OASIS Cyber Threat Intelligence (CTI) TC

  • 1.  Re: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply

    Posted 12-13-2018 17:58

    Regardless of when STIX2 becomes a full approved standard I think OASIS guidance to ITU-T should be that they should not standardize a standard (version1) that is already being replaced for good reason.
     
    I think it makes ITU-T look foolish and disconnected. But if they want to do that then go ahead. It's just an opinion.
     

    Allan Thomson
    CTO (+1-408-331-6646)
    LookingGlass Cyber Solutions

     

    From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "Kelley, Sarah E." <skelley@mitre.org>
    Date: Thursday, December 13, 2018 at 9:54 AM
    To: Allan Thomson <athomson@lookingglasscyber.com>, "jamie.clark@oasis-open.org" <jamie.clark@oasis-open.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, "Struse, Richard J." <rjs@mitre.org>, "trey.darley@cert.be" <trey.darley@cert.be>
    Cc: Chet Ensign <chet.ensign@oasis-open.org>
    Subject: RE: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply


     

    If we would prefer to use STIX/TAXII 2, does this require that some form of STIX 2 and TAXII 2 be a full Oasis standard before next summer? Am I reading that correctly?

     

    Sarah Kelley
    Lead Cybersecurity Engineer, T8B2
    Defensive Operations
    The MITRE Corporation
    703-983-6242
    skelley@mitre.org


     


    From: cti@lists.oasis-open.org <cti@lists.oasis-open.org>
    On Behalf Of Allan Thomson
    Sent: Thursday, December 13, 2018 12:02 PM
    To: Jamie Clark <jamie.clark@oasis-open.org>; OASIS CTI TC Discussion List <cti@lists.oasis-open.org>; Struse, Richard J. <rjs@mitre.org>; trey.darley@cert.be
    Cc: Chet Ensign <chet.ensign@oasis-open.org>
    Subject: Re: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply


     
    The importance of making sure VERSION 2 is the version to be considered as the primary standard for CTI sharing cannot be understated.
     
    The market already does not understand the important and significant differences between v1 and v2.
     
    I strongly suggest that OASIS make sure the ITU-T does everything it can to adopt version 2 not 1.
     

    Allan Thomson
    CTO (+1-408-331-6646)
    LookingGlass Cyber Solutions

     

    From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "jamie.clark@oasis-open.org" <jamie.clark@oasis-open.org>
    Date: Thursday, December 13, 2018 at 8:49 AM
    To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, "Struse, Richard J." <rjs@mitre.org>, "trey.darley@cert.be" <trey.darley@cert.be>
    Cc: Chet Ensign <chet.ensign@oasis-open.org>
    Subject: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply


     




    Dear members of the CTI TC:

    After consultation with your chairs, they asked us to share this (attached) communication from ITU-T's Study Group 17 (on cybersecurity), inquiring about a contribution of STIX and TAXII for their endorsement and approval.

    BACKGROUND. OASIS has contributed many standards to global de jure standards bodies like ITU-T, including a number successfully approved by ITU's SG17. [1] The ground rules for doing so can be found in the OASIS liaison policy [2]. There are several process requirements, which include OASIS Standard status, and an approval vote from the originating TC.

    Staff's view is that submission is appropriate and expected to be successful. OASIS submissions to the study group occur with the condition that, while comments are welcome, only the final approved version of the OASIS submission can be considered ... in other words, the ITU panel would not have the right to make changes as part of its approval process.

    CONSIDERATIONS FOR THIS SUBMISSION. Your Versions 1 of STIX and TAXII have become OASIS Standards, as you know. Your work on bringing your Versions 2 to that status is ongoing. Our understanding with your leadership was that, while the Versions 1 are not officially deprecated, your TC wishes to encourage implementation of the newer (and differently scheme-ad) Versions 2; so a promotion of Versions 1 to international standard status at this time might not achieve your goals. We have been advised that you likely would wish to submit both STIX and TAXII together, and wait until both versions are eligible (as an OS) before submitting. The schedule of SG17 essentially uses live meetings once every six months, so this would probably result in a mid-2019 submission, assuming you support it.

    RECOMMENDATION. If we are correct that your preference is to submit Versions 2.X, then we suggest that OASIS reply to this inquiry now, with a polite and encouraging indication that the TC expects to submit the completed version to ITU as soon as they're available, within a few months. That would allow us to provide a positive statement as feedback to the January 2019 meeting, for which planning is now underway.

