CTI TAXII Subcommittee

  • 1.  Re: [cti-taxii] Open question: Server and User-Agent headers

    Posted 02-07-2017 22:34




    Mark – when we say ‘specify TAXII implementation’ within the server or user-agent, can we be more prescriptive and define the exact value that should be included?
     
    Given that both server and user-agents will likely have multiple values in them (for shared services on the same server) then we will want to avoid ambiguity and conflicts as much as possible.
     

    1. [TAXII Servers] MUST include ‘taxii /2.0’ within the Server: header
    2. [TAXII Clients] MUST include ‘taxii /2.0’ within the User-Agent: header
     
     
    or similar.
     
     
    allan
     
     

    From: <cti-taxii@lists.oasis-open.org> on behalf of Mark Davidson <Mark.Davidson@nc4.com>
    Date: Tuesday, February 7, 2017 at 1:05 PM
    To: "cti-taxii@lists.oasis-open.org" <cti-taxii@lists.oasis-open.org>
    Subject: [cti-taxii] Open question: Server and User-Agent headers


     

    All,
     
    In reviewing the TAXII specification, the editors came across a document suggestion that was discussed on the call, and no clear resolution was arrived at.
     
    The suggestion is that the following sentences be added to the conformance requirements for TAXII Server and TAXII Client, respectively:
     
    1. [TAXII Servers] MUST specify TAXII implementation within the Server: header
    2. [TAXII Clients] MUST specify TAXII implementation within the User-Agent: header
     
    I’d like to resolve this proposal with one of the following outcomes:
     
    1. Accept proposal as-is
    2. Accept a modification of the proposal
    3. Reject the proposal
     
    Please let me know what you think.
     
    Thank you.
    -Mark
    Disclaimer: This message is intended only for the use of the individual or entity to which it is addressed and may contain information which is privileged, confidential, proprietary, or exempt from disclosure under applicable law. If you are not the intended recipient or the person responsible for delivering the message to the intended recipient, you are strictly prohibited from disclosing, distributing, copying, or in any way using this message. If you have received this communication in error, please notify the sender and destroy and delete any copies you may have received.







  • 2.  Re: [cti-taxii] Open question: Server and User-Agent headers

    Posted 02-07-2017 23:14
    Personally, I think at best this should be something like "The TAXII Server SHOULD support the configuration of Server: header with an appropriate server version string" And then a similar statement for the client.

    Bret

    From: cti-taxii@lists.oasis-open.org <cti-taxii@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
    Sent: Tuesday, February 7, 2017 3:33:45 PM
    To: Mark Davidson; cti-taxii@lists.oasis-open.org
    Subject: Re: [cti-taxii] Open question: Server and User-Agent headers


  • 3.  Re: [cti-taxii] Open question: Server and User-Agent headers

    Posted 02-07-2017 23:21
    Hi,

    I'm not sure why we would need a MUST for the server or user-agent. What benefits does this bring? We already have a MIME type that will cover this sort of information...do we really need it in the Server and User-Agent as well? Seems like unneeded extra complication to me.

    Cheers

    Terry MacDonald   Chief Product Officer
    M:   +64 211 918 814
    E:   terry.macdonald@cosive.com
    W:   www.cosive.com

    On Wed, Feb 8, 2017 at 11:33 AM, Allan Thomson <athomson@lookingglasscyber.com> wrote:


  • 4.  Re: [cti-taxii] Open question: Server and User-Agent headers

    Posted 02-07-2017 23:34




    Personally I’m fine not having it in the header as well.
     
    I just wanted to make sure that if we state something about header inclusion that it's clear what is included or not.
     
    allan
     

    From:
    Terry MacDonald <terry.macdonald@cosive.com>
    Date: Tuesday, February 7, 2017 at 3:20 PM
    To: Allan Thomson <athomson@lookingglasscyber.com>
    Cc: Mark Davidson <Mark.Davidson@nc4.com>, "cti-taxii@lists.oasis-open.org" <cti-taxii@lists.oasis-open.org>
    Subject: Re: [cti-taxii] Open question: Server and User-Agent headers


     



  • 5.  Re: [cti-taxii] Open question: Server and User-Agent headers

    Posted 02-08-2017 02:29
    Terry,

    The MIME types say that it is STIX content or TAXII content.  What people are asking for is the ability to broadcast the type and version of the server / client.

    Bret

    From: cti-taxii@lists.oasis-open.org <cti-taxii@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@cosive.com>
    Sent: Tuesday, February 7, 2017 4:20:50 PM
    To: Allan Thomson
    Cc: Mark Davidson; cti-taxii@lists.oasis-open.org
    Subject: Re: [cti-taxii] Open question: Server and User-Agent headers


  • 6.  Re: [cti-taxii] Open question: Server and User-Agent headers

    Posted 02-08-2017 08:45
    On 08.02.2017 02:28:45, Bret Jordan wrote:
    >
    > The MIME types say that it is STIX content or TAXII content. What
    > people are asking for is the ability to broadcast the type and version
    > of the server / client.
    >

    Speaking from past experience debugging STIX/TAXII 1.x interoperability issues, the problem is immeasurably easier when you can clearly determine from your logs which implementations are correlated with the issue(s).

    As John Wunder pointed out during yesterday's working call, in some instances (e.g., DISA STIG requirements) you need the ability to disable this behavior. But in most cases it's helpful to have this information at hand.

    QED, TAXII servers and clients SHOULD support identifying their type and version via the headers but the behavior MAY be disabled when necessary.

    --
    Cheers,
    Trey
    ++--------------------------------------------------------------------------++
    Kingfisher Operations, sprl
    gpg fingerprint: 85F3 5F54 4A2A B4CD 33C4 5B9B B30D DD6E 62C8 6C1D
    ++--------------------------------------------------------------------------++
    --
    "There's never enough time. Thank you for yours." --Dan Geer
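    What the two points above come down to in practice, Allan's concern that Server and User-Agent values usually carry several product tokens, and Trey's point that the token is there so that logs can be correlated with an implementation but that emitting it must be switchable. The block below is an added example written for this page; it is not code from the thread, from OASIS, or from any TAXII implementation. It assumes the protocol token is spelled `taxii/2.0` as a single RFC 7231 product token (the `taxii /2.0` spelling with a space, as floated above, does not parse as one token, which the code shows), and the implementation names `ExampleTaxii`, `ExampleClient` and the access-log lines are constructed for illustration.

```python
"""Added example, not from the OASIS cti-taxii thread or any TAXII
implementation: parse RFC 7231 product tokens out of Server / User-Agent
values, pick out a TAXII protocol token such as 'taxii/2.0', emit such a
header in a way that can be switched off, and correlate failures in an
access log with the client implementation that produced them.
All header values and log lines here are constructed for illustration.
"""
import re
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# RFC 7231: product = token ["/" product-version]; a token is one or more
# tchars. Parenthesised "(comments)" may sit between products and are
# skipped. "taxii /2.0" (space before the slash) is therefore NOT one
# product token: the version is lost, as find_taxii_token() shows.
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PRODUCT_RE = re.compile(r"\(([^)]*)\)|(" + _TCHAR + r")(?:/(" + _TCHAR + r"))?")

PROTOCOL_TOKEN = "taxii/2.0"   # assumed spelling of the protocol token


def product_tokens(header: str) -> List[Tuple[str, Optional[str]]]:
    """Return (name, version) for each product token in a Server or
    User-Agent value, in order, with comments dropped."""
    tokens = []
    for m in _PRODUCT_RE.finditer(header):
        if m.group(1) is not None:      # a "(comment)", not a product
            continue
        tokens.append((m.group(2), m.group(3)))
    return tokens


def find_taxii_token(header: str) -> Optional[Tuple[str, Optional[str]]]:
    """First product token named 'taxii' (case-insensitive), or None."""
    for name, version in product_tokens(header):
        if name.lower() == "taxii":
            return (name, version)
    return None


def header_value(implementation: str, impl_version: str,
                 advertise_implementation: bool = True) -> str:
    """Build a Server or User-Agent value. The implementation token is the
    part a hardening baseline may forbid revealing, so the switch removes
    exactly that; the protocol token says no more than the MIME type
    already does and is always kept."""
    if advertise_implementation:
        return f"{implementation}/{impl_version} {PROTOCOL_TOKEN}"
    return PROTOCOL_TOKEN


def client_implementation(user_agent: str) -> str:
    """Label for log correlation: the first product token that is not the
    protocol token, or 'unknown' when the client advertises nothing."""
    for name, version in product_tokens(user_agent):
        if name.lower() != "taxii":
            return f"{name}/{version}" if version else name
    return "unknown"


# Combined-format access log (constructed lines, not real traffic).
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

SAMPLE_LOG = [
    '10.0.0.5 - - [08/Feb/2017:09:01:02 +0000] "GET /taxii/ HTTP/1.1" 200 512 "-" "python-requests/2.12 taxii/2.0"',
    '10.0.0.6 - - [08/Feb/2017:09:01:05 +0000] "POST /collections/c1/objects/ HTTP/1.1" 415 0 "-" "ExampleClient/0.9 (beta) taxii/2.0"',
    '10.0.0.6 - - [08/Feb/2017:09:01:09 +0000] "POST /collections/c1/objects/ HTTP/1.1" 415 0 "-" "ExampleClient/0.9 (beta) taxii/2.0"',
    '10.0.0.7 - - [08/Feb/2017:09:02:00 +0000] "GET /collections/ HTTP/1.1" 200 2048 "-" "taxii/2.0"',
    '10.0.0.8 - - [08/Feb/2017:09:02:30 +0000] "GET /collections/ HTTP/1.1" 500 0 "-" "taxii/2.0"',
]


def failures_by_implementation(lines: Iterable[str]) -> Counter:
    """Count non-2xx responses per client implementation: the correlation
    a developer wants first when chasing an interoperability bug."""
    counts: Counter = Counter()
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue                    # unparseable line, skip it
        if not m.group("status").startswith("2"):
            counts[client_implementation(m.group("ua"))] += 1
    return counts


if __name__ == "__main__":
    print(product_tokens("Apache/2.4.25 (Unix) ExampleTaxii/1.4 taxii/2.0"))
    print(header_value("ExampleTaxii", "1.4", advertise_implementation=False))
    print(failures_by_implementation(SAMPLE_LOG))
```

    Two things worth noticing. A client that has its implementation token switched off still parses cleanly and is simply bucketed as "unknown", so the disable option costs nothing on the parsing side. And because "/" is not a tchar, a value written as `taxii /2.0` yields the token `taxii` with no version and a stray `2.0` token, which is the kind of ambiguity Allan's request for an exact value was meant to avoid.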


  • 7.  Re: [cti-taxii] Open question: Server and User-Agent headers

    Posted 02-08-2017 11:24
    On 8 February 2017 at 08:44, Trey Darley <trey@kingfisherops.com> wrote:
    > On 08.02.2017 02:28:45, Bret Jordan wrote:
    > >
    > > The MIME types say that it is STIX content or TAXII content. What
    > > people are asking for is the ability to broadcast the type and version
    > > of the server / client.
    > >
    > Speaking from past experience debugging STIX/TAXII 1.x interoperability issues, the problem is immeasurably easier when you can clearly determine from your logs which implementations are correlated with the issue(s).
    >
    > As John Wunder pointed out during yesterday's working call, in some instances (e.g., DISA STIG requirements) you need the ability to disable this behavior. But in most cases it's helpful to have this information at hand.
    >
    > QED, TAXII servers and clients SHOULD support identifying their type and version via the headers but the behavior MAY be disabled when necessary.

    I'd be wary of saying "SHOULD but MAY be disabled"; it makes no sense in RFC 2119 terms. SHOULD implies a MUST which can be broken in rare cases; MAY is truly optional. In both cases this is for interoperability; you want debugging information. The DISA STIGs are not the only cases where implementation information is recommended against, in any case - this seems to be very much a matter of taste.

    I would argue that TAXII ought to be silent on this matter - these are HTTP headers, and imposing any additional requirement on them seems a mis-step.

    Dave.

    --
    Dave Cridland
    phone   +448454681066
    email   dave.cridland@surevine.com
    skype   dave.cridland.surevine

    Participate Collaborate Innovate
    Surevine Limited, registered in England and Wales with number 06726289. Mailing Address : PO Box 1136, Guildford GU1 9ND
    If you think you have received this message in error, please notify us.


  • 8.  Re: [cti-taxii] Open question: Server and User-Agent headers

    Posted 02-08-2017 13:20
    On 08.02.2017 11:23:27, Dave Cridland wrote:
    >
    > I'd be wary of saying "SHOULD but MAY be disabled"; it makes no
    > sense in RFC 2119 terms. SHOULD implies a MUST which can be broken
    > in rare cases; MAY is truly optional. In both cases this is for
    > interoperability; you want debugging information. The DISA STIGs are
    > not the only cases where implementation information is recommended
    > against, in any case - this seems to be very much a matter of taste.
    >
    > I would argue that TAXII ought to be silent on this matter - these
    > are HTTP headers, and imposing any additional requirement on them
    > seems a mis-step.
    >

    Taking your point, Dave, I concur that the TAXII specification should be silent on this question. (This appears to be yet another one of those cases where we're conflating normative requirements with implementation details.)

    Whereas having this capability configurable in actual tools is incredibly handy, let's ensure that we address this via a recommendation in the implementer's guide.

    --
    Cheers,
    Trey
    ++--------------------------------------------------------------------------++
    Kingfisher Operations, sprl
    gpg fingerprint: 85F3 5F54 4A2A B4CD 33C4 5B9B B30D DD6E 62C8 6C1D
    ++--------------------------------------------------------------------------++
    --
    "No matter how hard you try, you can't make a baby in much less than 9 months. Trying to speed this up *might* make it slower, but it won't make it happen any quicker." --RFC 1925


  • 9.  Re: [cti-taxii] Open question: Server and User-Agent headers

    Posted 02-08-2017 13:39
    I agree with Dave and Trey, the spec itself should be silent.

    On 2/8/17, 8:19 AM, "Trey Darley" <cti-taxii@lists.oasis-open.org on behalf of trey@kingfisherops.com> wrote: