OASIS Cyber Threat Intelligence (CTI) TC


TAXII definition of "Done"

  • 1.  TAXII definition of "Done"

    Posted 11-27-2018 20:56
    All,

    As I mentioned on the working call today, we have imposed a very strict definition of “Done” for new features/objects in STIX, however, we have never agreed as a TC to impose the same rigorous standards to TAXII. Given the fact that some of the issues that prompted us to implement this definition came about when people attempted to implement TAXII, it seems only logical to me that we would impose the same standards to both specifications.

    As a reminder, the definition of “Done” for STIX includes:

    - Written specification text
    - Proof of concept code from at least two different developers/companies
    - Corresponding Interop tests

    For some of the newer features in TAXII, namely TAXII query, it seems to make sense to me that it should be proved in code before we finalize it in the specification.

    I wanted to bring this topic to the list and see what other people thought about this.

    Thanks,

    Sarah Kelley
    Lead Cybersecurity Engineer, T8B2
    Defensive Operations
    The MITRE Corporation
    703-983-6242
    skelley@mitre.org


  • 2.  Re: [cti] TAXII definition of "Done"

    Posted 11-27-2018 21:15
    I would also agree that TAXII features should also meet the STIX definition of "done" in order to be included in the spec.

    -
    Jason Keirstead
    Lead Architect - IBM Security Connect
    www.ibm.com/security

    "Things may come to those who wait, but only the things left by those who hustle." - Unknown



  • 3.  Re: [cti] TAXII definition of "Done"

    Posted 11-27-2018 21:22




    Agreed, the same motivation for wanting to do this for STIX applies to TAXII. I’d also keep in mind that requiring sponsors and interop text makes it so that you’re not just evaluating technical feasibility (the implementation piece), you’re also ensuring that there’s defined use cases and a real scenario where it can be used (a concern discussed on the call). It’s way easier to say yes to something new than to say no, so it’s important to have these checks in place to make sure we don’t end up with something overly broad again.
     
    John
     


  • 4.  Re: [cti] TAXII definition of "Done"

    Posted 11-27-2018 21:27




    +1 to TAXII features starting to require the same level of doneness as STIX changes.
     
    Allan
     


  • 5.  Re: [EXT] Re: [cti] TAXII definition of "Done"

    Posted 11-27-2018 22:29
    I am fine with that (since this is what I am doing behind the scenes anyways), but this would need to be taken to a ballot just like we did for STIX.  It would need to be binding, not just a casual agreement.

    What I am doing right now is making sure every feature that gets added to TAXII is actually implemented in my libraries and test server (at some level).  I am doing this to help prevent the problems we had with TAXII 2.0, where 20 minutes into coding we realized that, that design does not work in code.  Some of the issues we have resolved in TAXII 2.1 have come about because of this code work that I and others have done and the plugfests we have held.  I am a firm believer in "working code" and easy to implement in code.  I think those are two of the pillars to adoption.

    One of the differences we have in TAXII versus STIX though is, TAXII does not have features that are just conceptual models. STIX on the other hand can just be "modeled" and not implemented.  This is why it was so important to have the "written in code" clause for STIX.

    Bret


  • 6.  RE: [EXT] Re: [cti] TAXII definition of "Done"

    Posted 12-06-2018 17:23
    All,

    Having seen no objections to the idea of instituting a mandate of “done” for TAXII (in addition to STIX), I believe the next step would be to decide when we want to institute that policy. As with STIX, the best way to institute that new policy would be to have a ballot on it, so we would need to decide when to open that ballot.

    In my understanding of the changes in the current WD that is open for ballot, the only new “thing” is the client user-agent. From my perspective, this seems like a relatively small change to hold up with the addition of this new process, however something like TAXII query would make sense to have proven out in code and to pre-build interop tests for.

    What do the TC members think about when we should start the ball rolling on implementing this policy?

    Thanks,

    Sarah Kelley
    Lead Cybersecurity Engineer, T8B2
    Defensive Operations
    The MITRE Corporation
    703-983-6242
    skelley@mitre.org


  • 7.  Re: [cti] RE: [EXT] Re: [cti] TAXII definition of "Done"

    Posted 12-06-2018 21:58



    In all things consensus based, there is the “does anyone object” and two, “who supports and is driving this”.


    It is generally not good form to do things by objection but rather first by demand and then by objection.  


    While I fundamentally do not disagree, I have yet to see the TC push for this.  By this philosophy we should have adopted the whole content process that I sent to the TC as a fully developed working draft several months ago.


    So unless there is a ground swell of the TC that is pushing for this, I would object simply out of principle.  This is the same reason why tons of new things are not just added to TAXII, there is no demand for them and it is not up to me to just add them.


    Bret 

    Sent from my Commodore 128D


    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050



  • 8.  RE: [cti] RE: [EXT] Re: [cti] TAXII definition of "Done"

    Posted 12-07-2018 18:08




    Bret,
     
    As of last week, the people in support of having TAXII meet some definition of done were:
     
    Sarah Kelley
    Jason Keirstead
    John Wunder
    Allan Thomson
    and you:
    I am fine with that (since this is what I am doing behind the scenes anyways), but this would need to be taken to a ballot just like we did for STIX.  It would need to be binding, not just a casual agreement. 
    Since no one objected to the idea, and at least five people supported it, the goal was to move the ball further down the court and see if there was an appetite for taking this to a ballot and making it more official, and if so, to figure
    out when we might want to do that.
     
    Thanks,
     

    Sarah Kelley
    Lead Cybersecurity Engineer, T8B2
    Defensive Operations
    The MITRE Corporation
    703-983-6242
    skelley@mitre.org


     


    From: Bret Jordan <Bret_Jordan@symantec.com>
    Sent: Thursday, December 6, 2018 4:58 PM
    To: Kelley, Sarah E. <skelley@mitre.org>
    Cc: cti@lists.oasis-open.org
    Subject: Re: [cti] RE: [EXT] Re: [cti] TAXII definition of "Done"


     
    In all things consensus based, there is the does anyone object and two, who supports and is driving this .  


     


    It is generally not good form to do things by objection but rather first by demand and then by objection.  


     


    While I fundamentally do not disagree, I have yet to see the TC push for this.  By this philosophy we should have adopted the whole content process that I sent to the TC as a fully developed working draft several months ago.


     


    So unless there is a ground swell of the TC that is pushing for this, I would object simply out of principle.  This is the same reason why tons of new things are not just added to TAXII, there is no demand for them and it is not up to me
    to just add them.


     


    Bret 

    Sent from my Commodore 128D






    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050




    On Dec 7, 2018, at 2:23 AM, Kelley, Sarah E. < skelley@mitre.org > wrote:



    All,
     
    Having seen no objections to the idea of instituting a mandate of done for TAXII (in addition to STIX), I believe the next step would be to decide when we want to institute that policy. As with STIX, the best way to institute that new
    policy would be to have a ballot on it, so we would need to decide when to open that ballot.

