OASIS Cyber Threat Intelligence (CTI) TC

Expand all | Collapse all

Re: [cti] Update from STIX Package renaming Mini-Group

  • 1.  Re: [cti] Update from STIX Package renaming Mini-Group

    Posted 05-03-2016 15:21





    As discussed on the call today I would like to propose that we add an identifier attribute for the bundle so that it can be tracked.



    {
      "type": "bundle",
      "spec_version": "stix-2.0”,
      “id”: “bundle--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f"
      "indicators": [
        {
          "type": "indicator",
          "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
          "created_by_ref": "source--f431f809-377b-45e0-aa1c-6a4751cae5ff",
          "created_time": "2016-04-29T14:09:00.123456Z",
          "revision": 1,
          "modified_time: "2016-04-29T14:09:00.123456Z",
          "object_marking_refs": ["marking-definition--089a6ecb-cc15-43cc-9494-767639779123"],
          "title": "Poison Ivy Malware",
          "description": "This file is part of Poison Ivy",
          "pattern": "file-object.hashes.md5 = '3773a88f65a5e780c8dff9cdc3a056f3'"
        }
      ],
      {
        "type": "marking-definition",
        "id": "marking-definition--089a6ecb-cc15-43cc-9494-767639779123",
        "created_time": "2016-02-19T09:11:01Z",
        "definition_type": "tlp",
        "definition": {
          "tlp": "GREEN"
        }
      }
    }












    From: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org > on behalf of Mark Davidson < mdavidson@soltra.com >
    Date: Friday, April 29, 2016 at 9:56 AM
    To: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject: [cti] Update from STIX Package renaming Mini-Group







    All,




    Here is a quick update from the STIX Package name mini-group. The mini group is proposing:

    Renaming STIX-Package to STIX-Bundle STIX-bundle is simply a transport container STIX-Bundle is a grouping of STIX content that isn’t required to be related (it MIGHT be related, but being in the same bundle doesn’t mean it’s related) Removing all TLO Common Properties (with an open question about Data Markings)

    Removed properties: id, created_by_ref, created_time, revision, modified_time, revoked, revision_comment, confidence, object_markings_refs, granular_markings
    STIX-Bundle will keep the `spec_version` property All content in the bundle MUST be the same STIX version (identified by spec_version)

    There is an open question about whether Data Markings should be in the STIX-Bundle. Arguments for keeping it are:

    The group seemed to have consensus that Bundle-level markings were desired, but evidence was difficult for the mini-group to find. Certain sharing communities would appreciate the simplicity of package marking. It makes objects look smaller and is more natural for people who are new to the specs

    Arguments for removing it are:

    Data Marking at the bundle level is “two ways of doing things” - on-the-object markings and on-the-bundle markings
    TLO signatures will not be valid when the Bundle-level markings are used


    Thank you.
    -Mark











  • 2.  Re: [cti] Update from STIX Package renaming Mini-Group

    Posted 05-03-2016 16:07
    Based on the discussion on the call today, I have implemented those changes.  Everyone, please review and make comments and suggestions in the docs. https://docs.google.com/document/d/1YcEtyUGdFkJIPdDZ7K-mHbvjFt-5pOL2EIw_ZJuqNpM/edit#heading=h.c9oxowopqs2 Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.   On May 3, 2016, at 09:21, Allan Thomson < athomson@lookingglasscyber.com > wrote: As discussed on the call today I would like to propose that we add an identifier attribute for the bundle so that it can be tracked. {   type : bundle ,   spec_version : stix-2.0”,   “id”: “bundle--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f   indicators : [     {       type : indicator ,       id : indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f ,       created_by_ref : source--f431f809-377b-45e0-aa1c-6a4751cae5ff ,       created_time : 2016-04-29T14:09:00.123456Z ,       revision : 1,       modified_time:  2016-04-29T14:09:00.123456Z ,       object_marking_refs : [ marking-definition--089a6ecb-cc15-43cc-9494-767639779123 ],       title : Poison Ivy Malware ,       description : This file is part of Poison Ivy ,       pattern : file-object.hashes.md5 = '3773a88f65a5e780c8dff9cdc3a056f3'     }   ],   {     type : marking-definition ,     id : marking-definition--089a6ecb-cc15-43cc-9494-767639779123 ,     created_time : 2016-02-19T09:11:01Z ,     definition_type : tlp ,     definition : {       tlp : GREEN     }   } } From: cti@lists.oasis-open.org < cti@lists.oasis-open.org > on behalf of Mark Davidson < mdavidson@soltra.com > Date: Friday, April 29, 2016 at 9:56 AM To: cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject: [cti] Update from STIX Package renaming Mini-Group All, Here is a quick update from the STIX Package name mini-group. The mini group is proposing: Renaming STIX-Package to STIX-Bundle STIX-bundle is simply a transport container STIX-Bundle is a grouping of STIX content that isn’t required to be related (it MIGHT be related, but being in the same bundle doesn’t mean it’s related) Removing all TLO Common Properties (with an open question about Data Markings) Removed properties: id, created_by_ref, created_time, revision, modified_time, revoked, revision_comment, confidence, object_markings_refs, granular_markings STIX-Bundle will keep the `spec_version` property All content in the bundle MUST be the same STIX version (identified by spec_version) There is an open question about whether Data Markings should be in the STIX-Bundle. Arguments for keeping it are: The group seemed to have consensus that Bundle-level markings were desired, but evidence was difficult for the mini-group to find. Certain sharing communities would appreciate the simplicity of package marking. It makes objects look smaller and is more natural for people who are new to the specs Arguments for removing it are: Data Marking at the bundle level is “two ways of doing things” - on-the-object markings and on-the-bundle markings TLO signatures will not be valid when the Bundle-level markings are used Thank you. -Mark Attachment: signature.asc Description: Message signed with OpenPGP using GPGMail


