seemed to lean towards a consensus of not having default markings but having a most restrictive marking field, is that acceptable? See other e-mails for more info on package/bundle. Attachment: signature.asc Description: Message signed with OpenPGP using GPGMail


  • 5.  Re: [cti-stix] _ref field suffix

    Posted 05-10-2016 17:47




    After consideration I think I understand your point better.


    If an attribute is the object’s identifier then the field will be call <X>_id, correct? In that case its the identifier of the specific object.


    Whereas <X>_ref is a reference to a different object. In which case the identifier is a different object. 


    I see the distinction you are making. 


    My main concern was around the term ‘reference’ being called out when its really just an identifier. 


    There is no “type” in STIX for reference, correct? Its just an identifier. So why explicitly callout Reference?


    allan








    From: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org > on behalf of Allan Thomson < athomson@lookingglasscyber.com >
    Date: Tuesday, May 10, 2016 at 10:41 AM
    To: "Wunder, John" < jwunder@mitre.org >, " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >
    Subject: Re: [cti-stix] _ref field suffix








    John – I agree that a _ref is a reference to another object but so is an Id field. That’s my point. Both fields are references to an object that is identified by an identifier.


    allan









    From: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org > on behalf of "Wunder, John" < jwunder@mitre.org >
    Date: Tuesday, May 10, 2016 at 10:37 AM
    To: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >
    Subject: Re: [cti-stix] _ref field suffix








    (Renamed subject line to track this thread)


    I’m against dropping it. I have a practical reason and a philosophical reason:

    Practical reason: I’ve written STIX code for both STIX 1 and STIX 2 and, in both cases, it’s useful to be able to programmatically determine when a field contains a reference to another object. For example, in my STIX 2.0 visualizer I just look for fields
    ending in _ref and treat them as a reference in the visualization. In a STIX 1.x tool, I do the same thing but try to resolve the reference otherwise. If that naming convention goes away, you’d have to hardcode the name of every reference field in the language
    for these more generic STIX utilities (visualization tools, etc.) Philosophical reason: “reference” is not a field type. The field’s data type is “identifier”. What the “_ref” is indicating is a semantic of the field usage: that it’s a reference to another object.





    John




    From: "Jordan, Bret" < bret.jordan@bluecoat.com >
    Date: Tuesday, May 10, 2016 at 1:29 PM
    To: "Wunder, John A." < jwunder@mitre.org >
    Cc: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >
    Subject: Re: [cti-stix] STIX, Topics to Review, 10 May






    Based on the conversation today on the working call, I would be okay with dropping the "_ref" from the ID reference property names, since that is the only place where we add a field type to a property name.


    Where do people stand on this?










    Thanks,


    Bret











    Bret Jordan CISSP

    Director of Security Architecture and Standards Office of the CTO

    Blue Coat Systems

    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 











    On May 10, 2016, at 10:41, Wunder, John A. < jwunder@mitre.org > wrote:



    Hey all,


    Here are the topics we need some in-depth review on currently to make more progress. These are in rough order of priority. Also, there are other topics as well, this list is for people who want to review something that’s nearing finalization.
    If you’re interested in early development on campaign, TTP, i18n, or other topics see Slack and the mailing list.


    Also, as Bret said on the call…if anyone else has the time or bandwidth to “adopt” sections (perhaps Indicator or the Indicator Type vocab?) and move them forward let us know. I can walk you through the process we use and make sure you’re comfortable
    with it.


    Thanks everyone,
    John


    ---


    Timestamp/Timestamp Precision ( https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.de8ah59mobqf )
    Current Status: Awaiting Unanimous Consent
    Requested Action: Review the draft text for the timestamp and timestamp precision sections. If you have any objections, please make them by 12 May, 2016 end-of-day UTC (~7pm ET), otherwise we’ll move this text forward to draft.



    Identifier  ( https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.ko24ggw4eq0q )
    Current Status: Awaiting ballot
    Requested Action: Review the (unmodified) draft text. Pat made some suggestions, but the vote is for the text as-is that calls out UUIDv4 specifically. Vote on the ballot when it’s opened.



    Custom Properties ( https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.8072zpptza86 )
    Current Status: Objection to Unanimous Consent
    Requested Action: Review the draft text and Eric Burger’s response. We talked about this topic on the call, and general consensus was that we don’t really need a formal registry of extension fields at this time. We could have some kind of informal
    registry via e-mail to the cti-users list, if the community seems interested as we get to that point, but that we don’t need anything formal. As such, the language as-is seemed fine to most people. I would ask that you take the next 2 days to review this (through
    12 May, end of day UTC/COB ET) and, if we don’t hear any further objections, we’ll motion to hold a ballot (having failed unanimous consent) to move it to draft status.