     
    In my understanding of the changes in the current WD that is open for ballot, the only new thing is the client user-agent. From my perspective, this seems like a relatively small change to hold up with the addition of this new process,
    however something like TAXII query would make sense to have proven out in code and to pre-build interop tests for.

     
    What do the TC members think about when we should start the ball rolling on implementing this policy?
     
    Thanks,
     

    Sarah Kelley
    Lead Cybersecurity Engineer, T8B2
    Defensive Operations
    The MITRE Corporation
    703-983-6242
    skelley@mitre.org
    <image003.jpg>

     


    From: Bret Jordan < Bret_Jordan@symantec.com >

    Sent: Tuesday, November 27, 2018 5:29 PM
    To: Allan Thomson < athomson@lookingglasscyber.com >; Wunder, John A. < jwunder@mitre.org >; Jason Keirstead < Jason.Keirstead@ca.ibm.com >;
    Kelley, Sarah E. < skelley@mitre.org >
    Cc: cti@lists.oasis-open.org
    Subject: Re: [EXT] Re: [cti] TAXII definition of "Done"


     

    I am fine with that (since this is what I am doing behind the scenes anyways), but this would need to be taken to a ballot just like we did for STIX.  It would need to be binding, not just a casual agreement.  
     
    What I am doing right now is making sure every feature that gets added to TAXII is actually implemented in my libraries and test server (at some level).  I am doing this to help prevent the problems we had with
    TAXII 2.0, where 20 minutes in to coding we realized that, that design does not work in code.  Some of the issues we have resolved in TAXII 2.1 have come about because of this code work that I and others have done and the plugfests we have held.  I am a firm
    believer in "working code" and easy to implement in code.  I think those are two of the pillars to adoption. 
     
    One of the differences we have in TAXII versus STIX though is, TAXII does not have features that are just conceptual models. STIX on the other hand can just be "modeled" and not implemented.  This is why it was
    so important to have the "written in code" clause for STIX. 
     
    Bret





    From:
    cti@lists.oasis-open.org < cti@lists.oasis-open.org > on behalf of Allan Thomson < athomson@lookingglasscyber.com >
    Sent: Tuesday, November 27, 2018 2:26:44 PM
    To: Wunder, John A.; Jason Keirstead; Kelley, Sarah E.
    Cc: cti@lists.oasis-open.org
    Subject: [EXT] Re: [cti] TAXII definition of "Done"

     




    +1 to TAXII features starting to require the same level of doneness as STIX changes.
     
    Allan
     

    From:
    " cti@lists.oasis-open.org " < cti@lists.oasis-open.org > on behalf of "Wunder, John" < jwunder@mitre.org >
    Date: Tuesday, November 27, 2018 at 1:21 PM
    To: Jason Keirstead < Jason.Keirstead@ca.ibm.com >, "Kelley, Sarah E." < skelley@mitre.org >
    Cc: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject: Re: [cti] TAXII definition of "Done"


     

    Agreed, the same motivation for wanting to do this for STIX applies to TAXII. I'd also keep in mind that requiring sponsors and interop text makes it so that you're not just evaluating technical feasibility (the implementation piece),
    you're also ensuring that there's defined use cases and a real scenario where it can be used (a concern discussed on the call). It's way easier to say yes to something new than to say no, so it's important to have these checks in place to make sure we don't
    end up with something overly broad again.
     
    John
     

    From:
    < cti@lists.oasis-open.org > on behalf of Jason Keirstead < Jason.Keirstead@ca.ibm.com >
    Date: Tuesday, November 27, 2018 at 4:15 PM
    To: "Kelley, Sarah E." < skelley@mitre.org >
    Cc: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject: Re: [cti] TAXII definition of "Done"


     

    I would also agree that TAXII features should also meet the STIX definition of "done" in order to be included in the spec.

    -
    Jason Keirstead
    Lead Architect - IBM Security Connect
    www.ibm.com/security

    "Things may come to those who wait, but only the things left by those who hustle." - Unknown





    From:         "Kelley, Sarah E." < skelley@mitre.org >
    To:         " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Date:         11/27/2018 04:56 PM
    Subject:         [cti] TAXII definition of "Done"
    Sent by:         < cti@lists.oasis-open.org >






    All,
     
    As I mentioned on the working call today, we have imposed a very strict definition of "Done" for new features/objects in STIX, however, we have never agreed as a TC to impose the same rigorous standards to TAXII. Given the fact
    that some of the issues that prompted us to implement this definition came about when people attempted to implement TAXII, it seems only logical to me that we would impose the same standards to both specifications.

     
    As a reminder, the definition of "Done" for STIX includes:


    Written specification text

    Proof of concept code from at least two different developers/companies

    Corresponding Interop tests
     
    For some of the newer features in TAXII, namely TAXII query, it seems to make sense to me that it should be proved in code before we finalize it in the specification.
     
    I wanted to bring this topic to the list and see what other people thought about this.
     
    Thanks,
     
    Sarah Kelley
    Lead Cybersecurity Engineer, T8B2
    Defensive Operations
    The MITRE Corporation
    703-983-6242
    skelley@mitre.org


  • 9.  Re: [cti] RE: [EXT] Re: [cti] TAXII definition of "Done"

    Posted 12-07-2018 19:04



    And as I said in my last email...


    While I fundamentally do not disagree, I have yet to see the TC push for this.  By this philosophy we should have adopted the whole content process that I sent to the TC as a fully developed working
    draft several months ago.


    So unless there is a ground swell of the TC that is pushing for this, I would object simply out of principle.  This is the same reason why tons of new things are not just added to TAXII, there is
    no demand for them and it is not up to me to just add them.


    So I object on principle.  You have 4 people out of over 200 which is less than 2%.  The TC has made it really clear as of late that talking about process is not something people want to do.  And if we are going to try and talk about process then once
    again I want to bring up the fully fleshed out Draft I submitted to the TC, which basically codifies what we have been doing behind the scenes.


    Bret 

    Sent from my Commodore 128D


    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050


    On Dec 7, 2018, at 10:08 AM, Kelley, Sarah E. < skelley@mitre.org > wrote:







    Bret,
     
    As of last week, the people in support of having TAXII meet some definition of done were:
     
    Sarah Kelley
    Jason Keirstead
    John Wunder
    Allan Thomson
    and you:
    I am fine with that (since this is what I am doing behind the scenes anyways), but this would need to be taken to a ballot just like we did for STIX.  It would need to be binding, not just a casual agreement. 
    Since no one objected to the idea, and at least five people supported it, the goal was to move the ball further down the court and see if there was an appetite for taking this to a ballot and making it more official, and if so, to figure
    out when we might want to do that.
     
    Thanks,
     

    Sarah Kelley
    Lead Cybersecurity Engineer, T8B2
    Defensive Operations
    The MITRE Corporation
    703-983-6242
    skelley@mitre.org

     


    From: Bret Jordan < Bret_Jordan@symantec.com >

    Sent: Thursday, December 6, 2018 4:58 PM
    To: Kelley, Sarah E. < skelley@mitre.org >
    Cc: cti@lists.oasis-open.org
    Subject: Re: [cti] RE: [EXT] Re: [cti] TAXII definition of "Done"


     
    In all things consensus based, there is the "does anyone object" and two, "who supports and is driving this".


