CTI STIX Subcommittee

  • 1.  Re: [cti-users] Model / Binding Motions

    Posted 10-06-2015 18:15




    I do not believe that we are at all ready to be making any decisions on MTI or even really on default bindings yet.


    Before such decisions can be made we first need four things:

    * Understanding and consensus on the requirements and evaluation criteria that should be used to select an MTI or default binding
    * Identification and understanding of potential binding options and their capabilities and limitations
    * Understanding of how each potential binding option meets or does not meet the consensus requirements and evaluation criteria
    * Understanding of member opinions and preferences


    We simply do not have any of these things yet. Ongoing discussions on the list demonstrate that clearly, I believe.
    Even if we had all of the above worked out for our current knowledge, we still would not necessarily have enough to make a decision today as many of the issues and proposals for STIX 2.0 changes have the likelihood of affecting the consensus requirements and evaluation criteria for an MTI.
    Any decisions made on incomplete information are likely to be poor ones.


    I would propose that attempting to cut short discussions aimed at addressing the above needs would be premature at this time.


    sean








    From: <cti-users@lists.oasis-open.org> on behalf of "Foley, Alexander - GIS"
    Date: Tuesday, October 6, 2015 at 2:05 PM
    To: "cti-users@lists.oasis-open.org", "cti-stix@lists.oasis-open.org"
    Subject: [cti-users] Model / Binding Motions








    By my count:

    1. We have Bret’s motion that we require a default binding for STIX and CybOX and it requires a second.
    a. If this motion succeeds, we have Bret’s motion that JSON be chosen as the default binding for STIX and CybOX and it requires a second.
    i. Kevin Wetzel, I apologize but I do not see you as a member of the cti committee… please follow up with myself, Rich, Chet or OASIS if that’s an incorrect assumption
    b. We also have an (alternate?) proposal from Cory that JSON-LD specifically be chosen as our default binding and it requires a second.

    I must admit this conversation has been very difficult to follow – if I’m missing a key motion that we construct a UML / RDF / OWL model that’s separate from choosing a new preferred binding / data encoding, please feel free to propose or second any motions.

    Thanks,

    Alex


     


    From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Jordan, Bret
    Sent: Tuesday, October 06, 2015 12:49 PM
    To: Aharon Chernin
    Cc: cti-users@lists.oasis-open.org; cti-stix@lists.oasis-open.org
    Subject: [cti-users] Re: [cti-stix] MTI Binding

    Sounds good...

    I would like to formally make a motion that we require a default binding for STIX 2.0 and CybOX 3.0.

    If this is agreed upon, then:

    I would like to formally make a motion that the default binding for STIX 2.0 and CybOX 3.0 be JSON.

    Thanks,

    Bret



     


     


     



    Bret Jordan CISSP
    Director of Security Architecture and Standards | Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."









     



    On Oct 6, 2015, at 10:40, Aharon Chernin <achernin@soltra.com> wrote:

    Bret, I think we need to propose that STIX, CybOX, and TAXII have to require a default binding type first. Then the MTI motion could be changed to something like, “I would like to propose that we adopt JSON as the default binding”.

    Aharon




     


    From: <cti-stix@lists.oasis-open.org> on behalf of "Jordan, Bret"
    Date: Tuesday, October 6, 2015 at 11:45 AM
    To: "cti-users@lists.oasis-open.org", "cti-stix@lists.oasis-open.org"
    Subject: [cti-stix] MTI Binding

    We have had a good discussion here and on the wiki and I have seen a lot of people advocating for JSON to be used as the MTI. While a few other options have been tossed around and discussed they do not seem to have an advocate pushing for them nor do they seem to have the broad support that JSON does.

    Therefore, I would like to formally propose that we adopt JSON as the MTI for STIX 2.0 and CybOX 3.0.


     









     


    Thanks,

    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards | Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."









     



    On Oct 6, 2015, at 06:17, Davidson II, Mark S <mdavidson@MITRE.ORG> wrote:

    I think we’re wrapped around the axle a little bit on this whole topic. I’d like to try and step back and ask some basic questions:

    1. Is anyone actually proposing JSON-LD as the MTI for STIX? I’ve seen the question asked, and I’ve seen lots of discussion. Is there somebody who would like to come forward and state their opinion that JSON-LD should be the MTI for STIX?
    Note: I see this question as a higher bar than asking who thinks we should consider it – IMO the recent discussion makes it clear that we are considering it

    2. There was an opinion that the proposed examples (the indicator and incident idioms) wouldn’t be sufficient for comparing size and complexity. What examples would be sufficient?

    3. What toolchain is required to develop software that supports using a model without any custom code? Maybe I’m missing something, but if I have a product and I want to add STIX support, won’t developers have to write code?
    I guess at its core – I hear what people are saying about models and not programming to the data syntax, I just don’t understand how that actually works (the more concrete the example the better, at least for me).

    Thank you.
    -Mark


     




     







     



    This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer. If you are not the intended recipient, please delete this message.








  • 2.  Re: [cti-stix] [cti-users] Model / Binding Motions

    Posted 10-06-2015 18:23
    We have most of this on the wiki today.


    Thanks,

    Bret



    Bret Jordan CISSP
    Director of Security Architecture and Standards | Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

    > On Oct 6, 2015, at 12:15, Barnum, Sean D. <sbarnum@mitre.org> wrote:
    >
    > I do not believe that we are at all ready to be making any decisions on MTI or even really on default bindings yet.
    >
    > Before such decisions can be made we first need four things:
    > Understanding and consensus on the requirements and evaluation criteria that should be used to select an MTI or default binding
    > Identification and understanding of potential binding options and their capabilities and limitations
    > Understanding of how each potential binding option meets or does not meet the consensus requirements and evaluation criteria
    > Understanding of member opinions and preferences
    >
    > We simply do not have any of these things yet. Ongoing discussions on the list demonstrate that clearly, I believe.
    > Even if we had all of the above worked out for our current knowledge, we still would not necessarily have enough to make a decision today as many of the issues and proposals for STIX 2.0 changes have the likelihood of affecting the consensus requirements and evaluation criteria for an MTI.
    > Any decisions made on incomplete information are likely to be poor ones.
    >
    > I would propose that attempting to cut short discussions aimed at addressing the above needs would be premature at this time.
    >
    > sean
    >
    > From: <cti-users@lists.oasis-open.org> on behalf of "Foley, Alexander - GIS"
    > Date: Tuesday, October 6, 2015 at 2:05 PM
    > To: "cti-users@lists.oasis-open.org", "cti-stix@lists.oasis-open.org"
    > Subject: [cti-users] Model / Binding Motions
    >
    > By my count:
    >
    > 1. We have Bret’s motion that we require a default binding for STIX and CybOX and it requires a second.
    > a. If this motion succeeds, we have Bret’s motion that JSON be chosen as the default binding for STIX and CybOX and it requires a second.
    > i. Kevin Wetzel, I apologize but I do not see you as a member of the cti committee… please follow up with myself, Rich, Chet or OASIS if that’s an incorrect assumption
    > b. We also have an (alternate?) proposal from Cory that JSON-LD specifically be chosen as our default binding and it requires a second.
    >
    > I must admit this conversation has been very difficult to follow – if I’m missing a key motion that we construct a UML / RDF / OWL model that’s separate from choosing a new preferred binding / data encoding, please feel free to propose or second any motions.
    >
    > Thanks,
    >
    > Alex
    >
    > From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Jordan, Bret
    > Sent: Tuesday, October 06, 2015 12:49 PM
    > To: Aharon Chernin
    > Cc: cti-users@lists.oasis-open.org; cti-stix@lists.oasis-open.org
    > Subject: [cti-users] Re: [cti-stix] MTI Binding
    >
    > Sounds good...
    >
    > I would like to formally make a motion that we require a default binding for STIX 2.0 and CybOX 3.0.
    >
    >
    > If this is agreed upon, then:
    >
    > I would like to formally make a motion that the default binding for STIX 2.0 and CybOX 3.0 be JSON.
    >
    >
    > Thanks,
    >
    > Bret
    >
    >
    >
    > Bret Jordan CISSP
    > Director of Security Architecture and Standards | Office of the CTO
    > Blue Coat Systems
    > PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    > "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
    >
    >> On Oct 6, 2015, at 10:40, Aharon Chernin <achernin@soltra.com> wrote:
    >>
    >> Bret, I think we need to propose that STIX, CybOX, and TAXII have to require a default binding type first. Then the MTI motion could be changed to something like, “I would like to propose that we adopt JSON as the default binding”.
    >>
    >> Aharon
    >>
    >> From: <cti-stix@lists.oasis-open.org> on behalf of "Jordan, Bret"
    >> Date: Tuesday, October 6, 2015 at 11:45 AM
    >> To: "cti-users@lists.oasis-open.org", "cti-stix@lists.oasis-open.org"
    >> Subject: [cti-stix] MTI Binding
    >>
    >> We have had a good discussion here and on the wiki and I have seen a lot of people advocating for JSON to be used as the MTI. While a few other options have been tossed around and discussed they do not seem to have an advocate pushing for them nor do they seem to have the broad support that JSON does.
    >>
    >> Therefore, I would like to formally propose that we adopt JSON as the MTI for STIX 2.0 and CybOX 3.0.
    >>
    >>
    >> Thanks,
    >>
    >> Bret
    >>
    >>
    >>
    >> Bret Jordan CISSP
    >> Director of Security Architecture and Standards | Office of the CTO
    >> Blue Coat Systems
    >> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    >> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
    >>
    >>> On Oct 6, 2015, at 06:17, Davidson II, Mark S <mdavidson@MITRE.ORG> wrote:
    >>>
    >>> I think we’re wrapped around the axle a little bit on this whole topic. I’d like to try and step back and ask some basic questions:
    >>>
    >>> 1. Is anyone actually proposing JSON-LD as the MTI for STIX? I’ve seen the question asked, and I’ve seen lots of discussion. Is there somebody who would like to come forward and state their opinion that JSON-LD should be the MTI for STIX?
    >>> Note: I see this question as a higher bar than asking who thinks we should consider it – IMO the recent discussion makes it clear that we are considering it
    >>>
    >>>
    >>> 2. There was an opinion that the proposed examples (the indicator and incident idioms) wouldn’t be sufficient for comparing size and complexity. What examples would be sufficient?
    >>>
    >>>
    >>> 3. What toolchain is required to develop software that supports using a model without any custom code? Maybe I’m missing something, but if I have a product and I want to add STIX support, won’t developers have to write code?
    >>> I guess at its core – I hear what people are saying about models and not programming to the data syntax, I just don’t understand how that actually works (the more concrete the example the better, at least for me).
    >>>
    >>> Thank you.
    >>> -Mark
    >>>
    >>
    >>
    >
    >






  • 4.  Re: [cti-stix] [cti-users] Model / Binding Motions

    Posted 10-06-2015 18:34
    We have initial starts on parts of this on the wiki representing input from a very limited set of people.
    I would assert that we need that information fleshed out more and significantly broader input before we could consider it consensus or complete.

