CTI STIX Subcommittee

Expand all | Collapse all

Re: [cti-stix] MTI Binding

  • 1.  Re: [cti-stix] MTI Binding

    Posted 10-06-2015 16:41





    Bret, I think we need to propose that STIX, CybOX, and TAXII have to require a default binding type first. Then the MTI motion could be changed to something like, “I would like to propose that we adopt JSON as the default binding”.


    Aharon









    From: < cti-stix@lists.oasis-open.org > on behalf of "Jordan, Bret"
    Date: Tuesday, October 6, 2015 at 11:45 AM
    To: " cti-users@lists.oasis-open.org ", " cti-stix@lists.oasis-open.org "
    Subject: [cti-stix] MTI Binding





    We have had a good discussion here and on the wiki and I have seen a lot of people advocating for JSON to be used as the MTI.  While a few other options have been tossed around and discussed they do not seem to have an advocate pushing for them nor do they
    seem to have the broad support that JSON does.  


    Therefore, I would like to formally propose that we adopt JSON as the MTI for STIX 2.0 and CybOX 3.0.













    Thanks,


    Bret











    Bret Jordan CISSP

    Director of Security Architecture and Standards Office of the CTO

    Blue Coat Systems

    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 











    On Oct 6, 2015, at 06:17, Davidson II, Mark S < mdavidson@MITRE.ORG > wrote:




    I think we’re wrapped around the axle a little bit on this whole topic. I’d like to try and step back and ask some basic questions:

     

    1. Is anyone actually proposing JSON-LD as the MTI for STIX? I’ve seen the question asked, and I’ve seen   lots   of
    discussion. Is there somebody who would like to come forward and state their opinion that JSON-LD should be the MTI for STIX?

    Note: I see this question as a higher bar than asking who thinks we should consider it – IMO the recent discussion makes it clear that we are considering it



    2. There was an opinion that the proposed examples (the indicator and incident idioms) wouldn’t be sufficient for comparing size and complexity. What examples
    would be sufficient?



    3. What toolchain is required to develop software that supports using a model without any custom code? Maybe I’m missing something, but if I have a product and
    I want to add STIX support, won’t developers have to write code?  

    I guess at its core – I hear what people are saying about models and not programming to the data syntax, I just don’t understand how that actually works (the
    more concrete the example the better, at least for me).

     

    Thank you.

    -Mark

     














  • 2.  Re: [cti-stix] MTI Binding

    Posted 10-06-2015 16:49
    Sounds good...

    I would like to formally make a motion that we require a default binding for STIX 2.0 and CybOX 3.0.


    If this is agreed upon, then:

    I would like to formally make a motion that the default binding for STIX 2.0 and CybOX 3.0 be JSON.


    Thanks,

    Bret



    Bret Jordan CISSP
    Director of Security Architecture and Standards | Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

    > On Oct 6, 2015, at 10:40, Aharon Chernin <achernin@soltra.com> wrote:
    >
    > Bret, I think we need to propose that STIX, CybOX, and TAXII have to require a default binding type first. Then the MTI motion could be changed to something like, “I would like to propose that we adopt JSON as the default binding”.
    >
    > Aharon
    >
    > From: <cti-stix@lists.oasis-open.org <mailto:cti-stix@lists.oasis-open.org>> on behalf of "Jordan, Bret"
    > Date: Tuesday, October 6, 2015 at 11:45 AM
    > To: "cti-users@lists.oasis-open.org <mailto:cti-users@lists.oasis-open.org>", "cti-stix@lists.oasis-open.org <mailto:cti-stix@lists.oasis-open.org>"
    > Subject: [cti-stix] MTI Binding
    >
    > We have had a good discussion here and on the wiki and I have seen a lot of people advocating for JSON to be used as the MTI. While a few other options have been tossed around and discussed they do not seem to have an advocate pushing for them nor do they seem to have the broad support that JSON does.
    >
    > Therefore, I would like to formally propose that we adopt JSON as the MTI for STIX 2.0 and CybOX 3.0.
    >
    >
    > Thanks,
    >
    > Bret
    >
    >
    >
    > Bret Jordan CISSP
    > Director of Security Architecture and Standards | Office of the CTO
    > Blue Coat Systems
    > PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    > "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
    >
    >> On Oct 6, 2015, at 06:17, Davidson II, Mark S <mdavidson@MITRE.ORG <mailto:mdavidson@MITRE.ORG>> wrote:
    >>
    >> I think we’re wrapped around the axle a little bit on this whole topic. I’d like to try and step back and ask some basic questions:
    >>
    >> 1. Is anyone actually proposing JSON-LD as the MTI for STIX? I’ve seen the question asked, and I’ve seen lots of discussion. Is there somebody who would like to come forward and state their opinion that JSON-LD should be the MTI for STIX?
    >> Note: I see this question as a higher bar than asking who thinks we should consider it – IMO the recent discussion makes it clear that we are considering it
    >>
    >> 2. There was an opinion that the proposed examples (the indicator and incident idioms) wouldn’t be sufficient for comparing size and complexity. What examples would be sufficient?
    >>
    >> 3. What toolchain is required to develop software that supports using a model without any custom code? Maybe I’m missing something, but if I have a product and I want to add STIX support, won’t developers have to write code?
    >> I guess at its core – I hear what people are saying about models and not programming to the data syntax, I just don’t understand how that actually works (the more concrete the example the better, at least for me).
    >>
    >> Thank you.
    >> -Mark
    >>
    >




  • 3.  Re: [cti-stix] MTI Binding

    Posted 10-06-2015 16:49
    Sounds good... I would like to formally make a motion that we require a default binding for STIX 2.0 and CybOX 3.0.   If this is agreed upon, then: I would like to formally make a motion that the default binding for STIX 2.0 and CybOX 3.0 be JSON. Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.   On Oct 6, 2015, at 10:40, Aharon Chernin < achernin@soltra.com > wrote: Bret, I think we need to propose that STIX, CybOX, and TAXII have to require a default binding type first. Then the MTI motion could be changed to something like, “I would like to propose that we adopt JSON as the default binding”. Aharon From: < cti-stix@lists.oasis-open.org > on behalf of Jordan, Bret Date: Tuesday, October 6, 2015 at 11:45 AM To: cti-users@lists.oasis-open.org , cti-stix@lists.oasis-open.org Subject: [cti-stix] MTI Binding We have had a good discussion here and on the wiki and I have seen a lot of people advocating for JSON to be used as the MTI.  While a few other options have been tossed around and discussed they do not seem to have an advocate pushing for them nor do they seem to have the broad support that JSON does.   Therefore, I would like to formally propose that we adopt JSON as the MTI for STIX 2.0 and CybOX 3.0. Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.   On Oct 6, 2015, at 06:17, Davidson II, Mark S < mdavidson@MITRE.ORG > wrote: I think we’re wrapped around the axle a little bit on this whole topic. I’d like to try and step back and ask some basic questions:   1. Is anyone actually proposing JSON-LD as the MTI for STIX? I’ve seen the question asked, and I’ve seen   lots   of discussion. Is there somebody who would like to come forward and state their opinion that JSON-LD should be the MTI for STIX? Note: I see this question as a higher bar than asking who thinks we should consider it – IMO the recent discussion makes it clear that we are considering it 2. There was an opinion that the proposed examples (the indicator and incident idioms) wouldn’t be sufficient for comparing size and complexity. What examples would be sufficient? 3. What toolchain is required to develop software that supports using a model without any custom code? Maybe I’m missing something, but if I have a product and I want to add STIX support, won’t developers have to write code?   I guess at its core – I hear what people are saying about models and not programming to the data syntax, I just don’t understand how that actually works (the more concrete the example the better, at least for me).   Thank you. -Mark   Attachment: signature.asc Description: Message signed with OpenPGP using GPGMail


  • 4.  Re: [cti-users] Re: [cti-stix] MTI Binding

    Posted 10-06-2015 17:08
    I too would like to see JSON as the default and second that!