     


    It is generally not good form to do things by objection but rather first by demand and then by objection.  


     


    While I fundamentally do not disagree, I have yet to see the TC push for this.  By this philosophy we should have adopted the whole content process that I sent to the TC as a fully developed working draft several months ago.


     


    So unless there is a ground swell of the TC that is pushing for this, I would object simply out of principle.  This is the same reason why tons of new things are not just added to TAXII, there is no demand for them and it is not up to me
    to just add them.


     


    Bret 

    Sent from my Commodore 128D






    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050




    On Dec 7, 2018, at 2:23 AM, Kelley, Sarah E. < skelley@mitre.org > wrote:



    All,
     
    Having seen no objections to the idea of instituting a mandate of done for TAXII (in addition to STIX), I believe the next step would be to decide when we want to institute that policy. As with STIX, the best way to institute that new
    policy would be to have a ballot on it, so we would need to decide when to open that ballot.

     
    In my understanding of the changes in the current WD that is open for ballot, the only new thing is the client user-agent. From my perspective, this seems like a relatively small change to hold up with the addition of this new process,
    however something like TAXII query would make sense to have proven out in code and to pre-build interop tests for.

     
    What do the TC members think about when we should start the ball rolling on implementing this policy?
     
    Thanks,
     

    Sarah Kelley
    Lead Cybersecurity Engineer, T8B2
    Defensive Operations
    The MITRE Corporation
    703-983-6242
    skelley@mitre.org

  • 10.  Re: [cti] RE: [EXT] Re: [cti] TAXII definition of "Done"

    Posted 12-07-2018 19:09




    I support having TAXII meet some definition of Done Kelley.
     
    Also, isn't this a process change vs a feature change to the spec?  Or is the point that there should be a vote for this before it's decided?
     
    What would the # of people out of 200 be required to make this happen?
     


  • 11.  Re: [cti] RE: [EXT] Re: [cti] TAXII definition of "Done"

    Posted 12-07-2018 20:49



    Matt,


    That is great.  I am glad to see more people support the idea, this makes it easier for me to support it.  


    As all things consensus based, we just need to show rough consensus for it.  That does not mean unanimity, but it also means more than just a few.  


    If we can show desire for this, I am more than happy to write up a proposal.


    Bret 

    Sent from my Commodore 128D


    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050


    On Dec 7, 2018, at 12:08 PM, Matt Pladna < mpladna@lookingglasscyber.com > wrote:







    I support having TAXII meet some definition of Done Kelley.
     
    Also, isn't this a process change vs a feature change to the spec?  Or is the point that there should be a vote for this before it's decided?
     
    What would the # of people out of 200 be required to make this happen?
     

    From: < cti@lists.oasis-open.org > on behalf of Bret Jordan < Bret_Jordan@symantec.com >
    Date: Friday, December 7, 2018 at 14:04
    To: "Kelley, Sarah E." < skelley@mitre.org >
    Cc: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject: Re: [cti] RE: [EXT] Re: [cti] TAXII definition of "Done"


     

    And as I said in my last email...

     


    While I fundamentally do not disagree, I have yet to see the TC push for this.  By this philosophy we should have adopted the whole content process that I sent to the TC as a fully developed working draft several months ago.







    So unless there is a ground swell of the TC that is pushing for this, I would object simply out of principle.  This is the same reason why tons of new things are not just added to TAXII, there is no demand for them and it is not up to me
    to just add them.







    So I object on principle.  You have 4 people out of over 200 which is less than 2%.  The TC has made it really clear as of late that talking about process is not something people want to do.  And if we are going to try and talk about process
    then once again I want to bring up the fully fleshed out Draft I submitted to the TC, which basically codifies what we have been doing behind the scenes.


     


    Bret 

     

    Sent from my Commodore 128D






    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050




    On Dec 7, 2018, at 10:08 AM, Kelley, Sarah E. < skelley@mitre.org > wrote:



    Bret,
     
    As of last week, the people in support of having TAXII meet some definition of done was:
     
    Sarah Kelley
    Jason Keirstead
    John Wunder
    Allan Thompson
    and you:
    I am fine with that (since this is what I am doing behind the scenes anyways), but this would need to be taken to a ballot just like we did for STIX.  It would need to be binding, not just a casual agreement. 
    Since no one objected to the idea, and at least five people supported it, the goal was to move the ball further down the court and see if there was an appetite for taking this to a ballot and making it more official, and if so, to figure
    out when we might want to do that.
     
    Thanks,
     

    Sarah Kelley
    Lead Cybersecurity Engineer, T8B2
    Defensive Operations
    The MITRE Corporation
    703-983-6242
    skelley@mitre.org
    <image003.jpg>

     


    From: Bret Jordan < Bret_Jordan@symantec.com >

    Sent: Thursday, December 6, 2018 4:58 PM
    To: Kelley, Sarah E. < skelley@mitre.org >
    Cc: cti@lists.oasis-open.org
    Subject: Re: [cti] RE: [EXT] Re: [cti] TAXII definition of "Done"


     
    In all things consensus based, there is the does anyone object and two, who supports and is driving this .  


     


    It is generally not good form to do things by objection but rather first by demand and then by objection.  


     


    While I fundamentally do not disagree, I have yet to see the TC push for this.  By this philosophy we should have adopted the whole content process that I sent to the TC as a fully developed working draft several months ago.


     


    So unless there is a ground swell of the TC that is pushing for this, I would object simply out of principle.  This is the same reason why tons of new things are not just added to TAXII, there is no demand for them and it is not up to me
    to just add them.


     


    Bret 

    Sent from my Commodore 128D







    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050




    On Dec 7, 2018, at 2:23 AM, Kelley, Sarah E. < skelley@mitre.org > wrote:



    All,
     
    Having seen no objections to the idea of instituting a mandate of done for TAXII (in addition to STIX), I believe the next step would be to decide when we want to institute that policy. As with STIX, the best way to institute that new
    policy would be to have a ballot on it, so we would need to decide when to open that ballot.

     
    In my understanding of the changes in the current WD that is open for ballot, the only new thing is the client user-agent. From my perspective, this seems like a relatively small change to hold up with the addition of this new process,
    however something like TAXII query would make sense to have proven out in code and to pre-build interop tests for.

     
    What do the TC members think about when we should start the ball rolling on implementing this policy?
     
    Thanks,
     

    Sarah Kelley
    Lead Cybersecurity Engineer, T8B2
    Defensive Operations
    The MITRE Corporation
    703-983-6242
    skelley@mitre.org
    <image003.jpg>

     


    From: Bret Jordan < Bret_Jordan@symantec.com >

    Sent: Tuesday, November 27, 2018 5:29 PM
    To: Allan Thomson < athomson@lookingglasscyber.com >; Wunder, John A. < jwunder@mitre.org >; Jason Keirstead < Jason.Keirstead@ca.ibm.com >;
    Kelley, Sarah E. < skelley@mitre.org >
    Cc: cti@lists.oasis-open.org
    Subject: Re: [EXT] Re: [cti] TAXII definition of "Done"


     

    I am fine with that (since this is what I am doing behind the scenes anyways), but this would need to be taken to a ballot just like we did for STIX.  It would need to be binding, not just a casual agreement.  
     