    The discussions dominating the list even today demonstrate that we are not there yet.

    sean

    From: "cti-stix@lists.oasis-open.org" on behalf of "Jordan, Bret"
    Date: Tuesday, October 6, 2015 at 2:23 PM
    To: "Barnum, Sean D."
    Cc: "Foley, Alexander - GIS", "cti-users@lists.oasis-open.org", "cti-stix@lists.oasis-open.org"
    Subject: Re: [cti-stix] [cti-users] Model / Binding Motions

    We have most of this on the wiki today.


    Thanks,

    Bret



    Bret Jordan CISSP
    Director of Security Architecture and Standards | Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

    On Oct 6, 2015, at 12:15, Barnum, Sean D. <sbarnum@mitre.org> wrote:

    I do not believe that we are at all ready to be making any decisions on MTI or even really on default bindings yet.

    Before such decisions can be made we first need four things:

    * Understanding and consensus on the requirements and evaluation criteria that should be used to select an MTI or default binding
    * Identification and understanding of potential binding options and their capabilities and limitations
    * Understanding of how each potential binding option meets or does not meet the consensus requirements and evaluation criteria
    * Understanding of member opinions and preferences

    We simply do not have any of these things yet. Ongoing discussions on the list demonstrate that clearly, I believe.
    Even if we had all of the above worked out for our current knowledge, we still would not necessarily have enough to make a decision today as many of the issues and proposals for STIX 2.0 changes have the likelihood of affecting the consensus requirements and evaluation criteria for an MTI.
    Any decisions made on incomplete information are likely to be poor ones.

    I would propose that attempting to cut short discussions aimed at addressing the above needs would be premature at this time.

    sean

    From: <cti-users@lists.oasis-open.org> on behalf of "Foley, Alexander - GIS"
    Date: Tuesday, October 6, 2015 at 2:05 PM
    To: "cti-users@lists.oasis-open.org", "cti-stix@lists.oasis-open.org"
    Subject: [cti-users] Model / Binding Motions

    By my count:

    1. We have Bret’s motion that we require a default binding for STIX and CybOX and it requires a second.
    a. If this motion succeeds, we have Bret’s motion that JSON be chosen as the default binding for STIX and CybOX and it requires a second.
    i. Kevin Wetzel, I apologize but I do not see you as a member of the cti committee… please follow up with myself, Rich, Chet or OASIS if that’s an incorrect assumption
    b. We also have an (alternate?) proposal from Cory that JSON-LD specifically be chosen as our default binding and it requires a second.

    I must admit this conversation has been very difficult to follow – if I’m missing a key motion that we construct a UML / RDF / OWL model that’s separate from choosing a new preferred binding / data encoding, please feel free to propose or second any motions.

    Thanks,

    Alex

    From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Jordan, Bret
    Sent: Tuesday, October 06, 2015 12:49 PM
    To: Aharon Chernin
    Cc: cti-users@lists.oasis-open.org; cti-stix@lists.oasis-open.org
    Subject: [cti-users] Re: [cti-stix] MTI Binding

    Sounds good...

    I would like to formally make a motion that we require a default binding for STIX 2.0 and CybOX 3.0.


    If this is agreed upon, then:

    I would like to formally make a motion that the default binding for STIX 2.0 and CybOX 3.0 be JSON.

    Thanks,

    Bret



    Bret Jordan CISSP
    Director of Security Architecture and Standards | Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

    On Oct 6, 2015, at 10:40, Aharon Chernin <achernin@soltra.com> wrote:

    Bret, I think we need to propose that STIX, CybOX, and TAXII have to require a default binding type first. Then the MTI motion could be changed to something like, “I would like to propose that we adopt JSON as the default binding”.

    Aharon

    From: <cti-stix@lists.oasis-open.org> on behalf of "Jordan, Bret"
    Date: Tuesday, October 6, 2015 at 11:45 AM
    To: "cti-users@lists.oasis-open.org", "cti-stix@lists.oasis-open.org"
    Subject: [cti-stix] MTI Binding

    We have had a good discussion here and on the wiki and I have seen a lot of people advocating for JSON to be used as the MTI. While a few other options have been tossed around and discussed they do not seem to have an advocate pushing for them nor do they seem to have the broad support that JSON does.

    Therefore, I would like to formally propose that we adopt JSON as the MTI for STIX 2.0 and CybOX 3.0.


    Thanks,

    Bret



    Bret Jordan CISSP
    Director of Security Architecture and Standards | Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

    On Oct 6, 2015, at 06:17, Davidson II, Mark S <mdavidson@MITRE.ORG> wrote:

    I think we’re wrapped around the axle a little bit on this whole topic. I’d like to try and step back and ask some basic questions:

    1. Is anyone actually proposing JSON-LD as the MTI for STIX? I’ve seen the question asked, and I’ve seen lots of discussion. Is there somebody who would like to come forward and state their opinion that JSON-LD should be the MTI for STIX?
    Note: I see this question as a higher bar than asking who thinks we should consider it – IMO the recent discussion makes it clear that we are considering it


    2. There was an opinion that the proposed examples (the indicator and incident idioms) wouldn’t be sufficient for comparing size and complexity. What examples would be sufficient?


    3. What toolchain is required to develop software that supports using a model without any custom code? Maybe I’m missing something, but if I have a product and I want to add STIX support, won’t developers have to write code?
    I guess at its core – I hear what people are saying about models and not programming to the data syntax, I just don’t understand how that actually works (the more concrete the example the better, at least for me).

    Thank you.
    -Mark







  • 5.  Re: [cti-stix] [cti-users] Model / Binding Motions

    Posted 10-06-2015 18:34





    We have initial starts on parts of this on the wiki representing input from a very limited set of people.
    I would assert that we need that information fleshed out more and significantly broader input before we could consider it consensus or complete.