  • 3.  Re: [cti] Update from STIX Package renaming Mini-Group

    Posted 05-03-2016 16:09
    Open question - adding an identifier "so that it can be tracked", implies that it SHOULD be tracked. As an implementer - why do I need to track bundles, as all a bundle is is a whole bunch of content that may or may not be related? I would argue that we should not encourage the storage or tracking of the bundle structure, and therefore they should not have IDs. - Jason Keirstead STSM, Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security www.securityintelligence.com Without data, all you are is just another person with an opinion - Unknown Allan Thomson ---05/03/2016 12:23:49 PM---As discussed on the call today I would like to propose that we add an identifier attribute for the b From: Allan Thomson <athomson@lookingglasscyber.com> To: Mark Davidson <mdavidson@soltra.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> Date: 05/03/2016 12:23 PM Subject: Re: [cti] Update from STIX Package renaming Mini-Group Sent by: <cti@lists.oasis-open.org> As discussed on the call today I would like to propose that we add an identifier attribute for the bundle so that it can be tracked. { "type": "bundle", "spec_version": "stix-2.0”, “id”: “bundle--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f" "indicators": [ { "type": "indicator", "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", "created_by_ref": "source--f431f809-377b-45e0-aa1c-6a4751cae5ff", "created_time": "2016-04-29T14:09:00.123456Z", "revision": 1, "modified_time: "2016-04-29T14:09:00.123456Z", "object_marking_refs": ["marking-definition--089a6ecb-cc15-43cc-9494-767639779123"], "title": "Poison Ivy Malware", "description": "This file is part of Poison Ivy", "pattern": "file-object.hashes.md5 = '3773a88f65a5e780c8dff9cdc3a056f3'" } ], { "type": "marking-definition", "id": "marking-definition--089a6ecb-cc15-43cc-9494-767639779123", "created_time": "2016-02-19T09:11:01Z", "definition_type": "tlp", "definition": { "tlp": "GREEN" } } } From: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org > on behalf of Mark Davidson < mdavidson@soltra.com > Date: Friday, April 29, 2016 at 9:56 AM To: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org > Subject: [cti] Update from STIX Package renaming Mini-Group All, Here is a quick update from the STIX Package name mini-group. The mini group is proposing: Renaming STIX-Package to STIX-Bundle STIX-bundle is simply a transport container STIX-Bundle is a grouping of STIX content that isn’t required to be related (it MIGHT be related, but being in the same bundle doesn’t mean it’s related) Removing all TLO Common Properties (with an open question about Data Markings) Removed properties: id, created_by_ref, created_time, revision, modified_time, revoked, revision_comment, confidence, object_markings_refs, granular_markings
    STIX-Bundle will keep the `spec_version` property All content in the bundle MUST be the same STIX version (identified by spec_version) There is an open question about whether Data Markings should be in the STIX-Bundle. Arguments for keeping it are: The group seemed to have consensus that Bundle-level markings were desired, but evidence was difficult for the mini-group to find. Certain sharing communities would appreciate the simplicity of package marking. It makes objects look smaller and is more natural for people who are new to the specs Arguments for removing it are: Data Marking at the bundle level is “two ways of doing things” - on-the-object markings and on-the-bundle markings TLO signatures will not be valid when the Bundle-level markings are used Thank you. -Mark




  • 4.  Re: [cti] Update from STIX Package renaming Mini-Group

    Posted 05-03-2016 17:04
    I agree with Jason... I know the request on the call was about how do you know if you did not get a bundle.  That seems to be an implementation / transport level issue, not a language level issue. Allan / Terry? Thoughts?   Is there another way of doing what you asked without having an ID field? Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.   On May 3, 2016, at 10:08, Jason Keirstead < Jason.Keirstead@ca.ibm.com > wrote: Open question - adding an identifier so that it can be tracked , implies that it SHOULD be tracked. As an implementer - why do I need to track bundles, as all a bundle is is a whole bunch of content that may or may not be related? I would argue that we should not encourage the storage or tracking of the bundle structure, and therefore they should not have IDs. - Jason Keirstead STSM, Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security www.securityintelligence.com Without data, all you are is just another person with an opinion - Unknown <graycol.gif> Allan Thomson ---05/03/2016 12:23:49 PM---As discussed on the call today I would like to propose that we add an identifier attribute for the b From: Allan Thomson < athomson@lookingglasscyber.com > To: Mark Davidson < mdavidson@soltra.com >, cti@lists.oasis-open.org < cti@lists.oasis-open.org > Date: 05/03/2016 12:23 PM Subject: Re: [cti] Update from STIX Package renaming Mini-Group Sent by: < cti@lists.oasis-open.org > As discussed on the call today I would like to propose that we add an identifier attribute for the bundle so that it can be tracked. { type : bundle , spec_version : stix-2.0”, “id”: “bundle--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f indicators : [ { type : indicator , id : indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f , created_by_ref : source--f431f809-377b-45e0-aa1c-6a4751cae5ff , created_time : 2016-04-29T14:09:00.123456Z , revision : 1, modified_time: 2016-04-29T14:09:00.123456Z , object_marking_refs : [ marking-definition--089a6ecb-cc15-43cc-9494-767639779123 ], title : Poison Ivy Malware , description : This file is part of Poison Ivy , pattern : file-object.hashes.md5 = '3773a88f65a5e780c8dff9cdc3a056f3' } ], { type : marking-definition , id : marking-definition--089a6ecb-cc15-43cc-9494-767639779123 , created_time : 2016-02-19T09:11:01Z , definition_type : tlp , definition : { tlp : GREEN } } } From: cti@lists.oasis-open.org < cti@lists.oasis-open.org > on behalf of Mark Davidson < mdavidson@soltra.com > Date: Friday, April 29, 2016 at 9:56 AM To: cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject: [cti] Update from STIX Package renaming Mini-Group All, Here is a quick update from the STIX Package name mini-group. The mini group is proposing: Renaming STIX-Package to STIX-Bundle STIX-bundle is simply a transport container STIX-Bundle is a grouping of STIX content that isn’t required to be related (it MIGHT be related, but being in the same bundle doesn’t mean it’s related) Removing all TLO Common Properties (with an open question about Data Markings) Removed properties: id, created_by_ref, created_time, revision, modified_time, revoked, revision_comment, confidence, object_markings_refs, granular_markings STIX-Bundle will keep the `spec_version` property All content in the bundle MUST be the same STIX version (identified by spec_version) There is an open question about whether Data Markings should be in the STIX-Bundle. Arguments for keeping it are: The group seemed to have consensus that Bundle-level markings were desired, but evidence was difficult for the mini-group to find. Certain sharing communities would appreciate the simplicity of package marking. It makes objects look smaller and is more natural for people who are new to the specs Arguments for removing it are: Data Marking at the bundle level is “two ways of doing things” - on-the-object markings and on-the-bundle markings TLO signatures will not be valid when the Bundle-level markings are used Thank you. -Mark Attachment: signature.asc Description: Message signed with OpenPGP using GPGMail


