2.1 is unrealistic, in any near timeframe.
It's not ready. My question is more around how we could
progress 2.0 through to be a full standard. This would still not be possible
for January. However, it would be possible for the summer, which is the
next meeting.

- Jason Keirstead
Lead Architect - IBM Security Connect
www.ibm.com/security

"Things may come to those who wait, but only the things left by those
who hustle." - Unknown

From: Chet Ensign <chet.ensign@oasis-open.org>
To: "Kelley, Sarah E." <skelley@mitre.org>
Cc: Jason Keirstead <Jason.Keirstead@ca.ibm.com>, Allan Thomson <athomson@lookingglasscyber.com>, OASIS CTI TC Discussion List <cti@lists.oasis-open.org>, Jamie Clark <jamie.clark@oasis-open.org>, "Struse, Richard J." <rjs@mitre.org>, trey.darley@cert.be
Date: 12/13/2018 03:31 PM
Subject: Re: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply

Hi Sarah,

I'm sure Jamie will work on whatever you all feel is realistic
and feasible. He is working as our point of contact but you all are in
the driver's seat.

In terms of what's possible, STIX and TAXII V2.0 are
Committee Specifications. The TC can advance them to OASIS Standard by
(a) gathering 3 or more Statements of Use for each, (b) passing a Special
Majority Vote to approve presenting them to the members as Candidate OASIS
Standards, (c) completing 60-day public reviews of the COSs, and finally
(d) passing the Call for Consent as OASIS Standards. I think that can be
done by summer.

Versions 2.1 are still in the draft stage. So there you
need at least your first 30-day public reviews and the Special Majority
Votes to approve them as Committee Specifications - plus working time for
associated logistics. And, unless I am mistaken, the work on the specs
is still very active. So OS for 2.1 by summer is unlikely based on my experience.

Best,

/chet

On Thu, Dec 13, 2018 at 2:16 PM Kelley, Sarah E. <skelley@mitre.org> wrote:

This drives to the point of my question. It sounds like
he wants to announce in January that they'll be working towards getting
STIX/TAXII into ITU in the summer. Yet it requires that STIX/TAXII be full
Oasis standards in order to do that, and they currently aren't. Is it
even possible for us (timing-wise) to meet that deadline? Given the pace
at which things move in the TC, my concern is that we would say "Yes of
course!" and then fail to meet the deadline by not getting them into full
Oasis Standards by the ITU deadline.

Thanks,

Sarah Kelley
Lead Cybersecurity Engineer, T8B2
Defensive Operations
The MITRE Corporation
703-983-6242
skelley@mitre.org

From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> On Behalf Of Chet Ensign
Sent: Thursday, December 13, 2018 1:59 PM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: Allan Thomson <athomson@lookingglasscyber.com>; OASIS CTI TC Discussion List <cti@lists.oasis-open.org>; Jamie Clark <jamie.clark@oasis-open.org>; Struse, Richard J. <rjs@mitre.org>; Kelley, Sarah E. <skelley@mitre.org>; trey.darley@cert.be
Subject: Re: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply

Oh and also, that is not an ITU requirement, it is our
own OASIS policy.

On Thu, Dec 13, 2018 at 1:25 PM Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:

I agree with Allan.

Furthermore, I believe that if it requires for 2.0 to be a full OASIS standard
- that perhaps we should go down that path.

IE - roadblocking this on 2.1 and that yet-to-be-determined timeframe,
is not IMO a good idea whatsoever.

Can we get clarity on what level of specification ITU requires - CSD, CS,
COS, OASIS Standard?

- Jason Keirstead
Lead Architect - IBM Security Connect
www.ibm.com/security

"Things may come to those who wait, but only the things left by those
who hustle." - Unknown

From: Allan Thomson <athomson@lookingglasscyber.com>
To: "Kelley, Sarah E." <skelley@mitre.org>, Jamie Clark <jamie.clark@oasis-open.org>, OASIS CTI TC Discussion List <cti@lists.oasis-open.org>, "Struse, Richard J." <rjs@mitre.org>, "trey.darley@cert.be" <trey.darley@cert.be>
Cc: Chet Ensign <chet.ensign@oasis-open.org>
Date: 12/13/2018 01:58 PM
Subject: Re: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply
Sent by: <cti@lists.oasis-open.org>

Regardless of when STIX2 becomes a full approved standard I think OASIS
guidance to ITU-T should be that they should not standardize a standard
(version1) that is already being replaced for good reason. I think it makes ITU-T look foolish and disconnected. But if they want
to do that then go ahead. It's just an opinion.

Allan Thomson
CTO (+1-408-331-6646)
LookingGlass Cyber Solutions

From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "Kelley, Sarah E." <skelley@mitre.org>
Date: Thursday, December 13, 2018 at 9:54 AM
To: Allan Thomson <athomson@lookingglasscyber.com>, "jamie.clark@oasis-open.org" <jamie.clark@oasis-open.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, "Struse, Richard J." <rjs@mitre.org>, "trey.darley@cert.be" <trey.darley@cert.be>
Cc: Chet Ensign <chet.ensign@oasis-open.org>
Subject: RE: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply

If we would prefer to use STIX/TAXII 2, does this require that some form
of STIX 2 and TAXII 2 be a full Oasis standard before next summer? Am I
reading that correctly?