    Kevin Wetzel
    Jigsaw Enterprise
    www.jigsaw-security.com


    > On Oct 6, 2015, at 12:49 PM, Jordan, Bret <bret.jordan@bluecoat.com> wrote:
    >
    > Sounds good...
    >
    > I would like to formally make a motion that we require a default binding for STIX 2.0 and CybOX 3.0.
    >
    >
    > If this is agreed upon, then:
    >
    > I would like to formally make a motion that the default binding for STIX 2.0 and CybOX 3.0 be JSON.
    >
    >
    > Thanks,
    >
    > Bret
    >
    >
    >
    > Bret Jordan CISSP
    > Director of Security Architecture and Standards | Office of the CTO
    > Blue Coat Systems
    > PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    > "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
    >
    >> On Oct 6, 2015, at 10:40, Aharon Chernin <achernin@soltra.com> wrote:
    >>
    >> Bret, I think we need to propose that STIX, CybOX, and TAXII have to require a default binding type first. Then the MTI motion could be changed to something like, “I would like to propose that we adopt JSON as the default binding”.
    >>
    >> Aharon
    >>
    >> From: <cti-stix@lists.oasis-open.org> on behalf of "Jordan, Bret"
    >> Date: Tuesday, October 6, 2015 at 11:45 AM
    >> To: "cti-users@lists.oasis-open.org", "cti-stix@lists.oasis-open.org"
    >> Subject: [cti-stix] MTI Binding
    >>
    >> We have had a good discussion here and on the wiki and I have seen a lot of people advocating for JSON to be used as the MTI. While a few other options have been tossed around and discussed they do not seem to have an advocate pushing for them nor do they seem to have the broad support that JSON does.
    >>
    >> Therefore, I would like to formally propose that we adopt JSON as the MTI for STIX 2.0 and CybOX 3.0.
    >>
    >>
    >> Thanks,
    >>
    >> Bret
    >>
    >>
    >>
    >> Bret Jordan CISSP
    >> Director of Security Architecture and Standards | Office of the CTO
    >> Blue Coat Systems
    >> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    >> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
    >>
    >>> On Oct 6, 2015, at 06:17, Davidson II, Mark S <mdavidson@MITRE.ORG> wrote:
    >>>
    >>> I think we’re wrapped around the axle a little bit on this whole topic. I’d like to try and step back and ask some basic questions:
    >>>
    >>> 1. Is anyone actually proposing JSON-LD as the MTI for STIX? I’ve seen the question asked, and I’ve seen lots of discussion. Is there somebody who would like to come forward and state their opinion that JSON-LD should be the MTI for STIX?
    >>> Note: I see this question as a higher bar than asking who thinks we should consider it – IMO the recent discussion makes it clear that we are considering it
    >>>
    >>> 2. There was an opinion that the proposed examples (the indicator and incident idioms) wouldn’t be sufficient for comparing size and complexity. What examples would be sufficient?
    >>>
    >>> 3. What toolchain is required to develop software that supports using a model without any custom code? Maybe I’m missing something, but if I have a product and I want to add STIX support, won’t developers have to write code?
    >>> I guess at its core – I hear what people are saying about models and not programming to the data syntax, I just don’t understand how that actually works (the more concrete the example the better, at least for me).
    >>>
    >>> Thank you.
    >>> -Mark
    >



  • 5.  Model / Binding Motions

    Posted 10-06-2015 18:05
    By my count:


    1. We have Bret’s motion that we require a default binding for STIX and CybOX and it requires a second.

    a. If this motion succeeds, we have Bret’s motion that JSON be chosen as the default binding for STIX and CybOX and it requires a second.

    i. Kevin Wetzel, I apologize but I do not see you as a member of the cti committee… please follow up with myself, Rich, Chet or OASIS if that’s an incorrect assumption

    b. We also have an (alternate?) proposal from Cory that JSON-LD specifically be chosen as our default binding and it requires a second.

    I must admit this conversation has been very difficult to follow – if I’m missing a key motion that we construct a UML / RDF / OWL model that’s separate from choosing a new preferred binding / data encoding, please feel free to propose or second any motions.

    Thanks,

    Alex

    From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Jordan, Bret
    Sent: Tuesday, October 06, 2015 12:49 PM
    To: Aharon Chernin
    Cc: cti-users@lists.oasis-open.org; cti-stix@lists.oasis-open.org
    Subject: [cti-users] Re: [cti-stix] MTI Binding

    Sounds good...

    I would like to formally make a motion that we require a default binding for STIX 2.0 and CybOX 3.0.


    If this is agreed upon, then:

    I would like to formally make a motion that the default binding for STIX 2.0 and CybOX 3.0 be JSON.

    Thanks,

    Bret



    Bret Jordan CISSP
    Director of Security Architecture and Standards | Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

    On Oct 6, 2015, at 10:40, Aharon Chernin <achernin@soltra.com<mailto:achernin@soltra.com>> wrote:

    Bret, I think we need to propose that STIX, CybOX, and TAXII have to require a default binding type first. Then the MTI motion could be changed to something like, “I would like to propose that we adopt JSON as the default binding”.

    Aharon

    From: <cti-stix@lists.oasis-open.org<mailto:cti-stix@lists.oasis-open.org>> on behalf of "Jordan, Bret"
    Date: Tuesday, October 6, 2015 at 11:45 AM
    To: "cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>", "cti-stix@lists.oasis-open.org<mailto:cti-stix@lists.oasis-open.org>"
    Subject: [cti-stix] MTI Binding

    We have had a good discussion here and on the wiki and I have seen a lot of people advocating for JSON to be used as the MTI. While a few other options have been tossed around and discussed they do not seem to have an advocate pushing for them nor do they seem to have the broad support that JSON does.

    Therefore, I would like to formally propose that we adopt JSON as the MTI for STIX 2.0 and CybOX 3.0.


    Thanks,

    Bret



    Bret Jordan CISSP
    Director of Security Architecture and Standards | Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

    On Oct 6, 2015, at 06:17, Davidson II, Mark S <mdavidson@MITRE.ORG<mailto:mdavidson@MITRE.ORG>> wrote:

    I think we’re wrapped around the axle a little bit on this whole topic. I’d like to try and step back and ask some basic questions:

    1. Is anyone actually proposing JSON-LD as the MTI for STIX? I’ve seen the question asked, and I’ve seen lots of discussion. Is there somebody who would like to come forward and state their opinion that JSON-LD should be the MTI for STIX?
    Note: I see this question as a higher bar than asking who thinks we should consider it – IMO the recent discussion makes it clear that we are considering it


    2. There was an opinion that the proposed examples (the indicator and incident idioms) wouldn’t be sufficient for comparing size and complexity. What examples would be sufficient?


    3. What toolchain is required to develop software that supports using a model without any custom code? Maybe I’m missing something, but if I have a product and I want to add STIX support, won’t developers have to write code?
    I guess at its core – I hear what people are saying about models and not programming to the data syntax, I just don’t understand how that actually works (the more concrete the example the better, at least for me).