    What I am doing right now is making sure every feature that gets added to TAXII is actually implemented in my libraries and test server (at some level).  I am doing this to help prevent the problems we had with
    TAXII 2.0, where 20 minutes in to coding we realized that, that design does not work in code.  Some of the issues we have resolved in TAXII 2.1 have come about because of this code work that I and others have done and the plugfests we have held.  I am a firm
    believer in "working code" and easy to implement in code.  I think those are two of the pillars to adoption. 
     
    One of the differences we have in TAXII versus STIX though is, TAXII does not have features that are just conceptual models. STIX on the other hand can just be "modeled" and not implemented.  This is why it was
    so important to have the "written in code" clause for STIX. 
     
    Bret





    From:
    cti@lists.oasis-open.org < cti@lists.oasis-open.org > on behalf of Allan Thomson < athomson@lookingglasscyber.com >
    Sent: Tuesday, November 27, 2018 2:26:44 PM
    To: Wunder, John A.; Jason Keirstead; Kelley, Sarah E.
    Cc: cti@lists.oasis-open.org
    Subject: [EXT] Re: [cti] TAXII definition of "Done"

     




    +1 to TAXII features starting to require the same level of doneness as STIX changes.
     
    Allan
     

    From:
    " cti@lists.oasis-open.org " < cti@lists.oasis-open.org > on behalf of "Wunder, John" < jwunder@mitre.org >
    Date: Tuesday, November 27, 2018 at 1:21 PM
    To: Jason Keirstead < Jason.Keirstead@ca.ibm.com >, "Kelley, Sarah E." < skelley@mitre.org >
    Cc: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject: Re: [cti] TAXII definition of "Done"


     

    Agreed, the same motivation for wanting to do this for STIX applies to TAXII. I d also keep in mind that requiring sponsors and interop text makes it so that you re not just evaluating technical feasibility (the implementation piece),
    you re also ensuring that there s defined use cases and a real scenario where it can be used (a concern discussed on the call). It s way easier to say yes to something new than to say no, so it s important to have these checks in place to make sure we don t
    end up with something overly broad again.
     
    John
     

    From:
    < cti@lists.oasis-open.org > on behalf of Jason Keirstead < Jason.Keirstead@ca.ibm.com >
    Date: Tuesday, November 27, 2018 at 4:15 PM
    To: "Kelley, Sarah E." < skelley@mitre.org >
    Cc: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject: Re: [cti] TAXII definition of "Done"


     

    I would also agree that TAXII features should also meet the STIX definition of "done" in order to be included in the spec.

    -
    Jason Keirstead
    Lead Architect - IBM Security Connect
    www.ibm.com/security

    "Things may come to those who wait, but only the things left by those who hustle." - Unknown





    From:         "Kelley, Sarah E." < skelley@mitre.org >
    To:         " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Date:         11/27/2018 04:56 PM
    Subject:         [cti] TAXII definition of "Done"
    Sent by:         < cti@lists.oasis-open.org >






    All,
     
    As I mentioned on the working call today, we have imposed a very strict definition of Done for new features/objects in STIX, however, we have never agreed as a TC to impose the same rigorous standards to TAXII. Given the fact
    that some of the issues that prompted us to implement this definition came about when people attempted to implement TAXII, it seems only logical to me that we would impose the same standards to both specifications.

     
    As a reminder, the definition of Done for STIX includes:


    Written specification text

    Proof of concept code from at least two different developers/companies

    Corresponding Interop tests
     
    For some of the newer features in TAXII, namely TAXII query, it seems to make sense to me that it should be proved in code before we finalize it in the specification.
     
    I wanted to bring this topic to the list and see what other people thought about this.
     
    Thanks,
     
    Sarah Kelley
    Lead Cybersecurity Engineer, T8B2
    Defensive Operations
    The MITRE Corporation
    703-983-6242
    skelley@mitre.org

  • 12.  Re: [cti] RE: [EXT] Re: [cti] TAXII definition of "Done"

    Posted 12-08-2018 00:39
    Matt Pladna wrote this message on Fri, Dec 07, 2018 at 19:08 +0000:
    > I support having TAXII meet some definition of Done Kelley.

    I agree that TAXII needs to have the same definition of done as the rest of the TC...