    The discussions dominating the list even today demonstrate that we are not there yet.


    sean









    From: "cti-stix@lists.oasis-open.org" on behalf of "Jordan, Bret"
    Date: Tuesday, October 6, 2015 at 2:23 PM
    To: "Barnum, Sean D."
    Cc: "Foley, Alexander - GIS", "cti-users@lists.oasis-open.org", "cti-stix@lists.oasis-open.org"
    Subject: Re: [cti-stix] [cti-users] Model / Binding Motions





    We have most of this on the wiki today.

    Thanks,

    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards | Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."











    On Oct 6, 2015, at 12:15, Barnum, Sean D. <sbarnum@mitre.org> wrote:

    I do not believe that we are at all ready to be making any decisions on MTI or even really on default bindings yet.

    Before such decisions can be made we first need four things:

    * Understanding and consensus on the requirements and evaluation criteria that should be used to select an MTI or default binding
    * Identification and understanding of potential binding options and their capabilities and limitations
    * Understanding of how each potential binding option meets or does not meet the consensus requirements and evaluation criteria
    * Understanding of member opinions and preferences

    We simply do not have any of these things yet. Ongoing discussions on the list demonstrate that clearly, I believe.
    Even if we had all of the above worked out for our current knowledge, we still would not necessarily have enough to make a decision today as many of the issues and proposals for STIX 2.0 changes have the likelihood of affecting the consensus requirements and evaluation criteria for an MTI.
    Any decisions made on incomplete information are likely to be poor ones.

    I would propose that attempting to cut short discussions aimed at addressing the above needs would be premature at this time.

    sean









    From: <cti-users@lists.oasis-open.org> on behalf of "Foley, Alexander - GIS"
    Date: Tuesday, October 6, 2015 at 2:05 PM
    To: "cti-users@lists.oasis-open.org", "cti-stix@lists.oasis-open.org"
    Subject: [cti-users] Model / Binding Motions







    By my count:

    1. We have Bret’s motion that we require a default binding for STIX and CybOX and it requires a second.
    a. If this motion succeeds, we have Bret’s motion that JSON be chosen as the default binding for STIX and CybOX and it requires a second.
    i. Kevin Wetzel, I apologize but I do not see you as a member of the cti committee… please follow up with myself, Rich, Chet or OASIS if that’s an incorrect assumption
    b. We also have an (alternate?) proposal from Cory that JSON-LD specifically be chosen as our default binding and it requires a second.

    I must admit this conversation has been very difficult to follow – if I’m missing a key motion that we construct a UML / RDF / OWL model that’s separate from choosing a new preferred binding / data encoding, please feel free to propose or second any motions.

    Thanks,

    Alex



     



    From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Jordan, Bret
    Sent: Tuesday, October 06, 2015 12:49 PM
    To: Aharon Chernin
    Cc: cti-users@lists.oasis-open.org; cti-stix@lists.oasis-open.org
    Subject: [cti-users] Re: [cti-stix] MTI Binding



     

    Sounds good...


     



    I would like to formally make a motion that we require a default binding for STIX 2.0 and CybOX 3.0.  


     



     









    If this is agreed upon, then:



     



    I would like to formally make a motion that the default binding for STIX 2.0 and CybOX 3.0 be JSON.



     



    Thanks,



     



    Bret




     



     



     




    Bret Jordan CISSP


    Director of Security Architecture and Standards Office of the CTO



    Blue Coat Systems




    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050



    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 










     




    On Oct 6, 2015, at 10:40, Aharon Chernin < achernin@soltra.com > wrote:


     






    Bret, I think we need to propose that STIX, CybOX, and TAXII have to require a default binding type first. Then the MTI motion could be changed to something like, “I would like to propose that we adopt JSON as the default binding”.



     



    Aharon





     



    From: <cti-stix@lists.oasis-open.org> on behalf of "Jordan, Bret"
    Date: Tuesday, October 6, 2015 at 11:45 AM
    To: "cti-users@lists.oasis-open.org", "cti-stix@lists.oasis-open.org"
    Subject: [cti-stix] MTI Binding



     




    We have had a good discussion here and on the wiki and I have seen a lot of people advocating for JSON to be used as the MTI. While a few other options have been tossed around and discussed they do not seem to have an advocate pushing for them nor do they seem to have the broad support that JSON does.


     



    Therefore, I would like to formally propose that we adopt JSON as the MTI for STIX 2.0 and CybOX 3.0.



     










     



    Thanks,



     



    Bret




     



     



     




    Bret Jordan CISSP


    Director of Security Architecture and Standards Office of the CTO



    Blue Coat Systems




    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050



    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 










     




    On Oct 6, 2015, at 06:17, Davidson II, Mark S < mdavidson@MITRE.ORG > wrote:


     



    I think we’re wrapped around the axle a little bit on this whole topic. I’d like to try and step back and ask some basic questions:



     



    1. Is anyone actually proposing JSON-LD as the MTI for STIX? I’ve seen the question asked, and I’ve seen lots of discussion. Is there somebody who would like to come forward and state their opinion that JSON-LD should be the MTI for STIX?

    Note: I see this question as a higher bar than asking who thinks we should consider it – IMO the recent discussion makes it clear that we are considering it

    2. There was an opinion that the proposed examples (the indicator and incident idioms) wouldn’t be sufficient for comparing size and complexity. What examples would be sufficient?

    3. What toolchain is required to develop software that supports using a model without any custom code? Maybe I’m missing something, but if I have a product and I want to add STIX support, won’t developers have to write code?

    I guess at its core – I hear what people are saying about models and not programming to the data syntax, I just don’t understand how that actually works (the more concrete the example the better, at least for me).



     



    Thank you.



    -Mark



     





     








     



    This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer. If you are not the intended recipient, please delete this message.













