FWIW,
DHS AIS requires ISO Country Codes for AIS submission, and references Wikipedia [1]. Soltra implemented support for DHS AIS this without purchasing the ISO standard.
Based on that, it seems like we could use the country codes and reference Wikipedia.
Thank you.
-Mark
[1]
https://www.us-cert.gov/sites/default/files/ais_files/AIS_Submission_Guidance_Appendix_A.pdf (Page 28, 29, near “@xal:NameCode”)
[2]
https://en.wikipedia.org/wiki/ISO_3166-2 (Referenced by [1])
From:
<
cti-stix@lists.oasis-open.org>, Eric Burger <
ewb25@georgetown.edu> on behalf of Eric Burger <
Eric.Burger@georgetown.edu>
Date: Monday, August 7, 2017 at 7:07 AM
To: <
cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] ISO customer service statement w.r.t. the "Country Code Collection"
Do we really care? Given the contents of ISO 3166 are everywhere, including Wikipedia , it seems a safe reference. If we want to spite ISO, reference Wikipedia and not the ISO standard
;-)
On Aug 7, 2017, at 4:59 AM, Mr. Stefan Hagen <
stefan@hagen.link > wrote:
Dear members,
as of this morning, I received a statement from a ISO
customer service representative:
"The _Country Code Collection_ is not available for free and,
as far as I am aware, will never be.
The codes are the property of ISO and are copyright protected."
Above citation is in direct reply to my request (below).
Personally I do not think this is really answering my question,
but I wanted to be sure, everyone on the TC can enjoy the message,
kind of - so I share this:
As the three words "counter Code Collection" are linked to
https://www.iso.org/obp/ui/#iso:pub:PUB500001:en I **think** this
statement narrowly focuses on the "product" offering and for sure
not on say the numeric codes for countries, as I remember, you
cannot copyright numbers ... but I maybe care to less to fully grok
such non-issues (to me).
B.t.w. My request was as follows (cited in full):
"""
Dear ISO Customer Service Team Member,
in OASIS CTI STIX TC - of which I am an active member, some members are
reluctant to include ISO-3166 as a reference, as the standard is not
freely available and they are not even sure, the "Data" itself is (for
commercial use).
Question:
Given, that the ISO Online Browsing Platform (OBP) offers the main asset
(the 249 country codes and sub codes thereof) in a very convenient
manner, it would allow us to refer to ISO-3166 if and only if this data
is also commercially free available without resulting in additional fees.
I think it is clear, that the term "usage" may foster fantasies of law
experts on what one should not do with it, but we are interested in the
usage (no advertisement no claim, that a software is supported by ISO etc.)
So, as use case is it correct, that if a commercially available cyber
threat intelligence software creates or receives a document, and encodes
it's knowledge about some location as say "DE-BB" - this will be
compliant with any whatsoever license for the data (which I by the way
could not find) and does not incur any cost or risk of law.
I am sure, that esp. in the linked detail pages, many source lists
contains wikipedia CC-SA licensed data or from foreign governments, thus
I am sure, that this data is not proprietary to ISO) but I am not a
lawyer, and the uncertainty in the hearts and minds of our domain expert
members hinders us currently in progressing in the usual consensual way.
In ending, I would be very pleased, if you were so kind as to send me a
response to this in the near future and many thanks in advance,
Stefan Hagen
"""
PS: Over the weekend - me being nostalgic - I purchased the ISO-3166
prose (all parts) and my dear old friend ISO-8601 just as I owned the latter
only in an old paper revision, to be able to more profoundly cite from it in my
standards work for free ... personally, I really hoped this having to pay a
dollar per mostly ineligible or at least barely readable prose page would have
stopped long ago, but some things stay longer. Anyhow, good to contribute
here, at OASIS.
All the best,
Stefan.
Disclaimer: This message is intended only for the use of the individual or entity to which it is addressed and may contain information which is privileged, confidential, proprietary, or exempt from disclosure under applicable law. If you are not the intended
recipient or the person responsible for delivering the message to the intended recipient, you are strictly prohibited from disclosing, distributing, copying, or in any way using this message. If you have received this communication in error, please notify
the sender and destroy and delete any copies you may have received.