    IDs & References  ( https://docs.google.com/document/d/1YcEtyUGdFkJIPdDZ7K-mHbvjFt-5pOL2EIw_ZJuqNpM/edit#heading=h.h02ac9vlmabi )
    Current Status: Review prior to motion to move to draft
    Requested Action: Review the draft text for the identifier field on STIX TLOs, and how it’s used for references. Provide suggested updates. Also, consider whether the
    _ref suffix is valuable for reference fields or if those fields would be better named without that suffix or with a different suffix (i.e. Do you prefer created_by_ref, created_by, created_by_id, or something else). We’ll work through this over
    the next few days until it settles down, then move to draft preferably late this week.


    Versioning  ( https://docs.google.com/document/d/1YcEtyUGdFkJIPdDZ7K-mHbvjFt-5pOL2EIw_ZJuqNpM/edit#heading=h.rye5q2hkacu )
    Current Status: Review/Normative Text
    Requested Action: Review the draft text and suggest updates, it still needs some work to become good normative text. Review the open questions at the top to ensure that we’ve addressed them. Comment on which examples might be moved to an appendix/separate
    document to save room in the main specification. We’ll try to push this text forward over the next few days so that we have finalized normative text to motion/vote on either late this week or early next week.


    Package/Bundle ( https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.6zghk3evovcs ,
    e-mail)
    Current Status: Development
    Requested Actions:
    1. Discuss having an ID field on bundle. General discussion on the call seemed to lean towards yes, but there was not a lot of consensus.
    2. Discuss approaches for data markings on bundle. General discussion on the call seemed to lean towards a consensus of not having default markings but having a most restrictive marking field, is that acceptable?


    See other e-mails for more info on package/bundle.





















  • 6.  Re: [cti-stix] _ref field suffix

    Posted 05-10-2016 18:06




    Yep, though to clarify, we’ve just been using the exact field name “id” for the TLOs unique ID. So an indicator’s ID field is called “id” and an observations ID field is called “id”.


    I’m comfortable with the term reference just because I think it’s a fairly common term for the use of an identifier that points to something else. If we want to call both usages “identifier” that’s fine, as long as we’re clear when we’re using it to identify
    something vs. when we’re using it to point to an identifier for something else.








    From: Allan Thomson < athomson@lookingglasscyber.com >
    Date: Tuesday, May 10, 2016 at 1:46 PM
    To: "Wunder, John A." < jwunder@mitre.org >, " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >
    Subject: Re: [cti-stix] _ref field suffix







    After consideration I think I understand your point better.


    If an attribute is the object’s identifier then the field will be call <X>_id, correct? In that case its the identifier of the specific object.


    Whereas <X>_ref is a reference to a different object. In which case the identifier is a different object. 


    I see the distinction you are making. 


    My main concern was around the term ‘reference’ being called out when its really just an identifier. 


    There is no “type” in STIX for reference, correct? Its just an identifier. So why explicitly callout Reference?


    allan








    From: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org > on behalf of Allan Thomson < athomson@lookingglasscyber.com >
    Date: Tuesday, May 10, 2016 at 10:41 AM
    To: "Wunder, John" < jwunder@mitre.org >, " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >
    Subject: Re: [cti-stix] _ref field suffix








    John – I agree that a _ref is a reference to another object but so is an Id field. That’s my point. Both fields are references to an object that is identified by an identifier.


    allan









    From: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org > on behalf of "Wunder, John" < jwunder@mitre.org >
    Date: Tuesday, May 10, 2016 at 10:37 AM
    To: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >
    Subject: Re: [cti-stix] _ref field suffix








    (Renamed subject line to track this thread)


    I’m against dropping it. I have a practical reason and a philosophical reason:

    Practical reason: I’ve written STIX code for both STIX 1 and STIX 2 and, in both cases, it’s useful to be able to programmatically determine when a field contains a reference to another object. For example, in my STIX 2.0 visualizer I just look for fields
    ending in _ref and treat them as a reference in the visualization. In a STIX 1.x tool, I do the same thing but try to resolve the reference otherwise. If that naming convention goes away, you’d have to hardcode the name of every reference field in the language
    for these more generic STIX utilities (visualization tools, etc.) Philosophical reason: “reference” is not a field type. The field’s data type is “identifier”. What the “_ref” is indicating is a semantic of the field usage: that it’s a reference to another object.