    Thank you.
    -Mark




    ----------------------------------------------------------------------
    This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer. If you are not the intended recipient, please delete this message.
    Re: Is anyone actually proposing JSON-LD as the MTI for STIX?
    Ok, I will step into it and propose JSON-LD as a MTI based on the following MINIMUM requirements for any exchange format:
    1: That all data exchange is described by one or more machine readable schema
    2: That all exchange data reference its definition(s) such that every tag used may be deterministically bound to its definition
    3: That elements in an exchange document be able to reference elements in other exchange documents
    4: That all STIX exchange formats utilize existing standards and not duplicate standard capabilities.
    5: That the STIX exchange schema scale in complexity based on requirements (simple things should be simple, complex things possible and reasonable)

    I would note that current STIX-XML meets all of the above except #3 and perhaps #5. Simple JSON meets none. IMHO JSON-LD meets all. It is not perfect, perfect is not available – it seems a good balance between simplicity and flexibility. I would also emphasize that the above list is minimal, there are other desirable features. I would be surprised if these requirements were not ubiquitous in the group.

    I would also point out the relative risks. If some are correct and STIX is a closed manual coded system then JSON-LD will have some unused and ignored context sections in the front and we will have wasted some time making the RDF schema. The alternative risk for “simple JSON” is that it will not be possible to have dynamic use of stix data, that data external to stix will be unusable, that data internal to stix will be unavailable to others – that STIX is another “data island” where the sea-change is moving in the opposite direction.

    -Cory Casanave

    From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Davidson II, Mark S
    Sent: Tuesday, October 06, 2015 8:17 AM
    To: Jordan, Bret; Cory Casanave; cti-users@lists.oasis-open.org; cti-stix@lists.oasis-open.org
    Subject: [cti-users] RE: [cti-stix] [cti-users] MTI Binding

    I think we’re wrapped around the axle a little bit on this whole topic. I’d like to try and step back and ask some basic questions:

    1. Is anyone actually proposing JSON-LD as the MTI for STIX? I’ve seen the question asked, and I’ve seen lots of discussion. Is there somebody who would like to come forward and state their opinion that JSON-LD should be the MTI for STIX?
    Note: I see this question as a higher bar than asking who thinks we should consider it – IMO the recent discussion makes it clear that we are considering it
    2. There was an opinion that the proposed examples (the indicator and incident idioms) wouldn’t be sufficient for comparing size and complexity. What examples would be sufficient?
    3. What toolchain is required to develop software that supports using a model without any custom code? Maybe I’m missing something, but if I have a product and I want to add STIX support, won’t developers have to write code?
    I guess at its core – I hear what people are saying about models and not programming to the data syntax, I just don’t understand how that actually works (the more concrete the example the better, at least for me).

    Thank you.
    -Mark

    From: cti-stix@lists.oasis-open.org<mailto:cti-stix@lists.oasis-open.org> [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Jordan, Bret
    Sent: Monday, October 05, 2015 10:23 PM
    To: Cory Casanave <cory-c@modeldriven.com<mailto:cory-c@modeldriven.com>>; cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>; cti-stix@lists.oasis-open.org<mailto:cti-stix@lists.oasis-open.org>
    Subject: Re: [cti-stix] [cti-users] MTI Binding

    Cory,

    Please help me understand....

    Say for kicks and giggles I have some structs that looks like this to consume an Indicator in a STIX package

    type StixMessageType struct {
    Id string `json:"id,omitempty"`
    IdRef string `json:"idref,omitempty"`
    Timestamp string `json:"timestamp,omitempty"`
    Version string `json:"version,omitempty"`
    Indicators []indicator.IndicatorType `json:"indicators,omitempty"`
    }

    type IndicatorType struct {
    Id string `json:"id,omitempty"`
    IdRef string `json:"idref,omitempty"`
    Timestamp string `json:"timestamp,omitempty"`
    Version string `json:"version,omitempty"`
    Negate bool `json:"negate,omitempty"`
    Title string `json:"title,omitempty"`
    Types []string `json:"type,omitempty"`
    AlternativeIDs []string `json:"alternative_ids,omitempty"`
    Descriptions []common.StructuredTextType `json:"descriptions,omitempty"`
    ShortDescriptions []common.StructuredTextType `json:"short_descriptions,omitempty"`
    ValidTimePositions []ValidTimeType `json:"valid_time_positions,omitempty"`
    Observable *observable.ObservableType `json:"observable,omitempty"`
    CompositeIndicatorExpression *CompositeIndicatorExpressionType `json:"composite_indicator_expression,omitempty"`
    IndicatedTTP []common.RelatedTTPType `json:"indicated_ttps,omitempty"`
    KillChainPhases []common.KillChainPhaseReferenceType `json:"kill_chain_phases,omitempty"`
    TestMechanisms []TestMechanismType `json:"test_mechanisms,omitempty"`
    LikelyImpact *common.StatementType `json:"likely_impact,omitempty"`
    SuggestedCOAs []SuggestedCOAsType `json:"suggested_coas,omitempty"`
    Handling []common.MarkingSpecificationType `json:"handling,omitempty"`
    Confidence *common.ConfidenceType `json:"confidence,omitempty"`
    Sightings *SightingsType `json:"sightings,omitempty"`
    RelatedIndicators *RelatedIndicatorsType `json:"related_indicators,omitempty"`
    RelatedCampaigns *RelatedCampaignReferencesType `json:"related_campaigns,omitempty"`
    RelatedPackages []common.RelatedPackageRefType `json:"related_packages,omitempty"`
    Producer *common.InformationSourceType `json:"producer,omitempty"`
    }
    And lets say I get an indicator over the wire that looks something like this, built directly from the STIX 1.2 schema.

    {
    "stix_package": {
    "id": "example:package-1ad2aab5-1707-4fcc-8fd2-ebae152adeec",
    "indicators": [
    {
    "id": "example:indicator-8571137a-32a2-4934-8077-2129475813af",
    "idref": "companyfoo:indicator-1234-1234-1234-1234",
    "timestamp": "2015-10-05T20:03:23-06:00",
    "version": "1.2.1",
    "title": "Some really neat indicator that we found",
    "type": [
    "URL Watchlist"
    ],
    "alternative_ids": [
    "CV-2014-12-12345",
    "CV-2015-02-54321"
    ],
    "descriptions": [
    {
    "id": "example:text-8769b510-9e76-4573-9778-864a51f052ae",
    "format": "text/plain",
    "value": "Some long description"
    }
    ],
    "short_descriptions": [
    {
    "id": "example:text-12170f79-62f4-48d9-9a97-d7077f05714f",
    "format": "text/plain",
    "value": "Some shorter description"
    }
    ]
    }
    ]
    }
    }

    We have a version field to say what version of an indicator it is and we know the type because it is in an indicator blob inside a stix_package blob.

    How does adding namespace elements make this more clear?

    I can easily parse this indicator and do interesting things with it. I can parse the TTPs that reference it and do things with them. I understand all of the fields in the indicator package because they are all well documented on the Github site [1] for Indicators. So I can either dump this data in to a relational database or in to a document database like MongoDB.

    Please help me understand why namespaces are required for structured data that is well defined. Like I said before, I can totally get and fully understand the need for JSON-LD in the open web. It makes perfect sense when you need this to share say random profile data between two or more entities (twitter, Facebook, youtube, etc). But we are not transporting random CTI, it will be in STIX. So alternative_ids are Alternative IDs, and a title is a Title. I do not see how JSON-LD helps us in anyway other than making a case for RDF over UML/OWL as RDF can work with JSON-LD.