  • 5.  Re: [cti] Update from STIX Package renaming Mini-Group

    Posted 05-03-2016 17:08
    That seems like a TAXII level problem, if anything. I don't see how having IDs would even solve that problem, without changes to TAXII to allow someone to say something like "bundle recieved" - Jason Keirstead STSM, Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security www.securityintelligence.com Without data, all you are is just another person with an opinion - Unknown "Jordan, Bret" ---05/03/2016 02:03:49 PM---I agree with Jason... I know the request on the call was about how do you know if you did not get a From: "Jordan, Bret" <bret.jordan@bluecoat.com> To: Jason Keirstead/CanEast/IBM@IBMCA Cc: Allan Thomson <athomson@lookingglasscyber.com>, Mark Davidson <mdavidson@soltra.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> Date: 05/03/2016 02:03 PM Subject: Re: [cti] Update from STIX Package renaming Mini-Group Sent by: <cti@lists.oasis-open.org> I agree with Jason... I know the request on the call was about how do you know if you did not get a bundle. That seems to be an implementation / transport level issue, not a language level issue. Allan / Terry? Thoughts? Is there another way of doing what you asked without having an ID field? Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
    On May 3, 2016, at 10:08, Jason Keirstead < Jason.Keirstead@ca.ibm.com > wrote:
    Open question - adding an identifier "so that it can be tracked", implies that it SHOULD be tracked. As an implementer - why do I need to track bundles, as all a bundle is is a whole bunch of content that may or may not be related? I would argue that we should not encourage the storage or tracking of the bundle structure, and therefore they should not have IDs. - Jason Keirstead STSM, Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security www.securityintelligence.com Without data, all you are is just another person with an opinion - Unknown <graycol.gif> Allan Thomson ---05/03/2016 12:23:49 PM---As discussed on the call today I would like to propose that we add an identifier attribute for the b From: Allan Thomson < athomson@lookingglasscyber.com > To: Mark Davidson < mdavidson@soltra.com >, " cti@lists.oasis-open.org " < cti@lists.oasis-open.org > Date: 05/03/2016 12:23 PM Subject: Re: [cti] Update from STIX Package renaming Mini-Group Sent by: < cti@lists.oasis-open.org >
    As discussed on the call today I would like to propose that we add an identifier attribute for the bundle so that it can be tracked. { "type": "bundle", "spec_version": "stix-2.0”, “id”: “bundle--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f" "indicators": [ { "type": "indicator", "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", "created_by_ref": "source--f431f809-377b-45e0-aa1c-6a4751cae5ff", "created_time": "2016-04-29T14:09:00.123456Z", "revision": 1, "modified_time: "2016-04-29T14:09:00.123456Z", "object_marking_refs": ["marking-definition--089a6ecb-cc15-43cc-9494-767639779123"], "title": "Poison Ivy Malware", "description": "This file is part of Poison Ivy", "pattern": "file-object.hashes.md5 = '3773a88f65a5e780c8dff9cdc3a056f3'" } ], { "type": "marking-definition", "id": "marking-definition--089a6ecb-cc15-43cc-9494-767639779123", "created_time": "2016-02-19T09:11:01Z", "definition_type": "tlp", "definition": { "tlp": "GREEN" } } } From: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org > on behalf of Mark Davidson < mdavidson@soltra.com > Date: Friday, April 29, 2016 at 9:56 AM To: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org > Subject: [cti] Update from STIX Package renaming Mini-Group All, Here is a quick update from the STIX Package name mini-group. The mini group is proposing: Renaming STIX-Package to STIX-Bundle STIX-bundle is simply a transport container STIX-Bundle is a grouping of STIX content that isn’t required to be related (it MIGHT be related, but being in the same bundle doesn’t mean it’s related) Removing all TLO Common Properties (with an open question about Data Markings) Removed properties: id, created_by_ref, created_time, revision, modified_time, revoked, revision_comment, confidence, object_markings_refs, granular_markings
    STIX-Bundle will keep the `spec_version` property All content in the bundle MUST be the same STIX version (identified by spec_version) There is an open question about whether Data Markings should be in the STIX-Bundle. Arguments for keeping it are: The group seemed to have consensus that Bundle-level markings were desired, but evidence was difficult for the mini-group to find. Certain sharing communities would appreciate the simplicity of package marking. It makes objects look smaller and is more natural for people who are new to the specs Arguments for removing it are: Data Marking at the bundle level is “two ways of doing things” - on-the-object markings and on-the-bundle markings TLO signatures will not be valid when the Bundle-level markings are used Thank you. -Mark [attachment "signature.asc" deleted by Jason Keirstead/CanEast/IBM]