    > Also, isn’t this a process change vs a feature change to the spec? Or is the point that there should be a vote for this before it’s decided?
    >
    > What would the # of people out of 200 be required to make this happen?
    >
    > From: <cti@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com>
    > Date: Friday, December 7, 2018 at 14:04
    > To: "Kelley, Sarah E." <skelley@mitre.org>
    > Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
    > Subject: Re: [cti] RE: [EXT] Re: [cti] TAXII definition of "Done"
    >
    > And as I said in my last email...
    >
    > “While I fundamentally do not disagree, I have yet to see the TC push for this. By this philosophy we should have adopted the whole content process that I sent to the TC as a fully developed working draft several months ago.
    >
    > So unless there is a ground swell of the TC that is pushing for this, I would object simply out of principle. This is the same reason why tons of new things are not just added to TAXII, there is no demand for them and it is not up to me to just add them.”
    >
    > So I object on principle. You have 4 people out of over 200 which is less than 2%. The TC has made it really clear as of late that talking about process is not something people want to do. And if we are going to try and talk about process then once again I want to bring up the fully fleshed out Draft I submitted to the TC, which basically codifies what we have been doing behind the scenes.
    >
    > Bret
    >
    > Sent from my Commodore 128D
    >
    > PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    >
    > On Dec 7, 2018, at 10:08 AM, Kelley, Sarah E. <skelley@mitre.org> wrote:
    > Bret,
    >
    > As of last week, the people in support of having TAXII meet some definition of “done” was:
    >
    > Sarah Kelley
    > Jason Keirstead
    > John Wunder
    > Allan Thompson
    > and you:
    >
    > “I am fine with that (since this is what I am doing behind the scenes anyways), but this would need to be taken to a ballot just like we did for STIX. It would need to be binding, not just a casual agreement.”
    > Since no one objected to the idea, and at least five people supported it, the goal was to move the ball further down the court and see if there was an appetite for taking this to a ballot and making it more official, and if so, to figure out when we might want to do that.
    >
    > Thanks,
    >
    > Sarah Kelley
    > Lead Cybersecurity Engineer, T8B2
    > Defensive Operations
    > The MITRE Corporation
    > 703-983-6242
    > skelley@mitre.org
    >
    > From: Bret Jordan <Bret_Jordan@symantec.com>
    > Sent: Thursday, December 6, 2018 4:58 PM
    > To: Kelley, Sarah E. <skelley@mitre.org>
    > Cc: cti@lists.oasis-open.org
    > Subject: Re: [cti] RE: [EXT] Re: [cti] TAXII definition of "Done"
    >
    > In all things consensus based, there is the “does anyone object” and two, “who supports and is driving this”.
    >
    > It is generally not good form to do things by “objection” but rather first by demand and then by objection.
    >
    > While I fundamentally do not disagree, I have yet to see the TC push for this. By this philosophy we should have adopted the whole content process that I sent to the TC as a fully developed working draft several months ago.
    >
    > So unless there is a ground swell of the TC that is pushing for this, I would object simply out of principle. This is the same reason why tons of new things are not just added to TAXII, there is no demand for them and it is not up to me to just add them.
    >
    > Bret
    > Sent from my Commodore 128D
    >
    > PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    >
    > On Dec 7, 2018, at 2:23 AM, Kelley, Sarah E. <skelley@mitre.org> wrote:
    > All,
    >
    > Having seen no objections to the idea of instituting a mandate of “done” for TAXII (in addition to STIX), I believe the next step would be to decide when we want to institute that policy. As with STIX, the best way to institute that new policy would be to have a ballot on it, so we would need to decide when to open that ballot.
    >
    > In my understanding of the changes in the current WD that is open for ballot, the only new “thing” is the client user-agent. From my perspective, this seems like a relatively small change to hold up with the addition of this new process, however something like TAXII query would make sense to have proven out in code and to pre-build interop tests for.
    >
    > What do the TC members think about when we should start the ball rolling on implementing this policy?
    >
    > Thanks,
    >
    > Sarah Kelley
    > Lead Cybersecurity Engineer, T8B2
    > Defensive Operations
    > The MITRE Corporation
    > 703-983-6242
    > skelley@mitre.org
    >
    > From: Bret Jordan <Bret_Jordan@symantec.com>
    > Sent: Tuesday, November 27, 2018 5:29 PM
    > To: Allan Thomson <athomson@lookingglasscyber.com>; Wunder, John A. <jwunder@mitre.org>; Jason Keirstead <Jason.Keirstead@ca.ibm.com>; Kelley, Sarah E. <skelley@mitre.org>
    > Cc: cti@lists.oasis-open.org
    > Subject: Re: [EXT] Re: [cti] TAXII definition of "Done"
    >
    > I am fine with that (since this is what I am doing behind the scenes anyways), but this would need to be taken to a ballot just like we did for STIX. It would need to be binding, not just a casual agreement.
    >
    > What I am doing right now is making sure every feature that gets added to TAXII is actually implemented in my libraries and test server (at some level). I am doing this to help prevent the problems we had with TAXII 2.0, where 20 minutes in to coding we realized that, that design does not work in code. Some of the issues we have resolved in TAXII 2.1 have come about because of this code work that I and others have done and the plugfests we have held. I am a firm believer in "working code" and easy to implement in code. I think those are two of the pillars to adoption.
    >
    > One of the differences we have in TAXII versus STIX though is, TAXII does not have features that are just conceptual models. STIX on the other hand can just be "modeled" and not implemented. This is why it was so important to have the "written in code" clause for STIX.
    >
    > Bret
    >
    > ________________________________
    > From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
    > Sent: Tuesday, November 27, 2018 2:26:44 PM
    > To: Wunder, John A.; Jason Keirstead; Kelley, Sarah E.
    > Cc: cti@lists.oasis-open.org
    > Subject: [EXT] Re: [cti] TAXII definition of "Done"
    >
    > +1 to TAXII features starting to require the same level of doneness as STIX changes.
    >
    > Allan
    >
    > From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "Wunder, John" <jwunder@mitre.org>
    > Date: Tuesday, November 27, 2018 at 1:21 PM
    > To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>, "Kelley, Sarah E." <skelley@mitre.org>
    > Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
    > Subject: Re: [cti] TAXII definition of "Done"
    >
    > Agreed, the same motivation for wanting to do this for STIX applies to TAXII. I’d also keep in mind that requiring sponsors and interop text makes it so that you’re not just evaluating technical feasibility (the implementation piece), you’re also ensuring that there’s defined use cases and a real scenario where it can be used (a concern discussed on the call). It’s way easier to say yes to something new than to say no, so it’s important to have these checks in place to make sure we don’t end up with something overly broad again.
    >
    > John
    >
    > From: <cti@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
    > Date: Tuesday, November 27, 2018 at 4:15 PM
    > To: "Kelley, Sarah E." <skelley@mitre.org>
    > Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
    > Subject: Re: [cti] TAXII definition of "Done"
    >
    > I would also agree that TAXII features should also meet the STIX definition of "done" in order to be included in the spec.
    >
    > -
    > Jason Keirstead
    > Lead Architect - IBM Security Connect
    > www.ibm.com/security
    >
    > "Things may come to those who wait, but only the things left by those who hustle." - Unknown
    >
    > From: "Kelley, Sarah E." <skelley@mitre.org>
    > To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
    > Date: 11/27/2018 04:56 PM
    > Subject: [cti] TAXII definition of "Done"
    > Sent by: <cti@lists.oasis-open.org>
    >
    > ________________________________
    >
    > All,
    >
    > As I mentioned on the working call today, we have imposed a very strict definition of “Done” for new features/objects in STIX, however, we have never agreed as a TC to impose the same rigorous standards to TAXII. Given the fact that some of the issues that prompted us to implement this definition came about when people attempted to implement TAXII, it seems only logical to me that we would impose the same standards to both specifications.
    >
    > As a reminder, the definition of “Done” for STIX includes:
    >
    > 1. Written specification text
    > 2. Proof of concept code from at least two different developers/companies
    > 3. Corresponding Interop tests
    >
    > For some of the newer features in TAXII, namely TAXII query, it seems to make sense to me that it should be proved in code before we finalize it in the specification.
    >
    > I wanted to bring this topic to the list and see what other people thought about this.
    >
    > Thanks,
    >
    > Sarah Kelley
    > Lead Cybersecurity Engineer, T8B2
    > Defensive Operations
    > The MITRE Corporation
    > 703-983-6242
    > skelley@mitre.org

    --
    John-Mark


  • 13.  Re: [cti] RE: [EXT] Re: [cti] TAXII definition of "Done"

    Posted 12-08-2018 21:52
    So for STIX we have a rule system that new features need:

    1) Two sponsors
    2) Needs to be implemented in two different code bases
    3) Needs to have proof-of-concept code
    4) Needs all specification text and some interoperability tests

    A question for TAXII is, is this rule set still applicable? Or does it need some changes? If so, what constitutes a new feature? In STIX this is generally understood to mean a new object, but what is the equivalent in TAXII? Also additional properties, changes to properties, new relationship types, new vocab entries do not have a formal process for STIX. So where is that line for TAXII?

    Clearly I think there are some things that we could easily identify as candidates for a more formal vetting process, those would be things like a solution for Query and TAXII Channels. But what else? Does a new endpoint need this? If so, are there times when it would not? Just some questions for the TC to think about.

    Also, as TAXII 2.1 does not currently have anything "new", just a bunch of changes / fixes from 2.0, I am not sure if this process is needed for 2.1, but I would be happy to hear if people think differently.