    The only value I can see for JSON-LD is if we want to allow overloading. So I can make my own Indicator format and not adhere to the STIX version of an Indicator. In that case, yes, I can see the value, but I can also see the madness and chaos that would come from it.

    [1] - http://stixproject.github.io/data-model/1.2/indicator/IndicatorType/


    Thanks,

    Bret



    Bret Jordan CISSP
    Director of Security Architecture and Standards | Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

    Sounds good...

    I would like to formally make a motion that we require a default binding for STIX 2.0 and CybOX 3.0.


    If this is agreed upon, then:

    I would like to formally make a motion that the default binding for STIX 2.0 and CybOX 3.0 be JSON.


    Thanks,

    Bret



    Bret Jordan CISSP
    Director of Security Architecture and Standards | Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

    > On Oct 6, 2015, at 10:40, Aharon Chernin <achernin@soltra.com> wrote:
    >
    > Bret, I think we need to propose that STIX, CybOX, and TAXII have to require a default binding type first. Then the MTI motion could be changed to something like, “I would like to propose that we adopt JSON as the default binding”.
    >
    > Aharon
    >
    > From: <cti-stix@lists.oasis-open.org <mailto:cti-stix@lists.oasis-open.org>> on behalf of "Jordan, Bret"
    > Date: Tuesday, October 6, 2015 at 11:45 AM
    > To: "cti-users@lists.oasis-open.org <mailto:cti-users@lists.oasis-open.org>", "cti-stix@lists.oasis-open.org <mailto:cti-stix@lists.oasis-open.org>"
    > Subject: [cti-stix] MTI Binding
    >
    > We have had a good discussion here and on the wiki and I have seen a lot of people advocating for JSON to be used as the MTI. While a few other options have been tossed around and discussed they do not seem to have an advocate pushing for them nor do they seem to have the broad support that JSON does.
    >
    > Therefore, I would like to formally propose that we adopt JSON as the MTI for STIX 2.0 and CybOX 3.0.
    >
    >
    > Thanks,
    >
    > Bret
    >
    >
    >
    > Bret Jordan CISSP
    > Director of Security Architecture and Standards | Office of the CTO
    > Blue Coat Systems
    > PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    > "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
    >
    >> On Oct 6, 2015, at 06:17, Davidson II, Mark S <mdavidson@MITRE.ORG <mailto:mdavidson@MITRE.ORG>> wrote:
    >>
    >> I think we’re wrapped around the axle a little bit on this whole topic. I’d like to try and step back and ask some basic questions:
    >>
    >> 1. Is anyone actually proposing JSON-LD as the MTI for STIX? I’ve seen the question asked, and I’ve seen lots of discussion. Is there somebody who would like to come forward and state their opinion that JSON-LD should be the MTI for STIX?
    >> Note: I see this question as a higher bar than asking who thinks we should consider it – IMO the recent discussion makes it clear that we are considering it
    >>
    >> 2. There was an opinion that the proposed examples (the indicator and incident idioms) wouldn’t be sufficient for comparing size and complexity. What examples would be sufficient?
    >>
    >> 3. What toolchain is required to develop software that supports using a model without any custom code? Maybe I’m missing something, but if I have a product and I want to add STIX support, won’t developers have to write code?
    >> I guess at its core – I hear what people are saying about models and not programming to the data syntax, I just don’t understand how that actually works (the more concrete the example the better, at least for me).
    >>
    >> Thank you.
    >> -Mark
    >>
    >




  • 6.  RE: Model / Binding Motions

    Posted 10-06-2015 21:28
    Personally, I am not prepared to vote for any binding, be it JSON, XML, JSON-LD, CSV, etc… until we see all of the requirements (use cases) we are trying to satisfy. That is like trying to select your software stack before you know what you are trying to build. What if a use-case comes up that whatever binding we choose won’t satisfy (or satisfy easily)? Then do we go back and take a mulligan?

    From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Foley, Alexander - GIS
    Sent: Tuesday, October 06, 2015 2:05 PM
    To: cti-users@lists.oasis-open.org; cti-stix@lists.oasis-open.org
    Subject: [cti-users] Model / Binding Motions

    By my count:


    1. We have Bret’s motion that we require a default binding for STIX and CybOX and it requires a second.

    a. If this motion succeeds, we have Bret’s motion that JSON be chosen as the default binding for STIX and CybOX and it requires a second.

    i. Kevin Wetzel, I apologize but I do not see you as a member of the cti committee… please follow up with myself, Rich, Chet or OASIS if that’s an incorrect assumption

    b. We also have an (alternate?) proposal from Cory that JSON-LD specifically be chosen as our default binding and it requires a second.

    I must admit this conversation has been very difficult to follow – if I’m missing a key motion that we construct a UML / RDF / OWL model that’s separate from choosing a new preferred binding / data encoding, please feel free to propose or second any motions.

    Thanks,

    Alex

    From: cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org> [mailto:cti-users@lists.oasis-open.org] On Behalf Of Jordan, Bret
    Sent: Tuesday, October 06, 2015 12:49 PM
    To: Aharon Chernin
    Cc: cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>; cti-stix@lists.oasis-open.org<mailto:cti-stix@lists.oasis-open.org>
    Subject: [cti-users] Re: [cti-stix] MTI Binding

    Sounds good...

    I would like to formally make a motion that we require a default binding for STIX 2.0 and CybOX 3.0.


    If this is agreed upon, then:

    I would like to formally make a motion that the default binding for STIX 2.0 and CybOX 3.0 be JSON.

    Thanks,

    Bret



    Bret Jordan CISSP
    Director of Security Architecture and Standards | Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

    On Oct 6, 2015, at 10:40, Aharon Chernin <achernin@soltra.com<mailto:achernin@soltra.com>> wrote:

    Bret, I think we need to propose that STIX, CybOX, and TAXII have to require a default binding type first. Then the MTI motion could be changed to something like, “I would like to propose that we adopt JSON as the default binding”.

    Aharon

    From: <cti-stix@lists.oasis-open.org<mailto:cti-stix@lists.oasis-open.org>> on behalf of "Jordan, Bret"
    Date: Tuesday, October 6, 2015 at 11:45 AM
    To: "cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>", "cti-stix@lists.oasis-open.org<mailto:cti-stix@lists.oasis-open.org>"
    Subject: [cti-stix] MTI Binding

    We have had a good discussion here and on the wiki and I have seen a lot of people advocating for JSON to be used as the MTI. While a few other options have been tossed around and discussed they do not seem to have an advocate pushing for them nor do they seem to have the broad support that JSON does.

    Therefore, I would like to formally propose that we adopt JSON as the MTI for STIX 2.0 and CybOX 3.0.


    Thanks,

    Bret



    Bret Jordan CISSP
    Director of Security Architecture and Standards | Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

    On Oct 6, 2015, at 06:17, Davidson II, Mark S <mdavidson@MITRE.ORG<mailto:mdavidson@MITRE.ORG>> wrote:

    I think we’re wrapped around the axle a little bit on this whole topic. I’d like to try and step back and ask some basic questions:

    1. Is anyone actually proposing JSON-LD as the MTI for STIX? I’ve seen the question asked, and I’ve seen lots of discussion. Is there somebody who would like to come forward and state their opinion that JSON-LD should be the MTI for STIX?
    Note: I see this question as a higher bar than asking who thinks we should consider it – IMO the recent discussion makes it clear that we are considering it

    2. There was an opinion that the proposed examples (the indicator and incident idioms) wouldn’t be sufficient for comparing size and complexity. What examples would be sufficient?