  • 6.  Re: [cti] Update from STIX Package renaming Mini-Group

    Posted 05-03-2016 20:52
    Jason Keirstead wrote this message on Tue, May 03, 2016 at 14:07 -0300: > That seems like a TAXII level problem, if anything. > > I don't see how having IDs would even solve that problem, without changes > to TAXII to allow someone to say something like "bundle recieved" I agree... I don't think Bundles should have IDs. We decided that STIX was going to be a transport mechanism, not a document format. If you don't have the TLO's you need, then you need to request the missing TLO's from your higher level transport, ala Bret's example w/ TAXII or via your transport mechanism. As soon as you add an ID to a STIX Bundle, you are now adding meaning to the grouping and we loose the Bundle is just a set of (possibly) unrelated STIX objects. > From: "Jordan, Bret" <bret.jordan@bluecoat.com> > To: Jason Keirstead/CanEast/IBM@IBMCA > Cc: Allan Thomson <athomson@lookingglasscyber.com>, Mark Davidson > <mdavidson@soltra.com>, "cti@lists.oasis-open.org" > <cti@lists.oasis-open.org> > Date: 05/03/2016 02:03 PM > Subject: Re: [cti] Update from STIX Package renaming Mini-Group > Sent by: <cti@lists.oasis-open.org> > > > > I agree with Jason... I know the request on the call was about how do you > know if you did not get a bundle. That seems to be an implementation / > transport level issue, not a language level issue. Allan / Terry? Thoughts? > Is there another way of doing what you asked without having an ID field? > > > Thanks, > > Bret > > > > Bret Jordan CISSP > Director of Security Architecture and Standards Office of the CTO > Blue Coat Systems > PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 > "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can > not be unscrambled is an egg." > > On May 3, 2016, at 10:08, Jason Keirstead <Jason.Keirstead@ca.ibm.com > > wrote: > > > > Open question - adding an identifier "so that it can be tracked", > implies that it SHOULD be tracked. > > As an implementer - why do I need to track bundles, as all a bundle > is is a whole bunch of content that may or may not be related? > > I would argue that we should not encourage the storage or tracking of > the bundle structure, and therefore they should not have IDs. > > - > Jason Keirstead > STSM, Product Architect, Security Intelligence, IBM Security Systems > www.ibm.com/security www.securityintelligence.com > > Without data, all you are is just another person with an opinion - > Unknown > > > <graycol.gif>Allan Thomson ---05/03/2016 12:23:49 PM---As discussed > on the call today I would like to propose that we add an identifier > attribute for the b > > From: Allan Thomson <athomson@lookingglasscyber.com> > To: Mark Davidson <mdavidson@soltra.com>, "cti@lists.oasis-open.org" > <cti@lists.oasis-open.org> > Date: 05/03/2016 12:23 PM > Subject: Re: [cti] Update from STIX Package renaming Mini-Group > Sent by: <cti@lists.oasis-open.org> > > > > > > As discussed on the call today I would like to propose that we add an > identifier attribute for the bundle so that it can be tracked. > > { > "type": "bundle", > "spec_version": "stix-2.0”, > “id”: “bundle--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f" > "indicators": [ > { > "type": "indicator", > "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", > "created_by_ref": "source--f431f809-377b-45e0-aa1c-6a4751cae5ff", > "created_time": "2016-04-29T14:09:00.123456Z", > "revision": 1, > "modified_time: "2016-04-29T14:09:00.123456Z", > "object_marking_refs": > ["marking-definition--089a6ecb-cc15-43cc-9494-767639779123"], > "title": "Poison Ivy Malware", > "description": "This file is part of Poison Ivy", > "pattern": "file-object.hashes.md5 = > '3773a88f65a5e780c8dff9cdc3a056f3'" > } > ], > { > "type": "marking-definition", > "id": "marking-definition--089a6ecb-cc15-43cc-9494-767639779123", > "created_time": "2016-02-19T09:11:01Z", > "definition_type": "tlp", > "definition": { > "tlp": "GREEN" > } > } > } > > > From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf > of Mark Davidson <mdavidson@soltra.com> > Date: Friday, April 29, 2016 at 9:56 AM > To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> > Subject: [cti] Update from STIX Package renaming Mini-Group > > All, > > Here is a quick update from the STIX Package name mini-group. The > mini group is proposing: > Renaming STIX-Package to STIX-Bundle > STIX-bundle is simply a transport container > STIX-Bundle is a grouping of STIX content that isn’t > required to be related (it MIGHT be related, but being in > the same bundle doesn’t mean it’s related) > Removing all TLO Common Properties (with an open question > about Data Markings) > Removed properties: id, created_by_ref, > created_time, revision, modified_time, > revoked, revision_comment, confidence, > object_markings_refs, granular_markings > STIX-Bundle will keep the `spec_version` property > All content in the bundle MUST be the same STIX version > (identified by spec_version) > There is an open question about whether Data Markings should be in > the STIX-Bundle. Arguments for keeping it are: > The group seemed to have consensus that Bundle-level > markings were desired, but evidence was difficult for the > mini-group to find. > Certain sharing communities would appreciate the > simplicity of package marking. > It makes objects look smaller and is more natural for > people who are new to the specs > Arguments for removing it are: > Data Marking at the bundle level is “two ways of doing > things” - on-the-object markings and on-the-bundle > markings > TLO signatures will not be valid when the Bundle-level > markings are used > > Thank you. > -Mark > > > [attachment "signature.asc" deleted by Jason Keirstead/CanEast/IBM] > -- John-Mark


