CTI STIX Subcommittee

  • 1.  STIX 2.1 Proposal: IEP v2.0

    Posted 05-15-2017 20:23
    Hi All,

    I'd like to propose that we add an IEP Data Marking object to STIX 2.1 to allow object creators the option of marking their data using IEP v2.0. More information about the proposal is in the STIX2.1Proposal-InformationExchangePolicyMarkingType.pdf. I've also included background information about the IEP Framework, and the IEP JSON Specification if you're interested. These two documents have been updated based on feedback from CTI members to better align IEP with STIX.

    The FIRST Information Exchange Policy (IEP) Framework enables threat intelligence providers to inform recipients of how they may use the threat intelligence they receive. IEP ensures that both parties are aware of any restrictions on the use of the shared threat intelligence, and reduces the likelihood of misunderstandings. Think of it as TLP that also describes Handling, Action, Sharing and Licensing restrictions. In other words, it answers "What am I allowed to do with this intel?"

    The real power of IEP is in the ability for content producers to reference the same IEP policy. IEP allows communities to create and reference one or more shared IEP policies that members can choose from and reference. The FIRST IEP-SIG will be creating and hosting some common IEP policies that anyone will be free to use, in the interest of making threat intelligence sharing easier.

    Cheers
    Terry MacDonald
    Chief Product Officer
    M: +64 211 918 814
    E: terry.macdonald@cosive.com
    W: www.cosive.com

    Attachment: STIX2.1Proposal-InformationExchangePolicyMarkingObjectType.pdf
    Description: Adobe PDF document
    Attachment: FIRST_IEP_2_JSON_20170511b.docx
    Description: application/vnd.openxmlformats-officedocument.wordprocessingml.document
    Attachment: FIRST_IEP_Framework_2_20170511.docx
    Description: application/vnd.openxmlformats-officedocument.wordprocessingml.document


  • 2.  Re: [EXT] [cti] STIX 2.1 Proposal: IEP v2.0

    Posted 05-15-2017 21:00
    Terry,

    In the IEP Reference container, I think you need to use the STIX Hashes type, like what we did with External References. This way you know that the thing you are linking to has not changed. Please see the External References description in STIX 2.0 WD02 - Part 1

    Bret

    From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@cosive.com>
    Sent: Monday, May 15, 2017 2:22:54 PM
    To: cti-stix@lists.oasis-open.org; CTI TC Discussion List
    Subject: [EXT] [cti] STIX 2.1 Proposal: IEP v2.0

    Hi All,

    I'd like to propose that we add an IEP Data Marking object to STIX 2.1 to allow object creators the option of marking their data using IEP v2.0. More information about the proposal is in the STIX2.1Proposal-InformationExchangePolicyMarkingType.pdf. I've also included background information about the IEP Framework, and the IEP JSON Specification if you're interested. These two documents have been updated based on feedback from CTI members to better align IEP with STIX.

    The FIRST Information Exchange Policy (IEP) Framework enables threat intelligence providers to inform recipients of how they may use the threat intelligence they receive. IEP ensures that both parties are aware of any restrictions on the use of the shared threat intelligence, and reduces the likelihood of misunderstandings. Think of it as TLP that also describes Handling, Action, Sharing and Licensing restrictions. In other words, it answers "What am I allowed to do with this intel?"

    The real power of IEP is in the ability for content producers to reference the same IEP policy. IEP allows communities to create and reference one or more shared IEP policies that members can choose from and reference. The FIRST IEP-SIG will be creating and hosting some common IEP policies that anyone will be free to use, in the interest of making threat intelligence sharing easier.

    Cheers
    Terry MacDonald
    Chief Product Officer
    M: +64 211 918 814
    E: terry.macdonald@cosive.com
    W: www.cosive.com
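
Added example (not part of the original thread, and not code from the STIX or IEP specifications): the consumer-side check that pinning hashes in a policy reference makes possible, so a shared policy that is edited after it was referenced gets rejected. The reference is modelled on the `url` and `hashes` properties of a STIX 2.0 External Reference; the IEP reference layout, the function name, the URL and the policy text are assumptions constructed for illustration.

```python
import hashlib
import hmac

# STIX hash-algorithm names mapped to hashlib constructors (subset).
STIX_TO_HASHLIB = {
    "MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256",
    "SHA-512": "sha512", "SHA3-256": "sha3_256", "SHA3-512": "sha3_512",
}
WEAK = {"MD5", "SHA-1"}  # collision-prone: not sufficient on their own


def verify_policy_reference(ref, policy_bytes):
    """Hypothetical helper: return (ok, reason) for fetched policy bytes
    checked against every usable entry in ref['hashes']."""
    hashes = ref.get("hashes") or {}
    if not hashes:
        return False, "no hashes: policy content cannot be pinned"
    strong_checked = False
    for alg, expected in hashes.items():
        name = STIX_TO_HASHLIB.get(alg)
        if name is None:
            continue  # algorithm this verifier cannot compute; skip it
        actual = hashlib.new(name, policy_bytes).hexdigest()
        # Any single mismatch means the referenced document is not the
        # one the producer pinned, so fail closed.
        if not hmac.compare_digest(actual, expected.strip().lower()):
            return False, f"{alg} mismatch: referenced policy has changed"
        if alg not in WEAK:
            strong_checked = True
    if not strong_checked:
        return False, "no strong hash verified"
    return True, "policy matches pinned hashes"


# Constructed sample data: two revisions of a made-up policy document and
# a reference that pins the first revision. The URL is a placeholder.
POLICY_V1 = b"Constructed IEP policy text, revision 1"
POLICY_V2 = b"Constructed IEP policy text, revision 2"
IEP_REF = {
    "url": "https://iep.example/policies/community.json",
    "hashes": {"SHA-256": hashlib.sha256(POLICY_V1).hexdigest()},
}

if __name__ == "__main__":
    print(verify_policy_reference(IEP_REF, POLICY_V1))  # pinned revision
    print(verify_policy_reference(IEP_REF, POLICY_V2))  # edited afterwards
```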