    3. What toolchain is required to develop software that supports using a model without any custom code? Maybe I’m missing something, but if I have a product and I want to add STIX support, won’t developers have to write code?
    I guess at its core – I hear what people are saying about models and not programming to the data syntax, I just don’t understand how that actually works (the more concrete the example the better, at least for me).

    Thank you.
    -Mark



    ________________________________
    This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer. If you are not the intended recipient, please delete this message.
    DTCC DISCLAIMER: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify us immediately and delete the email and any attachments from your system. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.



  • 7.  RE: Model / Binding Motions

    Posted 10-06-2015 21:29




    Personally, I am not prepared to vote for any binding, be it JSON, XML, JSON-LD, CSV, etc… until we see all of the requirements (use cases) we are trying to satisfy. 
    That is like trying to select your software stack before you know what you are trying to build.  What if a use-case comes up that whatever binding we choose won’t satisfy (or satisfy easily)?  Then do we go back and take a mulligan?
     


    From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org]
    On Behalf Of Foley, Alexander - GIS
    Sent: Tuesday, October 06, 2015 2:05 PM
    To: cti-users@lists.oasis-open.org; cti-stix@lists.oasis-open.org
    Subject: [cti-users] Model / Binding Motions


     
    By my count:
     
    1.       
    We have Bret’s motion that we require a default binding for STIX and CybOX and it requires a second.

    a.       
    If this motion succeeds, we have Bret’s motion that JSON be chosen as the default binding for STIX and CybOX and it requires a second.

                                                                  
    i.       Kevin Wetzel, I apologize but I do not see you as a member of the cti committee…
    please follow up with myself, Rich, Chet or OASIS if that’s an incorrect assumption

    b.      
    We also have an (alternate?) proposal from Cory that JSON-LD specifically be chosen as our default binding and it requires a second.
     
    I must admit this conversation has been very difficult to follow – if I’m missing a key motion that we construct a UML / RDF / OWL model that’s separate
    from choosing a new preferred binding / data encoding, please feel free to propose or second any motions.
     


    Thanks,
     
    Alex


     


    From:
    cti-users@lists.oasis-open.org [ mailto:cti-users@lists.oasis-open.org ]
    On Behalf Of Jordan, Bret
    Sent: Tuesday, October 06, 2015 12:49 PM
    To: Aharon Chernin
    Cc: cti-users@lists.oasis-open.org ;
    cti-stix@lists.oasis-open.org
    Subject: [cti-users] Re: [cti-stix] MTI Binding


     
    Sounds good...

     


    I would like to formally make a motion that we require a default binding for STIX 2.0 and CybOX 3.0.  

     


     








    If this is agreed upon, then:


     


    I would like to formally make a motion that the default binding for STIX 2.0 and CybOX 3.0 be JSON.


     


    Thanks,


     


    Bret



     


     


     



    Bret Jordan CISSP

    Director of Security Architecture and Standards Office of the CTO


    Blue Coat Systems



    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050


    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 









     



    On Oct 6, 2015, at 10:40, Aharon Chernin < achernin@soltra.com > wrote:

     





    Bret, I think we need to propose that STIX, CybOX, and TAXII have to require a default binding type first. Then the MTI motion could be changed to something like, “I would
    like to propose that we adopt JSON as the default binding”.


     


    Aharon




     


    From:
    < cti-stix@lists.oasis-open.org > on behalf of "Jordan, Bret"
    Date: Tuesday, October 6, 2015 at 11:45 AM
    To: " cti-users@lists.oasis-open.org ", " cti-stix@lists.oasis-open.org "
    Subject: [cti-stix] MTI Binding


     



    We have had a good discussion here and on the wiki and I have seen a lot of people advocating for JSON to be used as the MTI.  While a few other options have been tossed around
    and discussed they do not seem to have an advocate pushing for them nor do they seem to have the broad support that JSON does.  


     


    Therefore, I would like to formally propose that we adopt JSON as the MTI for STIX 2.0 and CybOX 3.0.


     









     


    Thanks,


     


    Bret



     


     


     



    Bret Jordan CISSP


    Director of Security Architecture and Standards Office of the CTO


    Blue Coat Systems



    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050


    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 









     



    On Oct 6, 2015, at 06:17, Davidson II, Mark S < mdavidson@MITRE.ORG > wrote:

     


    I think we’re wrapped around the axle a little bit on this whole topic. I’d like to try and step back and ask some basic questions:


     


    1. Is anyone actually proposing JSON-LD as the MTI for STIX? I’ve seen the question asked, and I’ve seen   lots   of
    discussion. Is there somebody who would like to come forward and state their opinion that JSON-LD should be the MTI for STIX?


    Note: I see this question as a higher bar than asking who thinks we should consider it – IMO the recent discussion
    makes it clear that we are considering it




    2. There was an opinion that the proposed examples (the indicator and incident idioms) wouldn’t be sufficient for comparing size
    and complexity. What examples would be sufficient?




    3. What toolchain is required to develop software that supports using a model without any custom code? Maybe I’m missing something, but if I have a product
    and I want to add STIX support, won’t developers have to write code?  


    I guess at its core – I hear what people are saying about models and not programming to the data syntax, I just don’t understand how
    that actually works (the more concrete the example the better, at least for me).


     


    Thank you.


    -Mark


     




     







     




    This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at
    http://www.bankofamerica.com/emaildisclaimer . If you are not the intended recipient, please delete this message.

    DTCC DISCLAIMER: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify us immediately and delete the email and any attachments from your system. The recipient should check this email and any attachments for the presence of viruses.  The company accepts no liability for any damage caused by any virus transmitted by this email.




  • 8.  Re: [cti-stix] MTI Binding

    Posted 10-06-2015 18:11



    What do these motions mean, are they binding (in the sense that it’s difficult/impossible to change our mind later)? What’s the process to reach a decision on them? To what extent is that decision binding?


    I agree with these statements but don’t think we’re ready for binding decisions on either of them (in particular the second). I do think it would be nice to have a non-binding decision (in the sense that we can easily change our minds later) in
    order to cut off conversation on the topics until we revisit those decisions when formalizing the specifications.


    (I moved this to the CTI TC list because it seems inappropriate on the users list. If I’m wrong we can move it back)


    John



    On Oct 6, 2015, at 12:49 PM, Jordan, Bret < bret.jordan@BLUECOAT.COM > wrote:



    Sounds good...


    I would like to formally make a motion that we require a default binding for STIX 2.0 and CybOX 3.0.  













    If this is agreed upon, then:



    I would like to formally make a motion that the default binding for STIX 2.0 and CybOX 3.0 be JSON.





    Thanks,




    Bret












    Bret Jordan CISSP

    Director of Security Architecture and Standards Office of the CTO

    Blue Coat Systems

    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 











    On Oct 6, 2015, at 10:40, Aharon Chernin < achernin@soltra.com > wrote:





    Bret, I think we need to propose that STIX, CybOX, and TAXII have to require a default binding type first. Then the MTI motion could be changed to something like, “I would like to propose that we adopt JSON as the default binding”.


    Aharon









    From: < cti-stix@lists.oasis-open.org > on behalf of "Jordan, Bret"
    Date: Tuesday, October 6, 2015 at 11:45 AM
    To: " cti-users@lists.oasis-open.org ", " cti-stix@lists.oasis-open.org "
    Subject: [cti-stix] MTI Binding





    We have had a good discussion here and on the wiki and I have seen a lot of people advocating for JSON to be used as the MTI.  While a few other options have been tossed around and discussed they do not seem to have an advocate pushing for them nor do they
    seem to have the broad support that JSON does.  