    One of the things that is not yet addressed is how does the TC decide to work on something new, either for STIX or TAXII, also, how does the TC decide if something should be included in a release of STIX or TAXII? I wrote up a draft proposal for this, that we may also need to address at the same time as any process changes for TAXII.

    Bret


  • 14.  Re: [cti] RE: [EXT] Re: [cti] TAXII definition of "Done"

    Posted 12-08-2018 22:00
    Here is the email I sent on the work process draft.  https://www.oasis-open.org/apps/org/workgroup/cti/email/archives/201809/msg00004.html Bret From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com> Sent: Saturday, December 8, 2018 2:51:38 PM To: John-Mark Gurney; Matt Pladna Cc: Kelley, Sarah E.; cti@lists.oasis-open.org Subject: Re: [cti] RE: [EXT] Re: [cti] TAXII definition of "Done"   So for STIX we have a rule system that new features need: 1) Two sponsors  2) Needs to be implemented in two different code bases 3) Needs to have proof-of-concept code 4) Needs all specification text and some interoperability tests  A question for TAXII is, is this rule set still applicable?  Or does it need some changes?  If so, what constitutes a new feature?  In STIX this is generally understood to mean a new object. but what is the equivalent in TAXII.  Also additional properties, changes to properties, new relationship types, new vocab entries do not have a formal process for STIX.  So where is that line for TAXII ? Clearly I think there are some things that we could easily identify as candidates for a more formal vetting process, those would be things like a solution for Query and TAXII Channels. But what else? Does a new endpoint need this? If so, are there times when it would not?  Just some questions for the TC to think about.  Also, as TAXII 2.1 does not currently have anything "new", just a bunch of changes / fixes from 2.0, I am not sure if this process is needed for 2.1, but I would be happy to hear if people think differently.  One of the things that is not yet addressed is how does the TC decide to work on something new, either for STIX or TAXII, also, how does the TC decide if something should be included in a release of STIX or TAXII?  I wrote up a draft proposal for this, that we may also need to address at the same time as any process changes for TAXII.  
Bret   From: John-Mark Gurney <jmg@newcontext.com> Sent: Friday, December 7, 2018 5:38:37 PM To: Matt Pladna Cc: Bret Jordan; Kelley, Sarah E.; cti@lists.oasis-open.org Subject: Re: [cti] RE: [EXT] Re: [cti] TAXII definition of "Done"   Matt Pladna wrote this message on Fri, Dec 07, 2018 at 19:08 +0000: > I support having TAXII meet some definition of Done Kelley. I agree that TAXII needs to have the same definition of done as the rest of the TC... > Also, isn’t this a process change vs a feature change to the spec?  Or is the point that there should be a vote for this before it’s decided? > > What would the # of people out of 200 be required to make this happen? > > From: <cti@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com> > Date: Friday, December 7, 2018 at 14:04 > To: "Kelley, Sarah E." <skelley@mitre.org> > Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> > Subject: Re: [cti] RE: [EXT] Re: [cti] TAXII definition of "Done" > > And as I said in my last email... > > “While I fundamentally do not disagree, I have yet to see the TC push for this.  By this philosophy we should have adopted the whole content process that I sent to the TC as a fully developed working draft several months ago. > > > So unless there is a ground swell of the TC that is pushing for this, I would object simply out of principle.  This is the same reason why tons of new things are not just added to TAXII, there is no demand for them and it is not up to me to just add them.” > > > So I object on principle.  You have 4 people out of over 200 which is less than 2%.  The TC has made it really clear as of late that talking about process is not something people want to do.  And if we are going to try and talk about process then once again I want to bring up the fully fleshed out Draft I submitted to the TC, which basically codifies what we have been doing behind the scenes. 
> > Bret > > Sent from my Commodore 128D > > > PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 > > On Dec 7, 2018, at 10:08 AM, Kelley, Sarah E. <skelley@mitre.org<mailto:skelley@mitre.org>> wrote: > Bret, > > As of last week, the people in support of having TAXII meet some definition of “done” was: > > Sarah Kelley > Jason Keirstead > John Wunder > Allan Thompson > and you: > > “I am fine with that (since this is what I am doing behind the scenes anyways), but this would need to be taken to a ballot just like we did for STIX.  It would need to be binding, not just a casual agreement. “ > Since no one objected to the idea, and at least five people supported it, the goal was to move the ball further down the court and see if there was an appetite for taking this to a ballot and making it more official, and if so, to figure out when we might want to do that. > > Thanks, > > Sarah Kelley > Lead Cybersecurity Engineer, T8B2 > Defensive Operations > The MITRE Corporation > 703-983-6242 > skelley@mitre.org< mailto:skelley@mitre.org > > <image003.jpg><https://clicktime.symantec.com/a/1/vncIdxSA3A4xal5shRajaDYU9DQpDQJrpTsBsIQYQT0=?d=ItDYMdKTUJlWiicY2nDNmyqFNII0tqf5Pi46Zp5KtCLRpKQg8SNHxmyrlL4EOK4HmyAfOTgA4Q9Q7Sk0NDox8-zxxIz01Og0Pzj2DbzvbUAHkcOYLaJmH8mwz26zgSn0vjNSh4H_Dyfm4QC2Mbdq9QoqElEWvgQbWogiLFm5Ib_KzA71P_uzGGFrFwNoWvmw9hzRDf4YkoRQIs6_i-PY_efoVGFnvmd0zR-hTYe9BuXxA2HnUrceX2a1Qo29Zz2a62Mt-1izHM1GYUOPNc8WYE7fX_U6X2mM8X1dxd9clDG5VBh16ZCTJrdh9EpEaLncI2gFzkxbpXKvjUblkAzmk8P26RPSjXyxAbiPSwJ1mpIQlKHc_Pw8b-fI5UD9qPMvQ23J_9yPEPVovKQkVokgNTYbqgxSrKx34F6wJ40Mf6NxiBTNWwnTkWdlNupAMVJ-GL5oEvDFzN_J7Fp8jML54Z3FnrTkgAK0csiCzz6KjH4ECxMIgpUVKsO_&u=http%3A%2F%2Fwww.mitre.org%2F> > > From: Bret Jordan <Bret_Jordan@symantec.com<mailto:Bret_Jordan@symantec.com>> > Sent: Thursday, December 6, 2018 4:58 PM > To: Kelley, Sarah E. 