    ACTION REQUESTED. Would you please let us (and the TC) know if there's any objection to that approach? We'll plan to send the "version 2 coming soon" message, as described above, which requires no TC vote, if we hear no objections.

    If on the other hand, there is TC sentiment to send completed Versions 1 to ITU for consideration for promotion and republication as "ITU-T Recommendations" (their version of international standards), then please advise your TC leadership and my colleague Chet Ensign, as that could be done by a web ballot TC vote at any time and a short public notice to the membership.

    Please feel free to contact Chet or me if you have any questions.

    Kind regards

    Jamie

    [1] Including SAML, XACML and CAP (an emergency services resources info protocol).

    [2] https://www.oasis-open.org/policies-guidelines/liaison#submitwork

    James Bryce Clark, General Counsel
    OASIS: Advancing open data, code and standards for the information society
    https://www.oasis-open.org/staff

    EU Commission 2018 Rolling Plan for Open ICT Standards: http://j.mp/EUstds2018
    OASIS Borderless Cybersecurity conference, October 2018: https://us18.borderlesscyber.org/en/
    Previously Prague 2017, NYC 2017, Tokyo 2016, Brussels 2016, World Bank 2015

  • 2.  Re: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply

    Posted 12-13-2018 18:25
    I agree with Allan..

    Furthermore, I believe that if it requires for 2.0 to be a full OASIS standard - that perhaps we should go down that path.

    IE - roadblocking this on 2.1 and that yet-to-be-determined timeframe, is not IMO a good idea whatsoever.

    Can we get clarity on what level of specification ITU requires - CSD, CS, COS, OASIS Standard?

    -
    Jason Keirstead
    Lead Architect - IBM Security Connect
    www.ibm.com/security

    "Things may come to those who wait, but only the things left by those who hustle." - Unknown


  • 3.  Re: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply

    Posted 12-13-2018 18:58
    Hi Jason,

    I can confirm that work is only considered for submission after it becomes an OASIS Standard. It is covered in our Liaison policy at https://www.oasis-open.org/policies-guidelines/liaison#submitwork

    /chet

    --
    /chet
    ----------------
    Chet Ensign
    Chief Technical Community Steward
    OASIS: Advancing open standards for the information society
    http://www.oasis-open.org

    Primary: +1 973-996-2298
    Mobile: +1 201-341-1393


  • 4.  Re: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply

    Posted 12-13-2018 18:59
    Oh and also, that is not an ITU requirement, it is our own OASIS policy.

    --
    /chet
    ----------------
    Chet Ensign
    Chief Technical Community Steward
    OASIS: Advancing open standards for the information society
    http://www.oasis-open.org

    Primary: +1 973-996-2298
    Mobile: +1 201-341-1393


  • 5.  RE: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply

    Posted 12-13-2018 19:17

    This drives to the point of my question. It sounds like he wants to announce in January that they'll be working towards getting STIX/TAXII into ITU in the summer. Yet it requires that STIX/TAXII be full Oasis standards in order to do that, and they currently aren't. Is it even possible for us (timing-wise) to meet that deadline? Given the pace at which things move in the TC, my concern is that we would say "Yes of course!" and then fail to meet the deadline by not getting them into full Oasis Standards by the ITU deadline.
     
    Thanks,
     
    Sarah Kelley
    Lead Cybersecurity Engineer, T8B2
    Defensive Operations
    The MITRE Corporation
    703-983-6242
    skelley@mitre.org

     
    From: cti@lists.oasis-open.org <cti@lists.oasis-open.org>
    On Behalf Of Chet Ensign
    Sent: Thursday, December 13, 2018 1:59 PM
    To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
    Cc: Allan Thomson <athomson@lookingglasscyber.com>; OASIS CTI TC Discussion List <cti@lists.oasis-open.org>; Jamie Clark <jamie.clark@oasis-open.org>; Struse, Richard J. <rjs@mitre.org>; Kelley, Sarah E. <skelley@mitre.org>; trey.darley@cert.be
    Subject: Re: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply
     

    Oh and also, that is not an ITU requirement, it is our own OASIS policy. 

     


    On Thu, Dec 13, 2018 at 1:25 PM Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:


    I agree with Allan..

    Furthermore, I believe that if it requires for 2.0 to be a full OASIS standard - that perhaps we should go down that path.

    IE - roadblocking this on 2.1 and that yet-to-be-determined timeframe, is not IMO a good idea whatsoever.

    Can we get clarity on what level of specification ITU requires - CSD, CS, COS, OASIS Standard?