    Therefore, I would like to formally propose that we adopt JSON as the MTI for STIX 2.0 and CybOX 3.0.













    Thanks,


    Bret











    Bret Jordan CISSP

    Director of Security Architecture and Standards Office of the CTO

    Blue Coat Systems

    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 











    On Oct 6, 2015, at 06:17, Davidson II, Mark S < mdavidson@MITRE.ORG > wrote:




    I think we’re wrapped around the axle a little bit on this whole topic. I’d like to try and step back and ask some basic questions:

     

    1. Is anyone actually proposing JSON-LD as the MTI for STIX? I’ve seen the question asked, and I’ve seen   lots   of
    discussion. Is there somebody who would like to come forward and state their opinion that JSON-LD should be the MTI for STIX?

    Note: I see this question as a higher bar than asking who thinks we should consider it – IMO the recent discussion makes it clear that we are considering it



    2. There was an opinion that the proposed examples (the indicator and incident idioms) wouldn’t be sufficient for comparing size and complexity. What examples
    would be sufficient?



    3. What toolchain is required to develop software that supports using a model without any custom code? Maybe I’m missing something, but if I have a product and
    I want to add STIX support, won’t developers have to write code?  

    I guess at its core – I hear what people are saying about models and not programming to the data syntax, I just don’t understand how that actually works (the
    more concrete the example the better, at least for me).

     

    Thank you.

    -Mark

     

























  • 9.  Re: [cti-stix] MTI Binding

    Posted 10-06-2015 18:21
    The motions are binding in the same way that HTTP was picked in TAXII land.  We agree that this makes the most sense for what we know and understand at this point in time so organizations that are going to start writing code can do so..  If compelling information comes up later and the community decides to revisit this debate, we can do so.  But it is not open for willy-nilly changes of mind.  We draw a line in the sand and say we think this represents our best options at this point in time.  If we get down the road and implementers that are actually writing code come back and say, hey this will not work and we need X Y and Z, then we revisit it.   So yes, we can always readdress it until the time the standard goes out.  However, we would need to make sure that we are not revisiting it willy-nilly.  There are a lot of organizations that are wanting to start writing code and apps and web tools.   Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.   On Oct 6, 2015, at 12:11, Wunder, John A. < jwunder@mitre.org > wrote: What do these motions mean, are they binding (in the sense that it’s difficult/impossible to change our mind later)? What’s the process to reach a decision on them? To what extent is that decision binding? I agree with these statements but don’t think we’re ready for binding decisions on either of them (in particular the second). I do think it would be nice to have a non-binding decision (in the sense that we can easily change our minds later) in order to cut off conversation on the topics until we revisit those decisions when formalizing the specifications. (I moved this to the CTI TC list because it seems inappropriate on the users list. If I’m wrong we can move it back) John On Oct 6, 2015, at 12:49 PM, Jordan, Bret < bret.jordan@BLUECOAT.COM > wrote: Sounds good... I would like to formally make a motion that we require a default binding for STIX 2.0 and CybOX 3.0.   If this is agreed upon, then: I would like to formally make a motion that the default binding for STIX 2.0 and CybOX 3.0 be JSON. Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.   On Oct 6, 2015, at 10:40, Aharon Chernin < achernin@soltra.com > wrote: Bret, I think we need to propose that STIX, CybOX, and TAXII have to require a default binding type first. Then the MTI motion could be changed to something like, “I would like to propose that we adopt JSON as the default binding”. Aharon From: < cti-stix@lists.oasis-open.org > on behalf of Jordan, Bret Date: Tuesday, October 6, 2015 at 11:45 AM To: cti-users@lists.oasis-open.org , cti-stix@lists.oasis-open.org Subject: [cti-stix] MTI Binding We have had a good discussion here and on the wiki and I have seen a lot of people advocating for JSON to be used as the MTI.  While a few other options have been tossed around and discussed they do not seem to have an advocate pushing for them nor do they seem to have the broad support that JSON does.   Therefore, I would like to formally propose that we adopt JSON as the MTI for STIX 2.0 and CybOX 3.0. Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.   On Oct 6, 2015, at 06:17, Davidson II, Mark S < mdavidson@MITRE.ORG > wrote: I think we’re wrapped around the axle a little bit on this whole topic. I’d like to try and step back and ask some basic questions:   1. Is anyone actually proposing JSON-LD as the MTI for STIX? I’ve seen the question asked, and I’ve seen   lots   of discussion. Is there somebody who would like to come forward and state their opinion that JSON-LD should be the MTI for STIX? Note: I see this question as a higher bar than asking who thinks we should consider it – IMO the recent discussion makes it clear that we are considering it 2. There was an opinion that the proposed examples (the indicator and incident idioms) wouldn’t be sufficient for comparing size and complexity. What examples would be sufficient? 3. What toolchain is required to develop software that supports using a model without any custom code? Maybe I’m missing something, but if I have a product and I want to add STIX support, won’t developers have to write code?   I guess at its core – I hear what people are saying about models and not programming to the data syntax, I just don’t understand how that actually works (the more concrete the example the better, at least for me).   Thank you. -Mark   Attachment: signature.asc Description: Message signed with OpenPGP using GPGMail


  • 10.  Re: [cti-stix] MTI Binding

    Posted 10-06-2015 18:21
    The motions are binding in the same way that HTTP was picked in TAXII land.  We agree that this makes the most sense for what we know and understand at this point in time so organizations that are going to start writing code can do so..  If compelling information comes up later and the community decides to revisit this debate, we can do so.  But it is not open for willy-nilly changes of mind.  We draw a line in the sand and say we think this represents our best options at this point in time.  If we get down the road and implementers that are actually writing code come back and say, hey this will not work and we need X Y and Z, then we revisit it.   So yes, we can always readdress it until the time the standard goes out.  However, we would need to make sure that we are not revisiting it willy-nilly.  There are a lot of organizations that are wanting to start writing code and apps and web tools.   Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.   On Oct 6, 2015, at 12:11, Wunder, John A. < jwunder@mitre.org > wrote: What do these motions mean, are they binding (in the sense that it’s difficult/impossible to change our mind later)? What’s the process to reach a decision on them? To what extent is that decision binding? I agree with these statements but don’t think we’re ready for binding decisions on either of them (in particular the second). I do think it would be nice to have a non-binding decision (in the sense that we can easily change our minds later) in order to cut off conversation on the topics until we revisit those decisions when formalizing the specifications. (I moved this to the CTI TC list because it seems inappropriate on the users list. If I’m wrong we can move it back) John On Oct 6, 2015, at 12:49 PM, Jordan, Bret < bret.jordan@BLUECOAT.COM > wrote: Sounds good... I would like to formally make a motion that we require a default binding for STIX 2.0 and CybOX 3.0.   If this is agreed upon, then: I would like to formally make a motion that the default binding for STIX 2.0 and CybOX 3.0 be JSON. Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.   On Oct 6, 2015, at 10:40, Aharon Chernin < achernin@soltra.com > wrote: Bret, I think we need to propose that STIX, CybOX, and TAXII have to require a default binding type first. Then the MTI motion could be changed to something like, “I would like to propose that we adopt JSON as the default binding”. Aharon From: < cti-stix@lists.oasis-open.org > on behalf of Jordan, Bret Date: Tuesday, October 6, 2015 at 11:45 AM To: cti-users@lists.oasis-open.org , cti-stix@lists.oasis-open.org Subject: [cti-stix] MTI Binding We have had a good discussion here and on the wiki and I have seen a lot of people advocating for JSON to be used as the MTI.  While a few other options have been tossed around and discussed they do not seem to have an advocate pushing for them nor do they seem to have the broad support that JSON does.   Therefore, I would like to formally propose that we adopt JSON as the MTI for STIX 2.0 and CybOX 3.0. Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.   On Oct 6, 2015, at 06:17, Davidson II, Mark S < mdavidson@MITRE.ORG > wrote: I think we’re wrapped around the axle a little bit on this whole topic. I’d like to try and step back and ask some basic questions:   1. Is anyone actually proposing JSON-LD as the MTI for STIX? I’ve seen the question asked, and I’ve seen   lots   of discussion. Is there somebody who would like to come forward and state their opinion that JSON-LD should be the MTI for STIX? Note: I see this question as a higher bar than asking who thinks we should consider it – IMO the recent discussion makes it clear that we are considering it 2. There was an opinion that the proposed examples (the indicator and incident idioms) wouldn’t be sufficient for comparing size and complexity. What examples would be sufficient? 3. What toolchain is required to develop software that supports using a model without any custom code? Maybe I’m missing something, but if I have a product and I want to add STIX support, won’t developers have to write code?   I guess at its core – I hear what people are saying about models and not programming to the data syntax, I just don’t understand how that actually works (the more concrete the example the better, at least for me).   Thank you. -Mark   Attachment: signature.asc Description: Message signed with OpenPGP using GPGMail