<skelley@mitre.org<mailto:skelley@mitre.org>> > Cc: cti@lists.oasis-open.org<mailto:cti@lists.oasis-open.org> > Subject: Re: [cti] RE: [EXT] Re: [cti] TAXII definition of "Done" > > In all things consensus based, there is the “does anyone object” and two, “who supports and is driving this”. > > It is generally not good form to do things by “objection” but rather first by demand and then by objection. > > While I fundamentally do not disagree, I have yet to see the TC push for this.  By this philosophy we should have adopted the whole content process that I sent to the TC as a fully developed working draft several months ago. > > So unless there is a ground swell of the TC that is pushing for this, I would object simply out of principle.  This is the same reason why tons of new things are not just added to TAXII, there is no demand for them and it is not up to me to just add them. > > Bret > Sent from my Commodore 128D > > > > PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 > > On Dec 7, 2018, at 2:23 AM, Kelley, Sarah E. <skelley@mitre.org<mailto:skelley@mitre.org>> wrote: > All, > > Having seen no objections to the idea of instituting a mandate of “done” for TAXII (in addition to STIX), I believe the next step would be to decide when we want to institute that policy. As with STIX, the best way to institute that new policy would be to have a ballot on it, so we would need to decide when to open that ballot. > > In my understanding of the changes in the current WD that is open for ballot, the only new “thing” is the client user-agent. From my perspective, this seems like a relatively small change to hold up with the addition of this new process, however something like TAXII query would make sense to have proven out in code and to pre-build interop tests for. > > What do the TC members think about when we should start the ball rolling on implementing this policy? 
> > Thanks, > > Sarah Kelley > Lead Cybersecurity Engineer, T8B2 > Defensive Operations > The MITRE Corporation > 703-983-6242 > skelley@mitre.org< mailto:skelley@mitre.org > > > From: Bret Jordan <Bret_Jordan@symantec.com<mailto:Bret_Jordan@symantec.com>> > Sent: Tuesday, November 27, 2018 5:29 PM > To: Allan Thomson <athomson@lookingglasscyber.com<mailto:athomson@lookingglasscyber.com>>; Wunder, John A. <jwunder@mitre.org<mailto:jwunder@mitre.org>>; Jason Keirstead <Jason.Keirstead@ca.ibm.com<mailto:Jason.Keirstead@ca.ibm.com>>; Kelley, Sarah E. <skelley@mitre.org<mailto:skelley@mitre.org>> > Cc: cti@lists.oasis-open.org<mailto:cti@lists.oasis-open.org> > Subject: Re: [EXT] Re: [cti] TAXII definition of "Done" > > > I am fine with that (since this is what I am doing behind the scenes anyways), but this would need to be taken to a ballot just like we did for STIX.  It would need to be binding, not just a casual agreement. > > > > What I am doing right now is making sure every feature that gets added to TAXII is actually implemented in my libraries and test server (at some level).  I am doing this to help prevent the problems we had with TAXII 2.0, where 20 minutes in to coding we realized that, that design does not work in code.  
Some of the issues we have resolved in TAXII 2.1 have come about because of this code work that I and others have done and the plugfests we have held.  I am a firm believer in "working code" and easy to implement in code.  I think those are two of the pillars to adoption. > > > > One of the differences we have in TAXII versus STIX though is, TAXII does not have features that are just conceptual models. STIX on the other hand can just be "modeled" and not implemented.  This is why it was so important to have the "written in code" clause for STIX. > > > > Bret > > ________________________________ > From: cti@lists.oasis-open.org<mailto:cti@lists.oasis-open.org> <cti@lists.oasis-open.org<mailto:cti@lists.oasis-open.org>> on behalf of Allan Thomson <athomson@lookingglasscyber.com<mailto:athomson@lookingglasscyber.com>> > Sent: Tuesday, November 27, 2018 2:26:44 PM > To: Wunder, John A.; Jason Keirstead; Kelley, Sarah E. > Cc: cti@lists.oasis-open.org<mailto:cti@lists.oasis-open.org> > Subject: [EXT] Re: [cti] TAXII definition of "Done" > > > +1 to TAXII features starting to require the same level of doneness as STIX changes. > > > > Allan > > > > From: "cti@lists.oasis-open.org<mailto:cti@lists.oasis-open.org>" <cti@lists.oasis-open.org<mailto:cti@lists.oasis-open.org>> on behalf of "Wunder, John" <jwunder@mitre.org<mailto:jwunder@mitre.org>> > Date: Tuesday, November 27, 2018 at 1:21 PM > To: Jason Keirstead <Jason.Keirstead@ca.ibm.com<mailto:Jason.Keirstead@ca.ibm.com>>, "Kelley, Sarah E." <skelley@mitre.org<mailto:skelley@mitre.org>> > Cc: "cti@lists.oasis-open.org<mailto:cti@lists.oasis-open.org>" <cti@lists.oasis-open.org<mailto:cti@lists.oasis-open.org>> > Subject: Re: [cti] TAXII definition of "Done" > > > > Agreed, the same motivation for wanting to do this for STIX applies to TAXII. 
I’d also keep in mind that requiring sponsors and interop text makes it so that you’re not just evaluating technical feasibility (the implementation piece), you’re also ensuring that there’s defined use cases and a real scenario where it can be used (a concern discussed on the call). It’s way easier to say yes to something new than to say no, so it’s important to have these checks in place to make sure we don’t end up with something overly broad again. > > > > John > > > > From: <cti@lists.oasis-open.org<mailto:cti@lists.oasis-open.org>> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com<mailto:Jason.Keirstead@ca.ibm.com>> > Date: Tuesday, November 27, 2018 at 4:15 PM > To: "Kelley, Sarah E." <skelley@mitre.org<mailto:skelley@mitre.org>> > Cc: "cti@lists.oasis-open.org<mailto:cti@lists.oasis-open.org>" <cti@lists.oasis-open.org<mailto:cti@lists.oasis-open.org>> > Subject: Re: [cti] TAXII definition of "Done" > > > > I would also agree that TAXII features should also meet the STIX definition of "done" in order to be included in the spec. > > - > Jason Keirstead > Lead Architect - IBM Security Connect > www.ibm.com/security > > "Things may come to those who wait, but only the things left by those who hustle." - Unknown > > > > > From:        "Kelley, Sarah E." <skelley@mitre.org<mailto:skelley@mitre.org>> > To:        "cti@lists.oasis-open.org<mailto:cti@lists.oasis-open.org>" <cti@lists.oasis-open.org<mailto:cti@lists.oasis-open.org>> > Date:        11/27/2018 04:56 PM > Subject:        [cti] TAXII definition of "Done" > Sent by:        <cti@lists.oasis-open.org<mailto:cti@lists.oasis-open.org>> > > ________________________________ > > > > All, > > As I mentioned on the working call today, we have imposed a very strict definition of “Done” for new features/objects in STIX, however, we have never agreed as a TC to impose the same rigorous standards to TAXII. 
Given the fact that some of the issues that prompted us to implement this definition came about when people attempted to implement TAXII, it seems only logical to me that we would impose the same standards to both specifications. > > As a reminder, the definition of “Done” for STIX includes: > >   1.  Written specification text > >   2.  Proof of concept code from at least two different developers/companies > >   3.  Corresponding Interop tests > > > For some of the newer features in TAXII, namely TAXII query, it seems to make sense to me that it should be proved in code before we finalize it in the specification. > > I wanted to bring this topic to the list and see what other people thought about this. > > Thanks, > > Sarah Kelley > Lead Cybersecurity Engineer, T8B2 > Defensive Operations > The MITRE Corporation > 703-983-6242 > skelley@mitre.org< mailto:skelley@mitre.org > > >  [attachment "image003.jpg" deleted by Jason Keirstead/CanEast/IBM] > > > > > -- John-Mark