    -
    Jason Keirstead
    Lead Architect - IBM Security Connect
    www.ibm.com/security

    "Things may come to those who wait, but only the things left by those who hustle." - Unknown





    From: Allan Thomson <athomson@lookingglasscyber.com>
    To: "Kelley, Sarah E." <skelley@mitre.org>, Jamie Clark <jamie.clark@oasis-open.org>, OASIS CTI TC Discussion List <cti@lists.oasis-open.org>, "Struse, Richard J." <rjs@mitre.org>, "trey.darley@cert.be" <trey.darley@cert.be>
    Cc: Chet Ensign <chet.ensign@oasis-open.org>
    Date: 12/13/2018 01:58 PM
    Subject: Re: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply
    Sent by: <cti@lists.oasis-open.org>






    Regardless of when STIX2 becomes a full approved standard I think OASIS guidance to ITU-T should be that they should not standardize a standard (version1) that is already being replaced for good reason.
     
    I think it makes ITU-T look foolish and disconnected. But if they want to do that then go ahead. It's just an opinion.
     
    Allan Thomson
    CTO (+1-408-331-6646)
    LookingGlass Cyber Solutions
     
    From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "Kelley, Sarah E." <skelley@mitre.org>
    Date: Thursday, December 13, 2018 at 9:54 AM
    To: Allan Thomson <athomson@lookingglasscyber.com>, "jamie.clark@oasis-open.org" <jamie.clark@oasis-open.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, "Struse, Richard J." <rjs@mitre.org>, "trey.darley@cert.be" <trey.darley@cert.be>
    Cc: Chet Ensign <chet.ensign@oasis-open.org>
    Subject: RE: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply
     
    If we would prefer to use STIX/TAXII 2, does this require that some form of STIX 2 and TAXII 2 be a full Oasis standard before next summer? Am I reading that correctly?

     
    Sarah Kelley
    Lead Cybersecurity Engineer, T8B2
    Defensive Operations
    The MITRE Corporation
    703-983-6242
    skelley@mitre.org

     
    From:
    cti@lists.oasis-open.org < cti@lists.oasis-open.org >
    On Behalf Of Allan Thomson
    Sent: Thursday, December 13, 2018 12:02 PM
    To: Jamie Clark < jamie.clark@oasis-open.org >; OASIS CTI TC Discussion List < cti@lists.oasis-open.org >; Struse, Richard J. < rjs@mitre.org >;
    trey.darley@cert.be
    Cc: Chet Ensign < chet.ensign@oasis-open.org >
    Subject: Re: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply
     
    The importance of making sure VERSION 2 is the version to be considered as the primary standard for CTI sharing cannot be understated.
     
    The market already does not understand the important and significant differences between v1 and v2.
     
    I strongly suggest that OASIS make sure the ITU-T does everything it can to adopt version 2 not 1.
     
    Allan Thomson
    CTO (+1-408-331-6646)
    LookingGlass Cyber Solutions
     
    From: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    on behalf of " jamie.clark@oasis-open.org " < jamie.clark@oasis-open.org >
    Date: Thursday, December 13, 2018 at 8:49 AM
    To: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >,
    "Struse, Richard J." < rjs@mitre.org >, " trey.darley@cert.be "
    < trey.darley@cert.be >
    Cc: Chet Ensign < chet.ensign@oasis-open.org >
    Subject: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply
     
    Dear members of the CTI TC:

    After consultation with your chairs, they asked us to share this (attached)
    communication from ITU-T's Study Group 17 (on cybersecurity), inquiring about a contribution of STIX and TAXII for their endorsement and approval.

    BACKGROUND.  OASIS has contributed many standards to global de jure standards bodies like ITU-T, including a number successfully approved by ITU's SG17. [1]  The ground rules for doing so can be found in the OASIS liaison policy [2].  There are several process requirements, which include OASIS Standard status, and an approval vote from the originating TC.

    Staff's view is that submission is appropriate and expected to be successful. OASIS submissions to the study group occur with the condition that, while comments are welcome, only the final approved version of the OASIS submission can be considered ... in other words, the ITU panel would not have the right to make changes as part of its approval process.