Sarah Kelley
Lead Cybersecurity Engineer, T8B2
Defensive Operations
The MITRE Corporation
703-983-6242
skelley@mitre.org

From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> On Behalf Of Allan Thomson
Sent: Thursday, December 13, 2018 12:02 PM
To: Jamie Clark <jamie.clark@oasis-open.org>; OASIS CTI TC Discussion List <cti@lists.oasis-open.org>; Struse, Richard J. <rjs@mitre.org>; trey.darley@cert.be
Cc: Chet Ensign <chet.ensign@oasis-open.org>
Subject: Re: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply

The importance of making sure VERSION 2 is the version to be considered as
the primary standard for CTI sharing cannot be understated. The market already does not understand the important and significant differences
between v1 and v2. I strongly suggest that OASIS make sure the ITU-T does everything it can
to adopt version 2 not 1.

Allan Thomson
CTO (+1-408-331-6646)
LookingGlass Cyber Solutions

From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "jamie.clark@oasis-open.org" <jamie.clark@oasis-open.org>
Date: Thursday, December 13, 2018 at 8:49 AM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, "Struse, Richard J." <rjs@mitre.org>, "trey.darley@cert.be" <trey.darley@cert.be>
Cc: Chet Ensign <chet.ensign@oasis-open.org>
Subject: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply

Dear members of the CTI TC:

After consultation with your chairs, they asked us to share this (attached)
communication from ITU-T's Study Group 17 (on cybersecurity),
inquiring about a contribution of STIX and TAXII for their endorsement
and approval.

BACKGROUND. OASIS has contributed many standards to global de jure
standards bodies like ITU-T, including a number successfully approved by
ITU's SG17. [1] The ground rules for doing so can be found in the
OASIS liaison policy [2]. There are several process requirements, which
include OASIS Standard status, and an approval vote from the originating TC.
Staff's view is that submission is appropriate and expected to be successful.
OASIS submissions to the study group occur with the condition that, while
comments are welcome, only the final approved version of the OASIS
submission can be considered ... in other words, the ITU panel
would not have the right to make changes as part of its
approval process.

CONSIDERATIONS FOR THIS SUBMISSION. Your Versions 1 of STIX and TAXII have
become OASIS Standards, as you know. Your work on bringing your Versions 2
to that status is ongoing. Our understanding with your leadership was that,
while the Versions 1 are not officially deprecated, your TC wishes to
encourage implementation of the newer (and differently scheme-ad) Versions 2;
so a promotion of Versions 1 to international standard status at this time
might not achieve your goals. We have been advised that you likely would wish
to submit both STIX and TAXII together, and wait until both versions are
eligible (as an OS) before submitting. The schedule of SG17 essentially uses
live meetings once every six months, so this would probably result in a
mid-2019 submission, assuming you support it.

RECOMMENDATION. If we are correct that your preference is to submit
Versions 2.X, then we suggest that OASIS reply to this inquiry now, with a
polite and encouraging indication that the TC expects to submit the completed
version to ITU as soon as they're available, within a few months. That would
allow us to provide a positive statement as feedback to the January 2019
meeting, for which planning is now underway.

ACTION REQUESTED. Would you please let us (and the TC) know if there's
any objection to that approach? We'll plan to send the "version
2 coming soon" message, as described above, which requires no TC vote,
if we hear no objections.

If on the other hand, there is TC sentiment to send completed Versions 1
to ITU for consideration for promotion and republication as "ITU-T
Recommendations" (their version of international standards), then please
advise your TC leadership and my colleague Chet Ensign, as that could be
done by a web ballot TC vote at any time and a short public notice to the
membership.

Please feel free to contact Chet or me if you have any questions.

Kind regards

Jamie

[1] Including SAML, XACML and CAP (an emergency services resources info protocol).
[2] https://www.oasis-open.org/policies-guidelines/liaison#submitwork

James Bryce Clark, General Counsel
OASIS: Advancing open data, code and standards for the information society
https://www.oasis-open.org/staff
EU Commission 2018 Rolling Plan for Open ICT Standards: http://j.mp/EUstds2018
OASIS Borderless Cybersecurity conference, October 2018: https://us18.borderlesscyber.org/en/
Previously Prague 2017, NYC 2017, Tokyo 2016, Brussels 2016, World Bank 2015

[attachment "image001.jpg" deleted by Jason Keirstead/CanEast/IBM]

--
/chet
----------------
Chet Ensign
Chief Technical Community Steward
OASIS: Advancing open standards for the information society
http://www.oasis-open.org
Primary: +1 973-996-2298
Mobile: +1 201-341-1393

[attachment "image002.jpg" deleted by Jason Keirstead/CanEast/IBM]