  • 15.  Re: [cti] RE: [EXT] Re: [cti] TAXII definition of "Done"

    Posted 12-07-2018 19:38
    I also support some definition of done for TAXII. > On Dec 7, 2018, at 7:23 AM, Kelley, Sarah E. <skelley@mitre.org> wrote: > > Bret, > > As of last week, the people in support of having TAXII meet some definition of “done” was: > > Sarah Kelley > Jason Keirstead > John Wunder > Allan Thompson > and you: > “I am fine with that (since this is what I am doing behind the scenes anyways), but this would need to be taken to a ballot just like we did for STIX. It would need to be binding, not just a casual agreement.” > > Since no one objected to the idea, and at least five people supported it, the goal was to move the ball further down the court and see if there was an appetite for taking this to a ballot and making it more official, and if so, to figure out when we might want to do that. > > Thanks, > > Sarah Kelley > Lead Cybersecurity Engineer, T8B2 > Defensive Operations > The MITRE Corporation > 703-983-6242 > skelley@mitre.org > > From: Bret Jordan <Bret_Jordan@symantec.com> > Sent: Thursday, December 6, 2018 4:58 PM > To: Kelley, Sarah E. <skelley@mitre.org> > Cc: cti@lists.oasis-open.org > Subject: Re: [cti] RE: [EXT] Re: [cti] TAXII definition of "Done" > > In all things consensus based, there is the “does anyone object” and two, “who supports and is driving this”. > > It is generally not good form to do things by “objection” but rather first by demand and then by objection. > > While I fundamentally do not disagree, I have yet to see the TC push for this. By this philosophy we should have adopted the whole content process that I sent to the TC as a fully developed working draft several months ago. > > So unless there is a ground swell of the TC that is pushing for this, I would object simply out of principle. This is the same reason why tons of new things are not just added to TAXII, there is no demand for them and it is not up to me to just add them. 
> > Bret > > Sent from my Commodore 128D > > > PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 > > On Dec 7, 2018, at 2:23 AM, Kelley, Sarah E. <skelley@mitre.org> wrote: > > All, > > Having seen no objections to the idea of instituting a mandate of “done” for TAXII (in addition to STIX), I believe the next step would be to decide when we want to institute that policy. As with STIX, the best way to institute that new policy would be to have a ballot on it, so we would need to decide when to open that ballot. > > In my understanding of the changes in the current WD that is open for ballot, the only new “thing” is the client user-agent. From my perspective, this seems like a relatively small change to hold up with the addition of this new process, however something like TAXII query would make sense to have proven out in code and to pre-build interop tests for. > > What do the TC members think about when we should start the ball rolling on implementing this policy? > > Thanks, > > Sarah Kelley > Lead Cybersecurity Engineer, T8B2 > Defensive Operations > The MITRE Corporation > 703-983-6242 > skelley@mitre.org > > From: Bret Jordan <Bret_Jordan@symantec.com> > Sent: Tuesday, November 27, 2018 5:29 PM > To: Allan Thomson <athomson@lookingglasscyber.com>; Wunder, John A. <jwunder@mitre.org>; Jason Keirstead <Jason.Keirstead@ca.ibm.com>; Kelley, Sarah E. <skelley@mitre.org> > Cc: cti@lists.oasis-open.org > Subject: Re: [EXT] Re: [cti] TAXII definition of "Done" > > I am fine with that (since this is what I am doing behind the scenes anyways), but this would need to be taken to a ballot just like we did for STIX. It would need to be binding, not just a casual agreement. > > > > What I am doing right now is making sure every feature that gets added to TAXII is actually implemented in my libraries and test server (at some level). 
I am doing this to help prevent the problems we had with TAXII 2.0, where 20 minutes in to coding we realized that, that design does not work in code. Some of the issues we have resolved in TAXII 2.1 have come about because of this code work that I and others have done and the plugfests we have held. I am a firm believer in "working code" and easy to implement in code. I think those are two of the pillars to adoption. > > > > One of the differences we have in TAXII versus STIX though is, TAXII does not have features that are just conceptual models. STIX on the other hand can just be "modeled" and not implemented. This is why it was so important to have the "written in code" clause for STIX. > > > > Bret > > From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com> > Sent: Tuesday, November 27, 2018 2:26:44 PM > To: Wunder, John A.; Jason Keirstead; Kelley, Sarah E. > Cc: cti@lists.oasis-open.org > Subject: [EXT] Re: [cti] TAXII definition of "Done" > > +1 to TAXII features starting to require the same level of doneness as STIX changes. > > Allan > > From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "Wunder, John" <jwunder@mitre.org> > Date: Tuesday, November 27, 2018 at 1:21 PM > To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>, "Kelley, Sarah E." <skelley@mitre.org> > Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> > Subject: Re: [cti] TAXII definition of "Done" > > Agreed, the same motivation for wanting to do this for STIX applies to TAXII. I’d also keep in mind that requiring sponsors and interop text makes it so that you’re not just evaluating technical feasibility (the implementation piece), you’re also ensuring that there’s defined use cases and a real scenario where it can be used (a concern discussed on the call). 
It’s way easier to say yes to something new than to say no, so it’s important to have these checks in place to make sure we don’t end up with something overly broad again. > > John > > From: <cti@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com> > Date: Tuesday, November 27, 2018 at 4:15 PM > To: "Kelley, Sarah E." <skelley@mitre.org> > Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> > Subject: Re: [cti] TAXII definition of "Done" > > I would also agree that TAXII features should also meet the STIX definition of "done" in order to be included in the spec. > > - > Jason Keirstead > Lead Architect - IBM Security Connect > www.ibm.com/security > > "Things may come to those who wait, but only the things left by those who hustle." - Unknown > > > > > From: "Kelley, Sarah E." <skelley@mitre.org> > To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> > Date: 11/27/2018 04:56 PM > Subject: [cti] TAXII definition of "Done" > Sent by: <cti@lists.oasis-open.org> > > > > All, > > As I mentioned on the working call today, we have imposed a very strict definition of “Done” for new features/objects in STIX, however, we have never agreed as a TC to impose the same rigorous standards to TAXII. Given the fact that some of the issues that prompted us to implement this definition came about when people attempted to implement TAXII, it seems only logical to me that we would impose the same standards to both specifications. > > As a reminder, the definition of “Done” for STIX includes: > Written specification text > Proof of concept code from at least two different developers/companies > Corresponding Interop tests > > For some of the newer features in TAXII, namely TAXII query, it seems to make sense to me that it should be proved in code before we finalize it in the specification. > > I wanted to bring this topic to the list and see what other people thought about this. 
> > Thanks, > > Sarah Kelley > Lead Cybersecurity Engineer, T8B2 > Defensive Operations > The MITRE Corporation > 703-983-6242 > skelley@mitre.org > > [attachment "image003.jpg" deleted by Jason Keirstead/CanEast/IBM]