    CONSIDERATIONS FOR THIS SUBMISSION.  Your Versions 1 of STIX and TAXII have become OASIS Standards, as you know. Your work on bringing your Versions 2 to that status is ongoing. Our understanding with your leadership was that, while the Versions 1 are not officially deprecated, your TC wishes to encourage implementation of the newer (and differently scheme-ad) Versions 2; so a promotion of Versions 1 to international standard status at this time might not achieve your goals. We have been advised that you likely would wish to submit both STIX and TAXII together, and wait until both versions are eligible (as an OS) before submitting. The schedule of SG17 essentially uses live meetings once every six months, so this would probably result in a mid-2019 submission, assuming you support it.

    RECOMMENDATION.  If we are correct that your preference is to submit Versions 2.X, then we suggest that OASIS reply to this inquiry now, with a polite and encouraging indication that the TC expects to submit the completed version to ITU as soon as they're available, within a few months. That would allow us to provide a positive statement as feedback to the January 2019 meeting, for which planning is now underway.

    ACTION REQUESTED. Would you please let us (and the TC) know if there's any objection to that approach?  We'll plan to send the "version 2 coming soon" message, as described above, which requires no TC vote, if we hear no objections.

    If on the other hand, there is TC sentiment to send completed Versions 1 to ITU for consideration for promotion and republication as "ITU-T Recommendations" (their version of international standards), then please advise your TC leadership and my colleague Chet Ensign, as that could be done by a web ballot TC vote at any time and a short public notice to the membership.
     
    Please feel free to contact Chet or me if you have any questions.  
    Kind regards
    Jamie
     
      [1]  Including SAML, XACML and CAP (an emergency services resources info protocol).
      [2]   https://www.oasis-open.org/policies-guidelines/liaison#submitwork
     

    James Bryce Clark, General Counsel
    OASIS: Advancing open data, code and standards for the information society

    https://www.oasis-open.org/staff
    EU Commission 2018 Rolling Plan for Open ICT Standards: http://j.mp/EUstds2018
    OASIS Borderless Cybersecurity conference, October 2018:
    https://us18.borderlesscyber.org/en/

    Previously Prague 2017, NYC 2017, Tokyo 2016, Brussels 2016, World Bank 2015
    [attachment "image001.jpg" deleted by Jason Keirstead/CanEast/IBM]








     

    --











    /chet 
    ----------------


    Chet Ensign


    Chief Technical Community Steward
    OASIS: Advancing open standards for the information society
    http://www.oasis-open.org

    Primary: +1 973-996-2298
    Mobile: +1 201-341-1393 
















  • 6.  Re: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply

    Posted 12-13-2018 19:31
    Hi Sarah,

    I'm sure Jamie will work on whatever you all feel is realistic and feasible. He is working as our point of contact but you all are in the driver's seat.

    In terms of what's possible, STIX and TAXII V2.0 are Committee Specifications. The TC can advance them to OASIS Standard by (a) gathering 3 or more Statements of Use for each, (b) passing a Special Majority Vote to approve presenting them to the members as Candidate OASIS Standards, (c) completing 60-day public reviews of the COSs, and finally (d) passing the Call for Consent as OASIS Standards. I think that can be done by summer.

    Versions 2.1 are still in the draft stage. So there you need at least your first 30-day public reviews and the Special Majority Votes to approve them as Committee Specifications - plus working time for associated logistics. And, unless I am mistaken, the work on the specs is still very active. So OS for 2.1 by summer is unlikely based on my experience.

    Best,

    /chet

    On Thu, Dec 13, 2018 at 2:16 PM Kelley, Sarah E. < skelley@mitre.org > wrote:

    This drives to the point of my question. It sounds like he wants to announce in January that they'll be working towards getting STIX/TAXII into ITU in the summer. Yet it requires that STIX/TAXII be full Oasis standards in order to do that, and they currently aren't. Is it even possible for us (timing-wise) to meet that deadline? Given the pace at which things move in the TC, my concern is that we would say "Yes of course!" and then fail to meet the deadline by not getting them into full Oasis Standards by the ITU deadline.

    Thanks,

    Sarah Kelley
    Lead Cybersecurity Engineer, T8B2
    Defensive Operations
    The MITRE Corporation
    703-983-6242
    skelley@mitre.org


  • 7.  Re: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply

    Posted 12-13-2018 19:38
    2.1 is unrealistic, in any near timeframe. It's not ready.

    My question is more around how we could progress 2.0 through to be a full standard. This would still not be possible for January. However, it would be possible for the summer, which is the next meeting.

