The importance of making sure VERSION 2 is the version to be considered as the primary standard for CTI sharing cannot be understated.
The market already does not understand the important and significant differences between v1 and v2.
I strongly suggest that OASIS make sure the ITU-T does everything it can to adopt version 2 not 1.
Allan Thomson
CTO (+1-408-331-6646)
LookingGlass Cyber Solutions
From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "jamie.clark@oasis-open.org" <jamie.clark@oasis-open.org>
Date: Thursday, December 13, 2018 at 8:49 AM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, "Struse, Richard J." <rjs@mitre.org>, "trey.darley@cert.be" <trey.darley@cert.be>
Cc: Chet Ensign <chet.ensign@oasis-open.org>
Subject: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply
Dear members of the CTI TC:
After consultation with your chairs, they asked us to share this (attached) communication from ITU-T's Study Group 17 (on cybersecurity), inquiring about a contribution of STIX and TAXII for their endorsement and approval.
BACKGROUND. OASIS has contributed many standards to global de jure standards bodies like ITU-T, including a number successfully approved by ITU's SG17. [1] The ground rules for doing so can be found in the OASIS liaison policy [2]. There are several process requirements, which include OASIS Standard status, and an approval vote from the originating TC. Staff's view is that submission is appropriate and expected to be successful.
OASIS submissions to the study group occur with the condition that, while comments are welcome, only the final approved version of the OASIS submission can be considered ... in other words, the ITU panel would not have the right to make changes as part of its approval process.
CONSIDERATIONS FOR THIS SUBMISSION. Your Versions 1 of STIX and TAXII have become OASIS Standards, as you know. Your work on bringing your Versions 2 to that status is ongoing. Our understanding with your leadership was that, while the Versions 1 are not officially deprecated, your TC wishes to encourage implementation of the newer (and differently scheme-ad) Versions 2; so a promotion of Versions 1 to international standard status at this time might not achieve your goals.
We have been advised that you likely would wish to submit both STIX and TAXII together, and wait until both versions are eligible (as an OS) before submitting. The schedule of SG17 essentially uses live meetings once every six months, so this would probably result in a mid-2019 submission, assuming you support it.
RECOMMENDATION. If we are correct that your preference is to submit Versions 2.X, then we suggest that OASIS reply to this inquiry now, with a polite and encouraging indication that the TC expects to submit the completed version to ITU as soon as they're available, within a few months. That would allow us to provide a positive statement as feedback to the January 2019 meeting, for which planning is now underway.
ACTION REQUESTED. Would you please let us (and the TC) know if there's any objection to that approach? We'll plan to send the "version 2 coming soon" message, as described above, which requires no TC vote, if we hear no objections.
If on the other hand, there is TC sentiment to send completed Versions 1 to ITU for consideration for promotion and republication as "ITU-T Recommendations" (their version of international standards), then please advise your TC leadership and my colleague Chet Ensign, as that could be done by a web ballot TC vote at any time and a short public notice to the membership.
Please feel free to contact Chet or me if you have any questions.
Kind regards
Jamie
[1] Including SAML, XACML and CAP (an emergency services resources info protocol).
[2] https://www.oasis-open.org/policies-guidelines/liaison#submitwork
James Bryce Clark, General Counsel
OASIS: Advancing open data, code and standards for the information society
https://www.oasis-open.org/staff
EU Commission 2018 Rolling Plan for Open ICT Standards: http://j.mp/EUstds2018
OASIS Borderless Cybersecurity conference, October 2018: https://us18.borderlesscyber.org/en/
Previously Prague 2017, NYC 2017, Tokyo 2016, Brussels 2016, World Bank 2015