  • 6.  Re: [cti-users] Model / Binding Motions

    Posted 10-06-2015 20:53
    I agree that it seems quite premature at this point to make an MTI
    decision. I would prefer we continue to discuss the options we have at
    present. I personally do not know enough about JSON-LD and the limitations
    of it to be able to make an informed decision. I'm sure a lot of the other
    SC members feel the same.

    We need to tease out more information from both sides to be able to
    effectively come to a group consensus.

    Cheers
    Terry MacDonald
    On 7/10/2015 5:15 am, "Barnum, Sean D." <sbarnum@mitre.org> wrote:

    > I do not believe that we are at all ready to be making any decisions on
    > MTI or even really on default bindings yet.
    >
    > Before such decisions can be made we first need four things:
    >
    > - Understanding and consensus on the requirements and evaluation
    > criteria that should be used to select an MTI or default binding
    > - Identification and understanding of potential binding options and
    > their capabilities and limitations
    > - Understanding of how each potential binding option meets or does not
    > meet the consensus requirements and evaluation criteria
    > - Understanding of member opinions and preferences
    >
    >
    > We simply do not have any of these things yet. Ongoing discussions on the
    > list demonstrate that clearly, I believe.
    > Even if we had all of the above worked out for our current knowledge, we
    > still would not necessarily have enough to make a decision today as many of
    > the issues and proposals for STIX 2.0 changes have the likelihood of
    > affecting the consensus requirements and evaluation criteria for an MTI.
    > Any decisions made on incomplete information are likely to be poor ones.
    >
    > I would propose that attempting to cut short discussions aimed at
    > addressing the above needs would be premature at this time.
    >
    > sean
    >
    > From: <cti-users@lists.oasis-open.org> on behalf of "Foley, Alexander -
    > GIS"
    > Date: Tuesday, October 6, 2015 at 2:05 PM
    > To: "cti-users@lists.oasis-open.org", "cti-stix@lists.oasis-open.org"
    > Subject: [cti-users] Model / Binding Motions
    >
    > By my count:
    >
    >
    >
    > 1. We have Bret’s motion that we require a default binding for STIX
    > and CybOX and it requires a second.
    >
    > a. If this motion succeeds, we have Bret’s motion that JSON be
    > chosen as the default binding for STIX and CybOX and it requires a second.
    >
    > i. Kevin Wetzel, I apologize but I do not see you as a member of the cti
    > committee… please follow up with myself, Rich, Chet or OASIS if that’s an
    > incorrect assumption
    >
    > b. We also have an (alternate?) proposal from Cory that JSON-LD
    > specifically be chosen as our default binding and it requires a second.
    >
    >
    >
    > *I must admit this conversation has been very difficult to follow – if I’m
    > missing a key motion that we construct a UML / RDF / OWL model that’s
    > separate from choosing a new preferred binding / data encoding, please feel
    > free to propose or second any motions.*
    >
    >
    >
    > Thanks,
    >
    >
    >
    > Alex
    >
    >
    >
    > *From:* cti-users@lists.oasis-open.org
    > [mailto:cti-users@lists.oasis-open.org] *On Behalf Of* Jordan, Bret
    > *Sent:* Tuesday, October 06, 2015 12:49 PM
    > *To:* Aharon Chernin
    > *Cc:* cti-users@lists.oasis-open.org; cti-stix@lists.oasis-open.org
    > *Subject:* [cti-users] Re: [cti-stix] MTI Binding
    >
    >
    >
    > Sounds good...
    >
    >
    >
    > *I would like to formally make a motion that we require a default binding
    > for STIX 2.0 and CybOX 3.0. *
    >
    >
    >
    >
    >
    > If this is agreed upon, then:
    >
    >
    >
    > *I would like to formally make a motion that the default binding for STIX
    > 2.0 and CybOX 3.0 be JSON.*
    >
    >
    >
    > Thanks,
    >
    >
    >
    > Bret
    >
    >
    >
    >
    >
    >
    >
    > *Bret Jordan CISSP*
    >
    > Director of Security Architecture and Standards | Office of the CTO
    >
    > Blue Coat Systems
    >
    > PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    >
    > "Without cryptography vihv vivc ce xhrnrw, however, the only thing that
    > can not be unscrambled is an egg."
    >
    >
    >
    > On Oct 6, 2015, at 10:40, Aharon Chernin <achernin@soltra.com> wrote:
    >
    >
    >
    > Bret, I think we need to propose that STIX, CybOX, and TAXII have to
    > require a default binding type first. Then the MTI motion could be changed
    > to something like, “I would like to propose that we adopt JSON as the
    > default binding”.
    >
    >
    >
    > Aharon
    >
    >
    >
    > *From: *<cti-stix@lists.oasis-open.org> on behalf of "Jordan, Bret"
    > *Date: *Tuesday, October 6, 2015 at 11:45 AM
    > *To: *"cti-users@lists.oasis-open.org", "cti-stix@lists.oasis-open.org"
    > *Subject: *[cti-stix] MTI Binding
    >
    >
    >
    > We have had a good discussion here and on the wiki and I have seen a lot
    > of people advocating for JSON to be used as the MTI. While a few other
    > options have been tossed around and discussed they do not seem to have an
    > advocate pushing for them nor do they seem to have the broad support that
    > JSON does.
    >
    >
    >
    > *Therefore, I would like to formally propose that we adopt JSON as the MTI
    > for STIX 2.0 and CybOX 3.0.*
    >
    >
    >
    >
    >
    > Thanks,
    >
    >
    >
    > Bret
    >
    >
    >
    >
    >
    >
    >
    > *Bret Jordan CISSP*
    >
    > Director of Security Architecture and Standards | Office of the CTO
    >
    > Blue Coat Systems
    >
    > PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    >
    > "Without cryptography vihv vivc ce xhrnrw, however, the only thing that
    > can not be unscrambled is an egg."
    >
    >
    >
    > On Oct 6, 2015, at 06:17, Davidson II, Mark S <mdavidson@MITRE.ORG> wrote:
    >
    >
    >
    > I think we’re wrapped around the axle a little bit on this whole topic.
    > I’d like to try and step back and ask some basic questions:
    >
    >
    >
    > 1. Is anyone actually proposing JSON-LD as the MTI for STIX? I’ve seen the
    > question asked, and I’ve seen *lots* of discussion. Is there somebody who
    > would like to come forward and state their opinion that JSON-LD should be
    > the MTI for STIX?
    >
    > Note: I see this question as a higher bar than asking who thinks we should
    > consider it – IMO the recent discussion makes it clear that we are
    > considering it
    >
    >
    > 2. There was an opinion that the proposed examples (the indicator and
    > incident idioms) wouldn’t be sufficient for comparing size and complexity.
    > What examples would be sufficient?
    >
    >
    > 3. What toolchain is required to develop software that supports using a
    > model without any custom code? Maybe I’m missing something, but if I have a
    > product and I want to add STIX support, won’t developers have to write code?
    >
    >
    > I guess at its core – I hear what people are saying about models and not
    > programming to the data syntax, I just don’t understand how that actually
    > works (the more concrete the example the better, at least for me).
    >
    >
    >
    > Thank you.
    >
    > -Mark
    >
    >
    >
    >
    >
    >
    > ------------------------------
    > This message, and any attachments, is for the intended recipient(s) only,
    > may contain information that is privileged, confidential and/or proprietary
    > and subject to important terms and conditions available at
    > http://www.bankofamerica.com/emaildisclaimer. If you are not the intended
    > recipient, please delete this message.
    >