    -
    Jason Keirstead
    Lead Architect - IBM Security Connect
    www.ibm.com/security

    "Things may come to those who wait, but only the things left by those who hustle." - Unknown



  • 8.  Re: [EXT] RE: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply

    Posted 12-14-2018 17:05
    I for one would rather not send 2.0 versions. We know 2.0 has some rough edges and we do not want the world adopting 2.0. We want them adopting 2.1.

    TAXII 2.1 is almost done. We should be ready for the public review period to open on Monday. That will last 30 days, so mid January. We will need to do another CSD ballot and another 15 day Public Review after that, so TAXII could be a CS by end of February.

    STIX 2.1 on the other hand is a bit farther out. But I think if we brought it up to the full TC that we have an "opportunity" to send our work to the ITU, this may be a driving force to get STIX 2.1 done. It is very possible for us to get the cyber observable piece done in January. We could finish Malware and Infrastructure based on this new Cyber Observables by mid February if we worked hard. Then given the process, it would take 2 more months for ballots and public reviews. So we could potentially have a STIX 2.1 CS first of May.

    Yes this means that neither of these are official OASIS Standards. But we could then take them to that level and have them done by end of July. Yes this means we would have our work cut out for us. But if we tell the full TC and spin it in the right way, this could be an opportunity.

    Once the ITU adopts something (X.500, X.509, both of which you should be familiar with) then the standard can be implemented in national standards and national policies. We do not want national policies saying to implement 2.0 when we know it has rough edges. This will force us to live with 2.0 for 20 years.

    Bret
Kind regards Jamie     [1]  Including SAML, XACML and CAP (an emergency services resources info protocol).   [2]   https://www.oasis-open.org/policies-guidelines/liaison#submitwork   James Bryce Clark, General Counsel OASIS: Advancing open data, code and standards for the information society https://www.oasis-open.org/staff EU Commission 2018 Rolling Plan for Open ICT Standards: http://j.mp/EUstds2018 OASIS Borderless Cybersecurity conference, October 2018: https://us18.borderlesscyber.org/en/ Previously Prague 2017 , NYC 2017 , Tokyo 2016 , Brussels 2016 , World Bank 2015 [attachment "image001.jpg" deleted by Jason Keirstead/CanEast/IBM]   -- /chet  ---------------- Chet Ensign Chief Technical Community Steward OASIS: Advancing open standards for the information society http://www.oasis-open.org Primary: +1 973-996-2298 Mobile: +1 201-341-1393 


  • 9.  Re: [EXT] Re: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply

    Posted 12-14-2018 16:47



    I attend the ITU and my colleague is a working party chair. Also Juan Gonzalez from DHS is on the US delegation.  We will not let the ITU adopt version 1.  


    At the last ITU meeting when this topic came up and I addressed the body I said that only the newer version 2 is what we should do.  


    Bret 

    Sent from my Commodore 64 


    PGP
    Fingerprint:  63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050


    On Dec 13, 2018, at 10:58 AM, Allan Thomson <athomson@lookingglasscyber.com> wrote:

    Regardless of when STIX2 becomes a full approved standard I think OASIS guidance to ITU-T should be that they should not standardize a standard (version1) that is already being replaced for good reason.
     
    I think it makes ITU-T look foolish and disconnected. But if they want to do that then go ahead. It's just an opinion.
     

    Allan Thomson
    CTO (+1-408-331-6646)
    LookingGlass Cyber Solutions

    From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "Kelley, Sarah E." <skelley@mitre.org>
    Date: Thursday, December 13, 2018 at 9:54 AM
    To: Allan Thomson <athomson@lookingglasscyber.com>, "jamie.clark@oasis-open.org" <jamie.clark@oasis-open.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, "Struse, Richard J." <rjs@mitre.org>, "trey.darley@cert.be" <trey.darley@cert.be>
    Cc: Chet Ensign <chet.ensign@oasis-open.org>
    Subject: RE: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply


     

    If we would prefer to use STIX/TAXII 2, does this require that some form of STIX 2 and TAXII 2 be a full Oasis standard before next summer? Am I reading that correctly?

     

    Sarah Kelley
    Lead Cybersecurity Engineer, T8B2
    Defensive Operations
    The MITRE Corporation
    703-983-6242
    skelley@mitre.org

     


    From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> On Behalf Of Allan Thomson
    Sent: Thursday, December 13, 2018 12:02 PM
    To: Jamie Clark <jamie.clark@oasis-open.org>; OASIS CTI TC Discussion List <cti@lists.oasis-open.org>; Struse, Richard J. <rjs@mitre.org>; trey.darley@cert.be
    Cc: Chet Ensign <chet.ensign@oasis-open.org>
    Subject: Re: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply


     
    The importance of making sure VERSION 2 is the version to be considered as the primary standard for CTI sharing cannot be understated.
     