    John




    From: "Jordan, Bret" < bret.jordan@bluecoat.com >
    Date: Tuesday, May 10, 2016 at 1:29 PM
    To: "Wunder, John A." < jwunder@mitre.org >
    Cc: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >
    Subject: Re: [cti-stix] STIX, Topics to Review, 10 May






    Based on the conversation today on the working call, I would be okay with dropping the "_ref" from the ID reference property names, since that is the only place where we add a field type to a property name.


    Where do people stand on this?










    Thanks,


    Bret











    Bret Jordan CISSP

    Director of Security Architecture and Standards Office of the CTO

    Blue Coat Systems

    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 











    On May 10, 2016, at 10:41, Wunder, John A. < jwunder@mitre.org > wrote:



    Hey all,


    Here are the topics we need some in-depth review on currently to make more progress. These are in rough order of priority. Also, there are other topics as well, this list is for people who want to review something that’s nearing finalization.
    If you’re interested in early development on campaign, TTP, i18n, or other topics see Slack and the mailing list.


    Also, as Bret said on the call…if anyone else has the time or bandwidth to “adopt” sections (perhaps Indicator or the Indicator Type vocab?) and move them forward let us know. I can walk you through the process we use and make sure you’re comfortable
    with it.


    Thanks everyone,
    John


    ---


    Timestamp/Timestamp Precision ( https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.de8ah59mobqf )
    Current Status: Awaiting Unanimous Consent
    Requested Action: Review the draft text for the timestamp and timestamp precision sections. If you have any objections, please make them by 12 May, 2016 end-of-day UTC (~7pm ET), otherwise we’ll move this text forward to draft.



    Identifier  ( https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.ko24ggw4eq0q )
    Current Status: Awaiting ballot
    Requested Action: Review the (unmodified) draft text. Pat made some suggestions, but the vote is for the text as-is that calls out UUIDv4 specifically. Vote on the ballot when it’s opened.



    Custom Properties ( https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.8072zpptza86 )
    Current Status: Objection to Unanimous Consent
    Requested Action: Review the draft text and Eric Burger’s response. We talked about this topic on the call, and general consensus was that we don’t really need a formal registry of extension fields at this time. We could have some kind of informal
    registry via e-mail to the cti-users list, if the community seems interested as we get to that point, but that we don’t need anything formal. As such, the language as-is seemed fine to most people. I would ask that you take the next 2 days to review this (through
    12 May, end of day UTC/COB ET) and, if we don’t hear any further objections, we’ll motion to hold a ballot (having failed unanimous consent) to move it to draft status.


    IDs & References  ( https://docs.google.com/document/d/1YcEtyUGdFkJIPdDZ7K-mHbvjFt-5pOL2EIw_ZJuqNpM/edit#heading=h.h02ac9vlmabi )
    Current Status: Review prior to motion to move to draft
    Requested Action: Review the draft text for the identifier field on STIX TLOs, and how it’s used for references. Provide suggested updates. Also, consider whether the
    _ref suffix is valuable for reference fields or if those fields would be better named without that suffix or with a different suffix (i.e. Do you prefer created_by_ref, created_by, created_by_id, or something else). We’ll work through this over
    the next few days until it settles down, then move to draft preferably late this week.


    Versioning  ( https://docs.google.com/document/d/1YcEtyUGdFkJIPdDZ7K-mHbvjFt-5pOL2EIw_ZJuqNpM/edit#heading=h.rye5q2hkacu )
    Current Status: Review/Normative Text
    Requested Action: Review the draft text and suggest updates, it still needs some work to become good normative text. Review the open questions at the top to ensure that we’ve addressed them. Comment on which examples might be moved to an appendix/separate
    document to save room in the main specification. We’ll try to push this text forward over the next few days so that we have finalized normative text to motion/vote on either late this week or early next week.


    Package/Bundle ( https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.6zghk3evovcs ,
    e-mail)
    Current Status: Development
    Requested Actions:
    1. Discuss having an ID field on bundle. General discussion on the call seemed to lean towards yes, but there was not a lot of consensus.
    2. Discuss approaches for data markings on bundle. General discussion on the call seemed to lean towards a consensus of not having default markings but having a most restrictive marking field, is that acceptable?


    See other e-mails for more info on package/bundle.