  • 8.  Re: [cti-users] Model / Binding Motions

    Posted 10-06-2015 23:08
    +1 on Sean and Terry's comments

    Sent from my iPhone

    > On Oct 6, 2015, at 4:53 PM, Terry MacDonald <terry.macdonald@threatloop.com> wrote:
    >
    > I agree that it seems quite premature at this point to make an MTI decision. I would prefer we continue to discuss the options we have at present. I personally do not know enough about JSON-LD and the limitations of it to be able to make an informed decision. I'm sure a lot of the other SC members feel the same.
    >
    > We need to tease out more information from both sides to be able to effectively come to a group consensus.
    >
    > Cheers
    > Terry MacDonald
    >
    >> On 7/10/2015 5:15 am, "Barnum, Sean D." <sbarnum@mitre.org> wrote:
    >> I do not believe that we are at all ready to be making any decisions on MTI or even really on default bindings yet.
    >>
    >> Before such decisions can be made we first need four things:
    >> Understanding and consensus on the requirements and evaluation criteria that should be used to select an MTI or default binding
    >> Identification and understanding of potential binding options and their capabilities and limitations
    >> Understanding of how each potential binding option meets or does not meet the consensus requirements and evaluation criteria
    >> Understanding of member opinions and preferences
    >>
    >> We simply do not have any of these things yet. Ongoing discussions on the list demonstrate that clearly, I believe.
    >> Even if we had all of the above worked out for our current knowledge, we still would not necessarily have enough to make a decision today as many of the issues and proposals for STIX 2.0 changes have the likelihood of affecting the consensus requirements and evaluation criteria for an MTI.
    >> Any decisions made on incomplete information are likely to be poor ones.
    >>
    >> I would propose that attempting to cut short discussions aimed at addressing the above needs would be premature at this time.
    >>
    >> sean
    >>
    >> From: <cti-users@lists.oasis-open.org> on behalf of "Foley, Alexander - GIS"
    >> Date: Tuesday, October 6, 2015 at 2:05 PM
    >> To: "cti-users@lists.oasis-open.org", "cti-stix@lists.oasis-open.org"
    >> Subject: [cti-users] Model / Binding Motions
    >>
    >> By my count:
    >>
    >>
    >>
    >> 1. We have Bret’s motion that we require a default binding for STIX and CybOX and it requires a second.
    >>
    >> a. If this motion succeeds, we have Bret’s motion that JSON be chosen as the default binding for STIX and CybOX and it requires a second.
    >>
    >> i. Kevin Wetzel, I apologize but I do not see you as a member of the cti committee… please follow up with myself, Rich, Chet or OASIS if that’s an incorrect assumption
    >>
    >> b. We also have an (alternate?) proposal from Cory that JSON-LD specifically be chosen as our default binding and it requires a second.
    >>
    >>
    >>
    >> I must admit this conversation has been very difficult to follow – if I’m missing a key motion that we construct a UML / RDF / OWL model that’s separate from choosing a new preferred binding / data encoding, please feel free to propose or second any motions.
    >>
    >>
    >>
    >> Thanks,
    >>
    >>
    >>
    >> Alex
    >>
    >>
    >>
    >> From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Jordan, Bret
    >> Sent: Tuesday, October 06, 2015 12:49 PM
    >> To: Aharon Chernin
    >> Cc: cti-users@lists.oasis-open.org; cti-stix@lists.oasis-open.org
    >> Subject: [cti-users] Re: [cti-stix] MTI Binding
    >>
    >>
    >>
    >> Sounds good...
    >>
    >>
    >>
    >> I would like to formally make a motion that we require a default binding for STIX 2.0 and CybOX 3.0.
    >>
    >>
    >>
    >>
    >>
    >> If this is agreed upon, then:
    >>
    >>
    >>
    >> I would like to formally make a motion that the default binding for STIX 2.0 and CybOX 3.0 be JSON.
    >>
    >>
    >>
    >> Thanks,
    >>
    >>
    >>
    >> Bret
    >>
    >>
    >>
    >>
    >>
    >>
    >>
    >> Bret Jordan CISSP
    >>
    >> Director of Security Architecture and Standards | Office of the CTO
    >>
    >> Blue Coat Systems
    >>
    >> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    >>
    >> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
    >>
    >>
    >>
    >> On Oct 6, 2015, at 10:40, Aharon Chernin <achernin@soltra.com> wrote:
    >>
    >>
    >>
    >> Bret, I think we need to propose that STIX, CybOX, and TAXII have to require a default binding type first. Then the MTI motion could be changed to something like, “I would like to propose that we adopt JSON as the default binding”.
    >>
    >>
    >>
    >> Aharon
    >>
    >>
    >>
    >> From: <cti-stix@lists.oasis-open.org> on behalf of "Jordan, Bret"
    >> Date: Tuesday, October 6, 2015 at 11:45 AM
    >> To: "cti-users@lists.oasis-open.org", "cti-stix@lists.oasis-open.org"
    >> Subject: [cti-stix] MTI Binding
    >>
    >>
    >>
    >> We have had a good discussion here and on the wiki and I have seen a lot of people advocating for JSON to be used as the MTI. While a few other options have been tossed around and discussed they do not seem to have an advocate pushing for them nor do they seem to have the broad support that JSON does.
    >>
    >>
    >>
    >> Therefore, I would like to formally propose that we adopt JSON as the MTI for STIX 2.0 and CybOX 3.0.
    >>
    >>
    >>
    >>
    >>
    >> Thanks,
    >>
    >>
    >>
    >> Bret
    >>
    >>
    >>
    >>
    >>
    >>
    >>
    >> Bret Jordan CISSP
    >>
    >> Director of Security Architecture and Standards | Office of the CTO
    >>
    >> Blue Coat Systems
    >>
    >> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    >>
    >> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
    >>
    >>
    >>
    >> On Oct 6, 2015, at 06:17, Davidson II, Mark S <mdavidson@MITRE.ORG> wrote:
    >>
    >>
    >>
    >> I think we’re wrapped around the axle a little bit on this whole topic. I’d like to try and step back and ask some basic questions:
    >>
    >>
    >>
    >> 1. Is anyone actually proposing JSON-LD as the MTI for STIX? I’ve seen the question asked, and I’ve seen lots of discussion. Is there somebody who would like to come forward and state their opinion that JSON-LD should be the MTI for STIX?
    >>
    >> Note: I see this question as a higher bar than asking who thinks we should consider it – IMO the recent discussion makes it clear that we are considering it
    >>
    >>
    >>
    >> 2. There was an opinion that the proposed examples (the indicator and incident idioms) wouldn’t be sufficient for comparing size and complexity. What examples would be sufficient?
    >>
    >>
    >>
    >> 3. What toolchain is required to develop software that supports using a model without any custom code? Maybe I’m missing something, but if I have a product and I want to add STIX support, won’t developers have to write code?
    >>
    >> I guess at its core – I hear what people are saying about models and not programming to the data syntax, I just don’t understand how that actually works (the more concrete the example the better, at least for me).
    >>
    >>
    >>
    >> Thank you.
    >>
    >> -Mark
    >>
    >>
    >>
    >>
    >>
    >>
    >>
    >> This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer. If you are not the intended recipient, please delete this message.