  • 11.  RE: [cti-stix] MTI Binding

    Posted 10-06-2015 18:44




    I’ll defer to OASIS for the official word, but by my reading of the TC Process, these are
    not binding decisions.  I am operating under the assumption that we will come to “binding” decisions when we take full votes on Standards Track Work Products (specification draft, candidate standard, etc.)  I would imagine those decisions could be reversed
    in a future work product if we so decided.

    The process to call for a vote and reach a decision is covered by the TC Process:
    https://www.oasis-open.org/policies-guidelines/tc-process#voting
     
    Motions may be suggested by a voting member, and must be seconded.  However, motions from the list
    must be discussed before they can be voted on.  Motions for the entire committee should be made to the [cti] list.
     
    To those of you who feel that this debate is moving too quickly, or we are making decisions too quickly – you are empowered to make an alternate motion according
    to Robert’s Rules of Order.
     
    Given that this is our first “contentious” debate, we may need some additional clarity on the period of discussion.  Robert’s Rules suggest that a motion to
    Limit or Extend Debate requires a 2/3 vote, but these rules do not provide the best clarity when it comes to discussion lists that have no ending.  I believe this is one of the reasons that votes are required to have a minimum period of 7 days, but perhaps
    I’m just not finding where in our TC Process we have set the minimum period of debate.
     


    Thanks,
     
    Alex


     


    From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org]
    On Behalf Of Wunder, John A.
    Sent: Tuesday, October 06, 2015 2:11 PM
    To: cti@lists.oasis-open.org; cti-stix@lists.oasis-open.org
    Subject: [cti] Re: [cti-stix] MTI Binding


     
    What do these motions mean, are they binding (in the sense that it’s difficult/impossible to change our mind later)? What’s the process to reach a decision on them? To what extent is that decision binding?


     


    I agree with these statements but don’t think we’re ready for binding decisions on either of them (in particular the second). I do think it would be nice to have a non-binding decision (in the sense that we can easily change our minds later)
    in order to cut off conversation on the topics until we revisit those decisions when formalizing the specifications.


     


    (I moved this to the CTI TC list because it seems inappropriate on the users list. If I’m wrong we can move it back)


     


    John


     



    On Oct 6, 2015, at 12:49 PM, Jordan, Bret < bret.jordan@BLUECOAT.COM > wrote:

     


    Sounds good...

     


    I would like to formally make a motion that we require a default binding for STIX 2.0 and CybOX 3.0.  

     


     








    If this is agreed upon, then:


     


    I would like to formally make a motion that the default binding for STIX 2.0 and CybOX 3.0 be JSON.


     


    Thanks,


     


    Bret



     


     


     



    Bret Jordan CISSP


    Director of Security Architecture and Standards Office of the CTO


    Blue Coat Systems



    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050


    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 









     



    On Oct 6, 2015, at 10:40, Aharon Chernin < achernin@soltra.com > wrote:

     





    Bret, I think we need to propose that STIX, CybOX, and TAXII have to require a default binding type first. Then the MTI motion could be changed to something like, “I would
    like to propose that we adopt JSON as the default binding”.


     


    Aharon




     


    From:
    < cti-stix@lists.oasis-open.org > on behalf of "Jordan, Bret"
    Date: Tuesday, October 6, 2015 at 11:45 AM
    To: " cti-users@lists.oasis-open.org ", " cti-stix@lists.oasis-open.org "
    Subject: [cti-stix] MTI Binding


     



    We have had a good discussion here and on the wiki and I have seen a lot of people advocating for JSON to be used as the MTI.  While a few other options have been tossed around
    and discussed they do not seem to have an advocate pushing for them nor do they seem to have the broad support that JSON does.  


     


    Therefore, I would like to formally propose that we adopt JSON as the MTI for STIX 2.0 and CybOX 3.0.


     









     


    Thanks,


     


    Bret



     


     


     



    Bret Jordan CISSP


    Director of Security Architecture and Standards Office of the CTO


    Blue Coat Systems



    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050


    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 









     



    On Oct 6, 2015, at 06:17, Davidson II, Mark S < mdavidson@MITRE.ORG > wrote:

     


    I think we’re wrapped around the axle a little bit on this whole topic. I’d like to try and step back and ask some basic questions:


     


    1. Is anyone actually proposing JSON-LD as the MTI for STIX? I’ve seen the question asked, and I’ve seen   lots   of
    discussion. Is there somebody who would like to come forward and state their opinion that JSON-LD should be the MTI for STIX?


    Note: I see this question as a higher bar than asking who thinks we should consider it – IMO the recent discussion makes it clear that
    we are considering it





    2. There was an opinion that the proposed examples (the indicator and incident idioms) wouldn’t be sufficient for comparing size and complexity. What examples
    would be sufficient?





    3. What toolchain is required to develop software that supports using a model without any custom code? Maybe I’m missing something, but if I have a product
    and I want to add STIX support, won’t developers have to write code?  


    I guess at its core – I hear what people are saying about models and not programming to the data syntax, I just don’t understand how
    that actually works (the more concrete the example the better, at least for me).


     


    Thank you.


    -Mark


     




     







     





     


    This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer. If you are not the intended recipient, please delete this message.