  • 7.  Re: [cti] Update from STIX Package renaming Mini-Group

    Posted 05-04-2016 00:09
    I think we should have a higher bandwidth conversation on this topic (conference call) to discuss our differences and come to closure. Listening to the ‘no id’ camp I’m wondering what bundles are intended to support. I personally think there is no problem having an id in a bundle so would like to understand what is so objectionable to having one. If we don’t have one then vendors can create their own TLO that represents an id for a bundle and do it that way but would like to avoid if we can. I’m happy to provide the webex if interested parties share their preferences on time/date. How about Thu 8am PST? allan On 5/3/16, 1:52 PM, "John-Mark Gurney" <jmg@newcontext.com> wrote: >Jason Keirstead wrote this message on Tue, May 03, 2016 at 14:07 -0300: >> That seems like a TAXII level problem, if anything. >> >> I don't see how having IDs would even solve that problem, without changes >> to TAXII to allow someone to say something like "bundle recieved" > >I agree... I don't think Bundles should have IDs. > >We decided that STIX was going to be a transport mechanism, not a >document format. If you don't have the TLO's you need, then you need >to request the missing TLO's from your higher level transport, ala >Bret's example w/ TAXII or via your transport mechanism. > >As soon as you add an ID to a STIX Bundle, you are now adding meaning >to the grouping and we loose the Bundle is just a set of (possibly) >unrelated STIX objects. > >> From: "Jordan, Bret" <bret.jordan@bluecoat.com> >> To: Jason Keirstead/CanEast/IBM@IBMCA >> Cc: Allan Thomson <athomson@lookingglasscyber.com>, Mark Davidson >> <mdavidson@soltra.com>, "cti@lists.oasis-open.org" >> <cti@lists.oasis-open.org> >> Date: 05/03/2016 02:03 PM >> Subject: Re: [cti] Update from STIX Package renaming Mini-Group >> Sent by: <cti@lists.oasis-open.org> >> >> >> >> I agree with Jason... I know the request on the call was about how do you >> know if you did not get a bundle. That seems to be an implementation / >> transport level issue, not a language level issue. Allan / Terry? Thoughts? >> Is there another way of doing what you asked without having an ID field? >> >> >> Thanks, >> >> Bret >> >> >> >> Bret Jordan CISSP >> Director of Security Architecture and Standards Office of the CTO >> Blue Coat Systems >> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 >> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can >> not be unscrambled is an egg." >> >> On May 3, 2016, at 10:08, Jason Keirstead <Jason.Keirstead@ca.ibm.com >> > wrote: >> >> >> >> Open question - adding an identifier "so that it can be tracked", >> implies that it SHOULD be tracked. >> >> As an implementer - why do I need to track bundles, as all a bundle >> is is a whole bunch of content that may or may not be related? >> >> I would argue that we should not encourage the storage or tracking of >> the bundle structure, and therefore they should not have IDs. >> >> - >> Jason Keirstead >> STSM, Product Architect, Security Intelligence, IBM Security Systems >> www.ibm.com/security www.securityintelligence.com >> >> Without data, all you are is just another person with an opinion - >> Unknown >> >> >> <graycol.gif>Allan Thomson ---05/03/2016 12:23:49 PM---As discussed >> on the call today I would like to propose that we add an identifier >> attribute for the b >> >> From: Allan Thomson <athomson@lookingglasscyber.com> >> To: Mark Davidson <mdavidson@soltra.com>, "cti@lists.oasis-open.org" >> <cti@lists.oasis-open.org> >> Date: 05/03/2016 12:23 PM >> Subject: Re: [cti] Update from STIX Package renaming Mini-Group >> Sent by: <cti@lists.oasis-open.org> >> >> >> >> >> >> As discussed on the call today I would like to propose that we add an >> identifier