  • 9.  Re: [cti-stix] Re: [cti-users] Model / Binding Motions

    Posted 10-09-2015 16:34
    I would like to state Interoperability as a requirement.


    2015-10-06 21:15 GMT+03:00 Barnum, Sean D. <sbarnum@mitre.org>:
    > I do not believe that we are at all ready to be making any decisions on MTI
    > or even really on default bindings yet.
    >
    > Before such decisions can be made we first need four things:
    >
    > Understanding and consensus on the requirements and evaluation criteria that
    > should be used to select an MTI or default binding
    > Identification and understanding of potential binding options and their
    > capabilities and limitations
    > Understanding of how each potential binding option meets or does not meet
    > the consensus requirements and evaluation criteria
    > Understanding of member opinions and preferences
    >
    >
    > We simply do not have any of these things yet. Ongoing discussions on the
    > list demonstrate that clearly, I believe.
    > Even if we had all of the above worked out for our current knowledge, we
    > still would not necessarily have enough to make a decision today as many of
    > the issues and proposals for STIX 2.0 changes have the likelihood of
    > affecting the consensus requirements and evaluation criteria for an MTI.
    > Any decisions made on incomplete information are likely to be poor ones.
    >
    > I would propose that attempting to cut short discussions aimed at addressing
    > the above needs would be premature at this time.
    >
    > sean
    >
    > From: <cti-users@lists.oasis-open.org> on behalf of "Foley, Alexander - GIS"
    > Date: Tuesday, October 6, 2015 at 2:05 PM
    > To: "cti-users@lists.oasis-open.org", "cti-stix@lists.oasis-open.org"
    > Subject: [cti-users] Model / Binding Motions
    >
    > By my count:
    >
    >
    >
    > 1. We have Bret’s motion that we require a default binding for STIX and
    > CybOX and it requires a second.
    >
    > a. If this motion succeeds, we have Bret’s motion that JSON be chosen
    > as the default binding for STIX and CybOX and it requires a second.
    >
    > i. Kevin Wetzel, I
    > apologize but I do not see you as a member of the cti committee… please
    > follow up with myself, Rich, Chet or OASIS if that’s an incorrect assumption
    >
    > b. We also have an (alternate?) proposal from Cory that JSON-LD
    > specifically be chosen as our default binding and it requires a second.
    >
    >
    >
    > I must admit this conversation has been very difficult to follow – if I’m
    > missing a key motion that we construct a UML / RDF / OWL model that’s
    > separate from choosing a new preferred binding / data encoding, please feel
    > free to propose or second any motions.
    >
    >
    >
    > Thanks,
    >
    >
    >
    > Alex
    >
    >
    >
    > From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org]
    > On Behalf Of Jordan, Bret
    > Sent: Tuesday, October 06, 2015 12:49 PM
    > To: Aharon Chernin
    > Cc: cti-users@lists.oasis-open.org; cti-stix@lists.oasis-open.org
    > Subject: [cti-users] Re: [cti-stix] MTI Binding
    >
    >
    >
    > Sounds good...
    >
    >
    >
    > I would like to formally make a motion that we require a default binding for
    > STIX 2.0 and CybOX 3.0.
    >
    >
    >
    >
    >
    > If this is agreed upon, then:
    >
    >
    >
    > I would like to formally make a motion that the default binding for STIX 2.0
    > and CybOX 3.0 be JSON.
    >
    >
    >
    > Thanks,
    >
    >
    >
    > Bret
    >
    >
    >
    >
    >
    >
    >
    > Bret Jordan CISSP
    >
    > Director of Security Architecture and Standards | Office of the CTO
    >
    > Blue Coat Systems
    >
    > PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    >
    > "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can
    > not be unscrambled is an egg."
    >
    >
    >
    > On Oct 6, 2015, at 10:40, Aharon Chernin <achernin@soltra.com> wrote:
    >
    >
    >
    > Bret, I think we need to propose that STIX, CybOX, and TAXII have to require
    > a default binding type first. Then the MTI motion could be changed to
    > something like, “I would like to propose that we adopt JSON as the default