  • 12.  Re: [cti] [cti-stix] MTI Binding

    Posted 10-06-2015 18:54
    Some of these items are very contentious and I doubt we will ever gain standard consensus.  Maybe if we had a face-2-face we could make some real progress.  The way I see it we have been debating the move from XML to JSON for over 18 months.   Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.   On Oct 6, 2015, at 12:43, Foley, Alexander - GIS < alexander.foley@bankofamerica.com > wrote: I’ll defer to OASIS for the official word, but by my reading of the TC Process, these are   not   binding decisions.  I am operating under the assumption that we will come to “binding” decisions when we take full votes on Standards Track Work Products (specification draft, candidate standard, etc.)  I would imagine those decisions could be reversed in a future work product if we so decided. The process to call for a vote and reach a decision is covered by the TC Process:   https://www.oasis-open.org/policies-guidelines/tc-process#voting   Motions may be suggested by a voting member, and must be seconded.  However, motions from the list   must   be discussed before they can be voted on.    Motions for the entire committee should be made to the [cti] list.   To those of you who feel that this debate is moving too quickly, or we are making decisions too quickly – you are empowered to make an alternate motion according to Robert’s Rules of Order.   Given that this is our first “contentious” debate, we may need some additional clarity on the period of discussion.  Robert’s Rules suggest that a motion to Limit or Extend Debate requires a 2/3 vote, but these rules do not provide the best clarity when it comes to discussion lists that have no ending.  I believe this is one of the reasons that votes are required to have a minimum period of 7 days, but perhaps I’m just not finding where in our TC Process we have set the minimum period of debate.   Thanks,   Alex   From:   cti@lists.oasis-open.org   [ mailto:cti@lists.oasis-open.org ]   On Behalf Of   Wunder, John A. Sent:   Tuesday, October 06, 2015 2:11 PM To:   cti@lists.oasis-open.org ;   cti-stix@lists.oasis-open.org Subject:   [cti] Re: [cti-stix] MTI Binding   What do these motions mean, are they binding (in the sense that it’s difficult/impossible to change our mind later)? What’s the process to reach a decision on them? To what extent is that decision binding?   I agree with these statements but don’t think we’re ready for binding decisions on either of them (in particular the second). I do think it would be nice to have a non-binding decision (in the sense that we can easily change our minds later) in order to cut off conversation on the topics until we revisit those decisions when formalizing the specifications.   (I moved this to the CTI TC list because it seems inappropriate on the users list. If I’m wrong we can move it back)   John   On Oct 6, 2015, at 12:49 PM, Jordan, Bret < bret.jordan@BLUECOAT.COM > wrote:   Sounds good...     I would like to formally make a motion that we require a default binding for STIX 2.0 and CybOX 3.0.       If this is agreed upon, then:   I would like to formally make a motion that the default binding for STIX 2.0 and CybOX 3.0 be JSON.   Thanks,   Bret       Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.     On Oct 6, 2015, at 10:40, Aharon Chernin < achernin@soltra.com > wrote:   Bret, I think we need to propose that STIX, CybOX, and TAXII have to require a default binding type first. Then the MTI motion could be changed to something like, “I would like to propose that we adopt JSON as the default binding”.   Aharon   From:   < cti-stix@lists.oasis-open.org > on behalf of Jordan, Bret Date:   Tuesday, October 6, 2015 at 11:45 AM To:   cti-users@lists.oasis-open.org , cti-stix@lists.oasis-open.org Subject:   [cti-stix] MTI Binding   We have had a good discussion here and on the wiki and I have seen a lot of people advocating for JSON to be used as the MTI.  While a few other options have been tossed around and discussed they do not seem to have an advocate pushing for them nor do they seem to have the broad support that JSON does.     Therefore, I would like to formally propose that we adopt JSON as the MTI for STIX 2.0 and CybOX 3.0.     Thanks,   Bret       Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.     On Oct 6, 2015, at 06:17, Davidson II, Mark S < mdavidson@MITRE.ORG > wrote:   I think we’re wrapped around the axle a little bit on this whole topic. I’d like to try and step back and ask some basic questions:   1. Is anyone actually proposing JSON-LD as the MTI for STIX? I’ve seen the question asked, and I’ve seen   lots   of discussion. Is there somebody who would like to come forward and state their opinion that JSON-LD should be the MTI for STIX? Note: I see this question as a higher bar than asking who thinks we should consider it – IMO the recent discussion makes it clear that we are considering it 2. There was an opinion that the proposed examples (the indicator and incident idioms) wouldn’t be sufficient for comparing size and complexity. What examples would be sufficient? 3. What toolchain is required to develop software that supports using a model without any custom code? Maybe I’m missing something, but if I have a product and I want to add STIX support, won’t developers have to write code?   I guess at its core – I hear what people are saying about models and not programming to the data syntax, I just don’t understand how that actually works (the more concrete the example the better, at least for me).   Thank you. -Mark         This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at   http://www.bankofamerica.com/emaildisclaimer . If you are not the intended recipient, please delete this message. Attachment: signature.asc Description: Message signed with OpenPGP using GPGMail


  • 13.  Re: [cti-stix] MTI Binding

    Posted 10-06-2015 18:11



    What do these motions mean, are they binding (in the sense that it’s difficult/impossible to change our mind later)? What’s the process to reach a decision on them? To what extent is that decision binding?


    I agree with these statements but don’t think we’re ready for binding decisions on either of them (in particular the second). I do think it would be nice to have a non-binding decision (in the sense that we can easily change our minds later) in
    order to cut off conversation on the topics until we revisit those decisions when formalizing the specifications.


    (I moved this to the CTI TC list because it seems inappropriate on the users list. If I’m wrong we can move it back)


    John



    On Oct 6, 2015, at 12:49 PM, Jordan, Bret < bret.jordan@BLUECOAT.COM > wrote:



    Sounds good...


    I would like to formally make a motion that we require a default binding for STIX 2.0 and CybOX 3.0.  













    If this is agreed upon, then:



    I would like to formally make a motion that the default binding for STIX 2.0 and CybOX 3.0 be JSON.





    Thanks,




    Bret












    Bret Jordan CISSP

    Director of Security Architecture and Standards Office of the CTO

    Blue Coat Systems

    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 











    On Oct 6, 2015, at 10:40, Aharon Chernin < achernin@soltra.com > wrote:





    Bret, I think we need to propose that STIX, CybOX, and TAXII have to require a default binding type first. Then the MTI motion could be changed to something like, “I would like to propose that we adopt JSON as the default binding”.


    Aharon









    From: < cti-stix@lists.oasis-open.org > on behalf of "Jordan, Bret"
    Date: Tuesday, October 6, 2015 at 11:45 AM
    To: " cti-users@lists.oasis-open.org ", " cti-stix@lists.oasis-open.org "
    Subject: [cti-stix] MTI Binding





    We have had a good discussion here and on the wiki and I have seen a lot of people advocating for JSON to be used as the MTI.  While a few other options have been tossed around and discussed they do not seem to have an advocate pushing for them nor do they
    seem to have the broad support that JSON does.  


    Therefore, I would like to formally propose that we adopt JSON as the MTI for STIX 2.0 and CybOX 3.0.













    Thanks,


    Bret











    Bret Jordan CISSP

    Director of Security Architecture and Standards Office of the CTO

    Blue Coat Systems

    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 











    On Oct 6, 2015, at 06:17, Davidson II, Mark S < mdavidson@MITRE.ORG > wrote:




    I think we’re wrapped around the axle a little bit on this whole topic. I’d like to try and step back and ask some basic questions:

     

    1. Is anyone actually proposing JSON-LD as the MTI for STIX? I’ve seen the question asked, and I’ve seen   lots   of
    discussion. Is there somebody who would like to come forward and state their opinion that JSON-LD should be the MTI for STIX?

    Note: I see this question as a higher bar than asking who thinks we should consider it – IMO the recent discussion makes it clear that we are considering it



    2. There was an opinion that the proposed examples (the indicator and incident idioms) wouldn’t be sufficient for comparing size and complexity. What examples
    would be sufficient?



    3. What toolchain is required to develop software that supports using a model without any custom code? Maybe I’m missing something, but if I have a product and
    I want to add STIX support, won’t developers have to write code?  

    I guess at its core – I hear what people are saying about models and not programming to the data syntax, I just don’t understand how that actually works (the
    more concrete the example the better, at least for me).

     

    Thank you.

    -Mark