    The market already does not understand the important and significant differences between v1 and v2.
     
    I strongly suggest that OASIS make sure the ITU-T does everything it can to adopt version 2 not 1.
     

    Allan Thomson
    CTO (+1-408-331-6646)
    LookingGlass Cyber Solutions

    From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "jamie.clark@oasis-open.org" <jamie.clark@oasis-open.org>
    Date: Thursday, December 13, 2018 at 8:49 AM
    To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, "Struse, Richard J." <rjs@mitre.org>, "trey.darley@cert.be" <trey.darley@cert.be>
    Cc: Chet Ensign <chet.ensign@oasis-open.org>
    Subject: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply


     




    Dear members of the CTI TC:

    After consultation with your chairs, they asked us to share this (attached) communication from ITU-T's Study Group 17 (on cybersecurity), inquiring about a contribution of STIX and TAXII for their endorsement and approval.

    BACKGROUND.  OASIS has contributed many standards to global de jure standards bodies like ITU-T, including a number successfully approved by ITU's SG17. [1]  The ground rules for doing so can be found in the OASIS liaison policy [2].  There are several process requirements, which include OASIS Standard status, and an approval vote from the originating TC.

    Staff's view is that submission is appropriate and expected to be successful. OASIS submissions to the study group occur with the condition that, while comments are welcome, only the final approved version of the OASIS submission can be considered ... in other words, the ITU panel would not have the right to make changes as part of its approval process.

    CONSIDERATIONS FOR THIS SUBMISSION.  Your Versions 1 of STIX and TAXII have become OASIS Standards, as you know. Your work on bringing your Versions 2 to that status is ongoing. Our understanding with your leadership was that, while the Versions 1 are not officially deprecated, your TC wishes to encourage implementation of the newer (and differently scheme-ad) Versions 2; so a promotion of Versions 1 to international standard status at this time might not achieve your goals. We have been advised that you likely would wish to submit both STIX and TAXII together, and wait until both versions are eligible (as an OS) before submitting. The schedule of SG17 essentially uses live meetings once every six months, so this would probably result in a mid-2019 submission, assuming you support it.

    RECOMMENDATION.  If we are correct that your preference is to submit Versions 2.X, then we suggest that OASIS reply to this inquiry now, with a polite and encouraging indication that the TC expects to submit the completed version to ITU as soon as they're available, within a few months. That would allow us to provide a positive statement as feedback to the January 2019 meeting, for which planning is now underway.

    ACTION REQUESTED. Would you please let us (and the TC) know if there's any objection to that approach?  We'll plan to send the "version 2 coming soon" message, as described above, which requires no TC vote, if we hear no objections.

    If on the other hand, there is TC sentiment to send completed Versions 1 to ITU for consideration for promotion and republication as "ITU-T Recommendations" (their version of international standards), then please advise your TC leadership and my colleague Chet Ensign, as that could be done by a web ballot TC vote at any time and a short public notice to the membership.


     


    Please feel free to contact Chet or me if you have any questions. 




    Kind regards


    Jamie

     


    [1]  Including SAML, XACML and CAP (an emergency services resources info protocol).

    [2]  https://www.oasis-open.org/policies-guidelines/liaison#submitwork

    James Bryce Clark, General Counsel
    OASIS: Advancing open data, code and standards for the information society
    https://www.oasis-open.org/staff

    EU Commission 2018 Rolling Plan for Open ICT Standards: http://j.mp/EUstds2018
    OASIS Borderless Cybersecurity conference, October 2018: https://us18.borderlesscyber.org/en/
    Previously Prague 2017, NYC 2017, Tokyo 2016, Brussels 2016, World Bank 2015

  • 10.  Re: [EXT] Re: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply

    Posted 12-14-2018 16:51
    On Fri, Dec 14, 2018 Bret Jordan <Bret_Jordan@symantec.com> wrote:

    I attend the ITU and my colleague is a working party chair. Also Juan Gonzalez from DHS is on the US delegation. We will not let the ITU adopt version 1.

    At the last ITU meeting when this topic came up and I addressed the body I said that only the newer version 2 is what we should do.

    FWIW, not much risk of that, as OASIS would have to give them permission first -- ITU CS is very good about permissions issues -- and the guidance we are getting from the TC is not to do so.

    Cordially
    JBC