    > binding”.
    >
    >
    >
    > Aharon
    >
    >
    >
    > From: <cti-stix@lists.oasis-open.org> on behalf of "Jordan, Bret"
    > Date: Tuesday, October 6, 2015 at 11:45 AM
    > To: "cti-users@lists.oasis-open.org", "cti-stix@lists.oasis-open.org"
    > Subject: [cti-stix] MTI Binding
    >
    >
    >
    > We have had a good discussion here and on the wiki and I have seen a lot of
    > people advocating for JSON to be used as the MTI. While a few other options
    > have been tossed around and discussed they do not seem to have an advocate
    > pushing for them nor do they seem to have the broad support that JSON does.
    >
    >
    >
    > Therefore, I would like to formally propose that we adopt JSON as the MTI
    > for STIX 2.0 and CybOX 3.0.
    >
    >
    >
    >
    >
    > Thanks,
    >
    >
    >
    > Bret
    >
    >
    >
    >
    >
    >
    >
    > Bret Jordan CISSP
    >
    > Director of Security Architecture and Standards | Office of the CTO
    >
    > Blue Coat Systems
    >
    > PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    >
    > "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can
    > not be unscrambled is an egg."
    >
    >
    >
    > On Oct 6, 2015, at 06:17, Davidson II, Mark S <mdavidson@MITRE.ORG> wrote:
    >
    >
    >
    > I think we’re wrapped around the axle a little bit on this whole topic. I’d
    > like to try and step back and ask some basic questions:
    >
    >
    >
    > 1. Is anyone actually proposing JSON-LD as the MTI for STIX? I’ve seen the
    > question asked, and I’ve seen lots of discussion. Is there somebody who
    > would like to come forward and state their opinion that JSON-LD should be
    > the MTI for STIX?
    >
    > Note: I see this question as a higher bar than asking who thinks we should
    > consider it – IMO the recent discussion makes it clear that we are
    > considering it
    >
    >
    > 2. There was an opinion that the proposed examples (the indicator and
    > incident idioms) wouldn’t be sufficient for comparing size and complexity.
    > What examples would be sufficient?
    >
    >
    > 3. What toolchain is required to develop software that supports using a
    > model without any custom code? Maybe I’m missing something, but if I have a
    > product and I want to add STIX support, won’t developers have to write code?
    >
    > I guess at its core – I hear what people are saying about models and not
    > programming to the data syntax, I just don’t understand how that actually
    > works (the more concrete the example the better, at least for me).
    >
    >
    >
    > Thank you.
    >
    > -Mark
    >
    >
    >
    >
    >
    >
    >



  • 10.  Re: [cti-stix] Re: [cti-users] Model / Binding Motions

    Posted 10-09-2015 16:34
    I would like to state Interoperability as a requirement.

    2015-10-06 21:15 GMT+03:00 Barnum, Sean D. <sbarnum@mitre.org>:
    > I do not believe that we are at all ready to be making any decisions on MTI
    > or even really on default bindings yet.
    >
    > Before such decisions can be made we first need four things:
    >
    > Understanding and consensus on the requirements and evaluation criteria that
    > should be used to select an MTI or default binding
    > Identification and understanding of potential binding options and their
    > capabilities and limitations
    > Understanding of how each potential binding option meets or does not meet
    > the consensus requirements and evaluation criteria
    > Understanding of member opinions and preferences
    >
    >
    > We simply do not have any of these things yet. Ongoing discussions on the
    > list demonstrate that clearly, I believe.
    > Even if we had all of the above worked out for our current knowledge, we
    > still would not necessarily have enough to make a decision today as many of
    > the issues and proposals for STIX 2.0 changes have the likelihood of
    > affecting the consensus requirements and evaluation criteria for an MTI.
    > Any decisions made on incomplete information are likely to be poor ones.
    >
    > I would propose that attempting to cut short discussions aimed at addressing
    > the above needs would be premature at this time.
    >
    > sean